While burning contractors and suppliers, Nexius’s facade exposed a possible terrorist cell site security hole

In Featured News by Wireless Estimator

T-Mobile

T-MOBILE, A FREQUENT TARGET of hackers that cost the carrier hundreds of millions of dollars in a class action lawsuit, is adamant about network security and informed telecom developer Nexius that it had to cease using offshore cell site technicians in Lebanon that had access to its nodes behind a firewall to manage maintenance issues and trouble tickets. Nonetheless, according to emails obtained by Wireless Estimator, Nexius cloaked its offshore techs as stateside. They continued using their Beirut-based associated company, Novelus, to manage trouble tickets for alarms and other network issues. The non-compliance concern raises additional security matters, exposing how easy it would be for technicians to shut down a cluster of cell sites for criminal or terrorist actions. The Cybersecurity and Infrastructure Security Agency said adversaries could use those network administrative tools to create a significant outage or terrorist act.

As Nexius used ‘every trick’ to keep contractors working, although the company knew they would never pay them, the wireless infrastructure developer reportedly continued scamming T-Mobile by using a Nexius-aligned company in Lebanon that was prohibited from accessing T-Moble’s network – possibly exposing a network security threat to the nation’s second-largest mobile operator, according to sources familiar with the ruse.

When Nexius and its umbrella companies closed their doors earlier this year, MasTec Network Solutions (MNS) had already completed an arrangement with Nexius’s secured lender, PNC Bank, to acquire Nexius’s assets, but none of the debt owed to vendors, suppliers, and contractors. The deal had reportedly been put together in less than 30 days.

However,  MasTec offered to all Nexius’s creditors in early March to disclose what is owed to them to resolve their claims against Nexius.

It was seen then as an exercise in futility since industry observers believed the offer was only proposed to keep liens from being placed on ongoing projects, the majority of the work being for AT&T sites.

Earlier this week, three distributors, one owed over $1 million, said they had yet to hear back from MasTec.

Contractor isn’t buying into Nexius chairman’s altruism
At

MasTec Network Solutions President (second from right) Rick Suarez lauded Nexius Chairman Nabil Taleb, at right, for unselfishly wanting to create a new home for his employees during a March video presentation to Nexius employees.

During a MasTec video broadcast to Nexius’s employees announcing the acquisition in March and their onboarding plans that could take up to three months, MasTec Network Solutions Group President Rick Suarez championed Nexius Chairman Nabil Taleb’s leadership.

“Last thing I’ll say is I want to give credit to Nabil because this whole focus for him, and I know you’ve heard him say this already, he’s not getting anything out of this other than his assurance that his team is going to find a home that’s good for the team. And throughout this, he could’ve bailed out a lot easier, a lot quicker, but he’s stuck through this because he cares about you,” said Suarez.

But it appears that Taleb didn’t care about his suppliers or contractors, and in an earlier broadcast to his employees, he said, “While we lost many folks last year, there is a core team that would not quit, would not surrender, would not believe we cannot make it. Warriors who simply won’t quit. Warriors who simply want to win. We used every relationship with GCs to keep supporting us. We could not buy material anymore. So we analyzed the hell out of our inventory to optimize the amount of sites we can build with what we have.”

Perhaps the more telling questionable company position that Nexius had been taking for over a year when leadership knew that the company was failing and was not salvageable, but allowed executives to benefit, was when Taleb looked to the camera, smiled, and proudly said, “We used every trick possible to do the impossible.”

It is still being determined how many millions of dollars were lost through Nexius’s charades since Nexius liquidated its assets, is ceasing operations, and has not filed for bankruptcy, which would list its indebtedness and creditors.

A contractor who lost money when Nexius crashed and burned found Taleb’s selfless concern statement disingenuous.

“The only reason why he stuck it out, in the end, is because he probably benefitted somehow and perhaps still is. We will not know since Nexius has closed the door on any accountability. Or, at best, he was still drawing a salary and perks while many workers got laid off,” he said.

Has Leadership pulled up roots and disappeared?
Nexius

Nexius Chairman Nabil Taleb is reportedly overseeing Novelus at its headquarters in Beirut, Lebanon, where he has full or part ownership. Novelus still provides network services throughout the world and has additional offices in the UAE, Tunisia, Argentina, and Cyprus. If it is under contract to perform services in the U.S., there will likely be a stipulation that they are paid in U.S. currency since Lebanon’s embattled currency has hit new lows with one Lebanese pound trading yesterday on the black market at 93,900 for one U.S. dollar. As a result, Lebanon is now unofficially using the U.S. dollar as its default currency rather than the official exchange rate of 15,000 LP for one U.S. dollar.

Whereas the company’s deceit has caused some contractors to close their doors or sever their workforce, executives and management are typically not liable for any debt exposure unless they signed as a primary obligor or guarantor.

Nexius CEO Gaby Saliby was neither at the MasTec presentation nor Taleb’s video call to announce the upcoming acquisition by the Coral Gables, FL firm.

In Frisco, TX, where Nexius had its headquarters, he put his five-bedroom six-bath home up for sale in March for $1.1 million, and it is currently under contract.

However, his Lighthouse Point, FL waterfront home, valued at over $3 million, is still owned by him and his wife.

Taleb does not own any homes in the surrounding counties of Frisco. However, they may be held by a corporation he has set up. Nexius is owned by NWON, whose corporate registration is in Delaware.

It’s been reported that he moved to Beirut, Lebanon, to oversee Novelus, a company he founded as Wicom in 2007, to support the software solutions development at Nexius, where he has full or part ownership.

Wicom changed its name to Novelus in 2015, with Samer Kehdy as its President while serving as Nexius’s Vice President of International Operations until June 2019. The company has offices in Dubai – UAE, Tunisia, Argentina, and Cyprus. It says it has a team of over 1,000 resources but doesn’t identify its employee count.

T-Mobile uncovers Nexius’s offshore tech support scam 

To assist subcontractors’ technicians and their techs in addressing their maintenance and installation tickets for carrier builds that Nexius was managing, the company developed a stateside team of around 15 technicians to assist with any PIM or other issues that occurred, as well as provide NOC support.

Managers were being paid up to $90,000. However, according to multiple Wireless Estimator sources, they became concerned when Novelus entered the space.

“At first,” said one employee, “we became aware that Novelus was handling some of the tickets in Lebanon, and we were informed it was okay since it was a Nexius company.”

However, he said although he worked with them because they needed to be more knowledgeable, he became unnerved that he might be training his replacement.

“I don’t know what they were being paid, but it must have been at least one-third or less of what we made,” said another tech.

“We had a central server, a tool developed by Nexius called the remote server app (RSA), and I would take a ticket to work on and start adding my notes. Then when I refreshed it, the ticket had been taken by a Lebanese tech,” he said. “This happened too often, and to others stateside as well.”

On April 27, 2021, a Nexius support bridge manager sent 30 members of his Nexius team the following cautionary email:

“Hey Team,
Just a reminder, TMO wants all their technicians who are working in the node to be stateside techs.
Please be aware when communicating to not reveal we have offshore techs in Lebanon.”

Whether it was a Nexius tech that informed T-Mobile or an alert T-Mobile technician, three months later, the carrier found out Nexius had been offshoring support and demanded that they stop,

On August 4, 2021, the Novelus manager for T-Mobile located in Lebanon sent his tech support the following email:

IMPORTANT! Team, TMO found out that we are in LBN, all TMO resrouces (SIC) STOP immidiately (SIC) all your work and handover all your sites. Disconnect from all TMO tools and stand down please(.) Moderator (Redacted) US Team needs to take over(.) all TMO logout from everything and stop until further notice(.)”.

According to two sources, Nexius continued to use Novelus for tech support. However, the software-centric company used a virtual private network or another method to spoof their location so that it appeared that support services were being conducted in the U.S.

AT&T was also managed offshore by Novelus

Nexius and Novelus teams managed AT&T’s trouble tickets and alarms without the carrier being concerned about Novelus’s Beirut location.

However, it’s possible that they weren’t aware of Nexius’s offshore participation or that it wasn’t a concern.

In late 2022 and early 2023, Nexius laid off many of its stateside network help desk technicians but continued supporting AT&T with its Lebanon technicians. Reportedly, Novelus is still used for their XTAC NOC, integration, RF, IT, and HR services and other platforms.

An AT&T media representative informed Wireless Estimator that they would find out if AT&T allows offshore technical assistance to provide services to U.S. companies maintaining their network cell sites and new builds. Still, they did not reply to multiple follow-up requests.

Cell site security could be easily compromised

According to three technicians interviewed by Wireless Estimator, cell site security should be a primary concern of carriers when they allow a contractor’s support team to access the nodes in their cell site network to assist with trouble tickets.

The techs had access to T-Mobile’s nodes. Still, they were primarily dedicated to AT&T’s sites and said they would assist their tower or subcontracted crews whenever there was an alarm or installation problem.

Although they could often talk the crew through a procedure to manage the problems, they would frequently have to access the base station by logging into the carrier’s network through a third-party application on their desktop that generated an encrypted password that would be used along with their assigned user identification number (UID).

Once past a firewall, they would have complete control of the node’s operational support system (OSS) and be able to view and manage all of the power settings, down tilt, PIM, and other levels and address and close an alarm.

Although they’re required to request permission from AT&T’s NOC support to perform a soft or hard system lock, they maintain complete control of the site and would never shut off a site without permission; but they said they still kept full control.

They explained that nothing would prevent them from simultaneously opening multiple sites in a cluster and locking them down. In addition, they could close down AT&T’s FirstNet, the mission-critical wireless network for first responders and public safety professionals that doesn’t compete with commercial networks.

They said that they believed if a lousy actor had access to the OSS, they could create havoc and purposely collapse a wide area of cell coverage to carry out a criminal or terrorist act.

They acknowledged that it is likely that AT&T, Verizon, T-Mobile, and other carriers have contingency plans in place to restore service if a malicious attack on any part of their network occurs. Still, they are convinced that it wouldn’t be resolved immediately if a compromised technician set up their scripts, changed site configurations, deleted optical links, and put in place other barriers.

They noted that often the carrier is only aware of a problem an hour or two later, mainly if the shutdown or other alarm occurs during their night-time maintenance window hours.

“It’s simple,” said one technician, “Once you are allowed into the network, it’s like someone giving you a key to the front door to their business. You’re allowed to open doors elsewhere in the company, but when there is another locked door, it’s not so difficult to force that open and steal whatever is in there or create mayhem.”

The technicians provided hypotheticals of a rogue tech’s ability to cripple communications that would make a James Patterson terrorist plotline blush with envy.

MasTec’s tech help desk mirrors Novelus

In Suarez’s acquisition conference video, he said the industry has provided “more opportunities than I can take in today.”

He noted that acquiring Nexius’s assets would “bring in some efficiencies that we can apply globally across the business.”

It is not known if MasTec will be hiring some of Nexius’s help desk technicians since in 2019 MasTec acquired QuadGen Wireless Solutions for $80 million, and the company provides similar network integration and troubleshooting services as well as other RF engineering and constructions services provided by their staff of approximately 600 engineers.

With a co-headquarters office in King of Prussia, PA, and Bangalore, India, QuadGen has a location in Taiwan.

In March 2019 QuadGen said that it had signed an agreement to open a regional hub in Dubai in the United Arab Emirates to create a strong presence in the Middle East, but it never opened. The company later opened a regional hub in Oman.

On its website, QuadGen states that it manages all base station fieldwork required for alarm clearing. It also says it has over 120,000 operational support system (OSS) supported sites.

MasTec has yet to respond to a request as to whether they use their offshore personnel to service their stateside tower crews or are using Novelus technicians in Beirut to manage trouble tickets and maintenance issues.

Network cyberattack results in T-Mobile improving its security measures

A week after T-Mobile notified Novelus to log out of its network and cease operations, the carrier announced that it had a malicious cyberattack on its systems.

Although the breach had been contained around August 18, 2021, the company revealed that more than 76.6 million current and former customers’ information had been accessed.

In a blog post, CEO Mike Sievert  said the hacker, later found to be a 21-year-old American who lived in Turkey, “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”

According to The Wall Street Journal, the hacker, John Binns, said their security was “awful,” and he used an unprotected router to access the records.

To take their security efforts to the next level, T-Mobile said they had hired cybersecurity experts at Mandiant and consulting firm KPMG LLP and later invested $150 million in its cyber security systems.

However, on January 5, 2023, T-Mobile announced that “a bad actor” had stolen the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs).

An API is a software interface or mechanism commonly used by applications or computers to communicate with each other. For example, many companies use APIs so that their external partners can retrieve internal data as long as they pass the proper authentication tokens.

One Nexius employee, who had access to the T-Mobile and AT&T OSS, said that malicious use once inside could create a cyberattack and cause “…network shutdowns and mass havoc once they’ve found a back door.”

U.S. State Department: It’s easy for China to hack telecom infrastructure

Cell-Site-SecurityAlthough telecom hackers are more commonly focused on espionage, ransomware, and selling data, it’s seldom that their effort is to disrupt network signals. However, the software-related infrastructure required to achieve 5 G’s favorable capabilities invites a variety of security vulnerabilities and opportunities.

The first 5G weakness is that network functions once performed by purpose-built hardware are now being virtualized in software that, as has always been the case, is hackable.

After learning last month that China could launch cyber attacks against critical infrastructure, as the U.S. State Department revealed, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it was working to understand “the breadth of potential intrusions and associated impacts.”

“In these cases, the adversary is often using legitimate credentials and legitimate network administration tools to gain access to execute their objectives on a target network,” said CISA’s executive assistant director, Eric Goldstein, in a Reuters interview, adding credibility to the possible scenarios envisioned by telecom technicians that someone could use their credentials to create a significant outage or an even greater terrorist action.

In another concerning statement, Microsoft said last month that State-backed Chinese hackers have been targeting U.S. critical infrastructure, such as communications, and could be laying the technical groundwork for a potential disruption of critical communications.

Nexius acquisition is the second  major turfer’s assets MasTec has picked up

MasTec’s price for the Nexius assets is unknown, but industry observers have speculated that it was a minimal amount for the company, whose primary client was AT&T.

The acquisition was not filed with the Securities and Exchange Commission (SEC) since it was likely not considered a material change that investors should be informed of since MasTec reported $2.6 billion in revenue for the first quarter of 2023.

The last major pure telecom play for MasTec was when they acquired WesTower Communications, Inc. for $199 million in 2014.

MasTec was able to buy WesTower’s assets and hire many of its 1,600 employees at a fire sale price since the company had been struggling to capture its AT&T receivables which provided approximately 70% of its revenues.

“It’s a very low-risk deal. We’re getting the majority of the purchase price in acquired assets. So really, our at-risk capital is pretty limited in this deal, and it’s why we like it so much,” said MasTec CEO Jose Mas.

Before the onboarding, MasTec was still the country’s largest telecom contractor

MasTec Network Solutions is the nation’s largest telecommunications infrastructure provider. Suarez said in March, the telecommunications group employed about 7,000 people, about 85% of them being boots on the ground. How the employee count will increase after Nexius’s employees are onboarded is unknown. Nexius said it had about 780 employees in 2022, but many were laid off as the company tried to stay afloat.

Nexius employees are being hired by MNS South, LLC, a limited liability company established on January 17, 2023, that will be managed by MasTec Network Solutions.

“My expectation is other than the fact that you really are onboarding into another company, I don’t think you’re going to see much of any difference in terms of, whether it’s compensation or benefits. If you think about MasTec, we have a 401k; we have stock purchase plans. So if anything, I think you’re going to find some upside on the benefits package on where we’re going. But again, I just say, bear with us a little bit because it’s going to take, I would say, a couple of months to get that all ironed out.” Suarez informed Nexius employees in March.

Suarez emphasized to potential employees, “We run our business like a small business. There’s no bureaucracy in our business,” and said as a family organization; they will focus on their well-being, their safety, and work getting done. “I think you’re going to see that you ended up in a great place, and we really want you to be here,” Saurez said.

Historically, the majority of MNS’s revenues have been from AT&T. However, Dave Cundiff, Executive Vice President of MSN, who joined MasTec five years ago after retiring as AT&T’s construction and engineering vice president for 28 years to head the wireless side, said, “I’ve been a fan, quite frankly [of Nexius], when I was on the AT&T side. I saw how well the leadership and everybody performed and delivered.”

He said he wanted to solidify the AT&T space “because that’s obviously our bread and butter, and that’s a key part of what we do. It’s in our DNA, but also leverage that to really drive the next industry. So whether that’s RF, growing that more, whether it’s EVs, whether it’s a ton of items, that’s really the construction side,” said Cundiff.

Since MNS is already entrenched with crews for fiber optic installations, which appears to be NTIA’s preferred stitching to close the digital divide with over $42 billion available from the Broadband Access and Employment Program’s (BEAD) Notice of Funding Opportunity (NOFO) to deploy broadband in America where it is not located, the company is expected to see increased opportunities and earnings.


Wireless Estimator also reached out to T-Mobile and Novelus for comment. They did not respond.