Threat List & Real-World Breaches

Our mission is to help your organization protect your network and data from threats in ways that no other security system can so that you can focus on with your mission. Take a look at the below examples that highlight where we shine and other systems and processes fall short.

Layer 1

Layer 1 reasons to monitor everything that enters and exits your network with a Layer 1+ Forensic Edge Guard.

If you thought physical layer threats such as fiber taps or protocol exploitation were fiction, think again. Not only have taps occurred numerous times in the past, but they’re cheaper and easier than ever. With the potential payoffs increasing and adversary risk tolerances rising, malicious actors are no longer afraid to do whatever it takes to achieve their objectives, and this approach is no exception.

Separately, layer 1 optical overhead protocols (OTN, SDH, SONET) and Ethernet’s often forgotten layer 1 component, the Physical Coding Sublayer (PCS), present their own set of vulnerabilities that have gone entirely unrecognized for decades. With covert comms channel possibilities and terrifyingly stealthy computer network attack (CNA) vectors in the mix, we’ve made it our mission to bring these threats to light and help defend against them.

While traditional edge appliances are focused on the higher layers, missing indicators of these threats altogether, Forensic Edge Guards like L1FEguard remain vigilant, detecting threats that everything else ignores.

But you don’t have to take our word for it (though we’re certainly solid subject matter experts in this field), here are some real-world anecdotes and resources that should help drive the points home.

Previous Next

Data Interception Breach

From a Deloitte report in 2017: In 2000, several main trunk lines of Deutsche Telekom at Frankfurt Airport were reportedly breached, allowing data interception. Dutch and German police were victim to espionage via fiber tapping along with pharmaceutical companies in England and France. In all reality, there have been many more victims, but it’s hard to know when no one is looking…and those that find things often don’t disclose what they don’t have to.

View Deloitte Report

Fiber Eavesdropping

The Wolf Report – March 2003 “Security forces in the US discovered an illegally installed fiber eavesdropping device in Verizon’s optical network. It was placed at a mutual fund company…shortly before the release of their quarterly numbers. Information that could have been worth millions.

View Wolf Report

Optical Transport Protocol Vulnerabilities

Optical transport protocols, like all protocols, are not perfect. OTN, SDH, and SONET contain a variety of vulnerabilities that we’ve highlighted in a recent newsletter, which can be found here:

Link to newsletter1 that I haven’t written yet.

Optical Tapping

Reported in the Wall Street Journal (March 2008), roughly 4.2 million credit card details from Hannaford, a supermarket business, were stolen via optical tapping methods.

View Wall Street Journal

Ethernet Exploit

Ethernet is often thought of as a layer 2 protocol as its layer 1 component (Physical Coding Sublayer – PCS) is easy to forget…and absolutely is by every other security appliance out there. However, creative hackers find ways to exploit obscurities that others ignore. In fact, this is where they thrive…

Link to newsletter2 that I haven’t written yet.

Fiber Path Tapping

TorGuard put a great write-up together that speaks to the ease of tapping your fiber paths, along with referencing some of the disclosed real-world instances in which this has happened to victims.

View TorGuard Article

Black Hat Hacker Kevin Mitnick

World renowned black hat hacker, Kevin Mitnick, demonstrates how easy it is to tap into your fiber comms…in under 5 minutes…over a decade ago (2015)!!!!

Watch Kevin Mitnick’s Video

BONUS: Stay tuned for our Layer 1 protocol threat demo at Black Hat 2026 that will give you nightmares.

Layer 2

Layer 2 reasons to monitor everything that enters and exits your network with a Layer 1+ Forensic Edge Guard.

Threats at the Data Link Layer are taken a bit more seriously, but many still fly under the radar entirely, facilitating initial access and lateral movement for malicious actors in spite of the standard preventative measures that are currently practiced by security teams and network engineers. This is likely due to a number of dangerous misconceptions that are held regarding layer 2 protocols, such as:

Layer 2 protocols are too low-level for exploitation.
Layer 2 threats only exist internal to a network.
Layer 2 attacks are outdated and rare.
Firewalls and Intrusion Detection/Prevention Systems cover layer 2 threats.
Layer 2 threats don’t scale to geographically separated networks.

Unfortunately, this is exactly what adversaries want us to believe. Their jobs get easier while unsuspecting organizations are left wondering how and when they were so thoroughly breached. Accidental misconfigurations, insider assistance, slack 3^rd party partner security, and more all become their tools and your disadvantage (as highlighted here).

Mahlet is here to reconcile these misconceptions and address these gaps with the latest addition to the suite of tools that the good guys have at their disposal to fend off the bad guys – Forensic Edge Guards like L1FEguard monitor activity that no one else sees so that you can take action to defend your assets.

Previous Next

Ethernet Attack Method - EtherOops

Security researchers discovered an Ethernet attack method, referred to as EtherOops, that can bypass perimeter security devices like firewalls and NATs allowing attackers to penetrate networks from the internet or move laterally between network segments. Taking this same capability one step further, if malicious actors are in a position to inject their own malformed frames into the data stream, they can own your network repeatedly with little effort.

View Article

5 Zero Day Vulnerabilities

Cisco Discovery Protocol weaknesses led to a suite of 5 vulnerabilities (CDPwn) that could devastate networks through a variety of options presented to would-be attackers. Examples include:

Breaking of network segmentation
Data exfiltration of corporate network traffic traversing through an organization’s switches and routers
Gaining access to additional devices by leveraging man-in-the-middle attacks by intercepting and altering traffic on the corporate switch
Data exfiltration of sensitive information such as phone calls from from devices like IP phones and video feeds from IP cameras

View Armis Article and Deepwatch Article

VLAN Hopping

Think VLAN hopping is dead? Hackers would love that. The truth is that unintentional misconfigurations and intentional insider threat activity are the cause of substantial factor (~74% in 2023) in initial access, lateral movement, data exfiltration, and persistence within organization’s networks. These will never go away, and neither will associated layer 2 threats, which is why we need to actively watch for them.

View More on VLAN Hopping

MPLS Label Spoofing

MPLS label spoofing can be exploited for both lateral movement (pivoting within a network) and segmentation breaking, bypassing network isolation, posing significant risks to networks, especially those that are geographically separated.

View Security Implications and Mitigation Strategies in MPLS Networks Research

View Security Challenges and Solutions in MPLS L2VPN Pseudowire Deployments Research

PCspooF Exploits Weaknesses

PCspooF exploits weaknesses in a subset of ethernet networks, called Time-Triggered Ethernet (TTE), which rely heavily on precise signal timing and are found in critical sectors such as aerospace, oil & gas, transportation, and power. Electromagnetic interference is one option. Injection of crafted malicious frames is the doomsday scenario…

View Article

Layer 3

Layer 3+ reasons to monitor everything that enters and exits your network with a Layer 1+ Forensic Edge Guard.

It’s a harsh reality, but your current edge defenses are just not enough. Don’t get us wrong, it’s important to maintain a firewall, DMZ, strong routing rules, etc. A network without a boundary is not your network, it’s anyone else’s who cares to take control. However, these counter measures only do so much on their own. They don’t inspect everything, and they don’t always know what belongs and what doesn’t, especially when they themselves have been compromised. Edge firewalls and boundary routers get hit routinely by known vulnerabilities and zero-days, and backdoors are always a concern with the supply chain realities of the 21^st century.

So, the question is, who protects the device that was supposed to be protecting everything else???

For many decades, there hasn’t been a great answer. Now there is. This is where Forensic Edge Guards like L1FEguard THRIVE! L1FEguard sees everything entering and exiting your network or traversing a long-haul fiber trunk between distant locations within your network. It doesn’t just watch for traffic that doesn’t belong, it captures raw snapshots for deep analysis to gain a full understanding of what’s happening in your network.

There are far too many real-world examples and CVEs to list here, so we’ll point you to a 2024 threat report that covers the overarching concept really well and then highlight a number of important examples from the real world.

Darktrace 2024 Threat Report – Edge Device Vulnerabilities Major Percentage of Initial Access

“The most significant campaigns observed in 2024 involved the ongoing exploitation of zero-day and n-day vulnerabilities in edge and perimeter network technologies. This widespread exploitation across the threat landscape was consistent with Darktrace’s observations throughout the year.”

Previous Next

Backdoor Attack: J-Magic

Backdoors are scary to think about, but they’re even scarier when they’re real…and being observed in the wild. Here’s a recent example of Juniper routers becoming victim to a backdoor called “J-Magic” which analysts believe had been active for at least two years prior to discovery. Ouch!

View Article

Vulnerability in GlobalProtect

Edge firewalls are attacked ALL THE TIME either through novel techniques like the one mentioned in this link (zero-days), or known exploits that have already been disclosed and even fixed. It turns out, when vendors inform the public that their systems have known vulnerabilities, they’re also informing the bad guys…This information can be used to hit your system before your team has time to patch it, and then persist within your network even afterwards by the time you do.

View Security Advisory

2025 Data Breach Investigation Report

The percentage of edge devices and VPNs as a target on our exploitation of vulnerabilities action was 22%, and it grew almost eight-fold from the 3% found in last year’s report. Organizations worked very hard to patch those edge device vulnerabilities, but our analysis showed only about 54% of those were fully remediated throughout the year, and it took a median of 32 days to accomplish.

View Report

Vulnerability Exploits Triple

Targeting known vulnerabilities (CVEs and KEVs), widely available on public websites to anyone who cares to look, is not a new approach to initial access or expanding a foothold within a network that’s already been breached. And that’s unlikely to change.

View Article

Public-Facing Application Exploits

Internet-facing systems are always susceptible to attack, and once hackers have a foothold into these systems, it’s just a short hop to your internal network.

View Article

Threat List & Real-World Breaches

Layer 1

But you don’t have to take our word for it (though we’re certainly solid subject matter experts in this field), here are some real-world anecdotes and resources that should help drive the points home.

Data Interception Breach

Fiber Eavesdropping

Optical Transport Protocol Vulnerabilities

Optical Tapping

Ethernet Exploit

Fiber Path Tapping

Black Hat Hacker Kevin Mitnick

BONUS: Stay tuned for our Layer 1 protocol threat demo at Black Hat 2026 that will give you nightmares.

Layer 2

Ethernet Attack Method - EtherOops

5 Zero Day Vulnerabilities

VLAN Hopping

MPLS Label Spoofing

PCspooF Exploits Weaknesses

Layer 3

So, the question is, who protects the device that was supposed to be protecting everything else???

“The most significant campaigns observed in 2024 involved the ongoing exploitation of zero-day and n-day vulnerabilities in edge and perimeter network technologies. This widespread exploitation across the threat landscape was consistent with Darktrace’s observations throughout the year.”

Backdoor Attack: J-Magic

Vulnerability in GlobalProtect

2025 Data Breach Investigation Report

Vulnerability Exploits Triple

Public-Facing Application Exploits

Company

Connect