Hidden Threats in Critical Infrastructure: How Léargas Protects Against Supply Chain Kill Switches

In May 2025, a Reuters investigation reported that U.S. energy officials examining Chinese-manufactured solar inverters connected to the U.S. grid had found undocumented communication devices, including cellular radios, that appeared nowhere in the product documentation. A radio like that gives whoever controls it a command-and-control path that bypasses the local network entirely. In effect, it is a silent kill switch for critical infrastructure.

This isn’t a hypothetical. The hardware is already in the field.

At Léargas, we built our platform with threats like this in mind—not just phishing and malware, but deeply embedded, supply-chain-driven risks that evade traditional defenses. While you’re watching logs, we’re watching everything else.


Understanding the Threat: What Makes This Different

Unlike malware that needs phishing emails or vulnerabilities to exploit, these radios are hardware implants. They don’t rely on your firewall. They don’t care about your EDR. They connect directly to cellular towers over GSM/LTE bands—without touching your internal network.

So how do you see what never hits the wire?

That’s where Léargas, Zeek, and Suricata come in.


How Léargas Protects Against LTE-Backhauled Threats

Let’s be clear: Zeek and Suricata can’t see LTE traffic that bypasses your infrastructure. If a device is exfiltrating over 4G and doesn’t route through your switches or taps, there’s no Ethernet-based telemetry to inspect.

But that doesn’t mean the attack is invisible.

1. Behavioral Detection and Anomaly Modeling
  • Zeek logs every connection it sees (conn.log) and every ICS transaction its protocol analyzers parse (modbus.log, dnp3.log), which gives you a per-device record of who talks to whom, how often, over which protocols, and how regular that rhythm is. That record is the behavioral baseline.

  • Suricata applies protocol-aware rules to the same traffic and can alert on a function code, register range, or message rate that a given device should never produce.

If a device that normally speaks Modbus TCP every 5 seconds suddenly goes silent—but still performs operational tasks—you’ve got a ghost.

2. East-West Silence as a Signal

If that device:

  • Stops generating DHCP renewals (only meaningful for devices that actually hold a lease; many OT devices are statically addressed)

  • Drops out of ARP tables (Zeek does not write an ARP log by default, so take this from switch telemetry or an ARP-monitoring script)

  • Ceases sending telemetry via your LAN

…but you still see its effects downstream (grid output changing, breakers opening, setpoints changing that nobody on the LAN wrote), that’s a red flag. Silence on its own looks exactly like a failed or powered-off device; silence plus continued control action means the device may have shifted to its embedded LTE interface.
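As an added example (not Léargas, Zeek or Suricata code) of the two signals described above, the following Python scores a constructed Zeek conn.log excerpt: it learns each inverter's polling rhythm, flags devices the master keeps polling but that have stopped answering, and then checks a constructed historian feed to separate a device that merely lost comms from one whose output is still being driven. The addresses, the 5 s poll interval, the kW values and the thresholds are all assumptions.

```python
"""LAN-silence detector for polled OT devices, from Zeek conn.log lines.

Added example, not Léargas or Zeek code. The conn.log excerpt and the
historian samples are constructed; in a deployment they would come from the
sensor's conn.log (zeek-cut or JSON output) and from the SCADA historian.
"""
from collections import defaultdict
from statistics import median

# Constructed conn.log subset (space-separated for readability; the real file
# is tab-separated): ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
# service duration orig_bytes resp_bytes conn_state. Master 10.10.0.5 polls
# three inverters on TCP/502 every 5 s; from t=15 s the polls to .22 and .23
# go unanswered (conn_state S0, zero response bytes).
CONN_LOG = """
1715760000.0 C01 10.10.0.5 40001 10.10.1.21 502 tcp modbus 0.05 12 11 SF
1715760000.1 C02 10.10.0.5 40002 10.10.1.22 502 tcp modbus 0.05 12 11 SF
1715760000.2 C03 10.10.0.5 40003 10.10.1.23 502 tcp modbus 0.05 12 11 SF
1715760005.0 C04 10.10.0.5 40004 10.10.1.21 502 tcp modbus 0.05 12 11 SF
1715760005.1 C05 10.10.0.5 40005 10.10.1.22 502 tcp modbus 0.05 12 11 SF
1715760005.2 C06 10.10.0.5 40006 10.10.1.23 502 tcp modbus 0.05 12 11 SF
1715760010.0 C07 10.10.0.5 40007 10.10.1.21 502 tcp modbus 0.05 12 11 SF
1715760010.1 C08 10.10.0.5 40008 10.10.1.22 502 tcp modbus 0.05 12 11 SF
1715760010.2 C09 10.10.0.5 40009 10.10.1.23 502 tcp modbus 0.05 12 11 SF
1715760015.0 C10 10.10.0.5 40010 10.10.1.21 502 tcp modbus 0.05 12 11 SF
1715760015.1 C11 10.10.0.5 40011 10.10.1.22 502 tcp - - 0 0 S0
1715760015.2 C12 10.10.0.5 40012 10.10.1.23 502 tcp - - 0 0 S0
1715760020.0 C13 10.10.0.5 40013 10.10.1.21 502 tcp modbus 0.05 12 11 SF
1715760020.1 C14 10.10.0.5 40014 10.10.1.22 502 tcp - - 0 0 S0
1715760020.2 C15 10.10.0.5 40015 10.10.1.23 502 tcp - - 0 0 S0
"""
# Constructed historian samples (ts, inverter, active_power_kw) taken after
# the two devices went quiet: .22 ramps to zero, .23 keeps producing.
HISTORIAN = [
    (1715760015.0, "10.10.1.22", 310.0), (1715760020.0, "10.10.1.22", 0.0),
    (1715760015.0, "10.10.1.23", 479.0), (1715760020.0, "10.10.1.23", 478.0),
]
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

def parse_conn(text):
    """Log lines to dicts, sorted by time; Zeek's '#' header lines skipped."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split()))
        rec["ts"], rec["resp_bytes"] = float(rec["ts"]), int(rec["resp_bytes"])
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])

def answered(rec):
    """A poll counts only if the server sent bytes back; S0/REJ means no reply."""
    return rec["resp_bytes"] > 0 and rec["conn_state"] not in ("S0", "REJ")

def poll_baseline(records, port="502"):
    """Median gap between answered polls per device. In production learn this
    from a known-good window rather than from the data being scored."""
    times = defaultdict(list)
    for r in records:
        if r["resp_p"] == port and answered(r):
            times[r["resp_h"]].append(r["ts"])
    return {h: median(b - a for a, b in zip(t, t[1:]))
            for h, t in times.items() if len(t) > 1}

def silent_devices(records, baselines, factor=1.5, port="502"):
    """{device: ts of its last answered poll} for devices the master is still
    polling but that have not answered for longer than factor * baseline."""
    newest = records[-1]["ts"]
    last_ok, last_try = {}, {}
    for r in records:
        if r["resp_p"] != port:
            continue
        last_try[r["resp_h"]] = r["ts"]
        if answered(r):
            last_ok[r["resp_h"]] = r["ts"]
    silent = {}
    for h, base in baselines.items():
        gap = newest - last_ok.get(h, 0.0)
        still_polled = newest - last_try.get(h, 0.0) <= factor * base
        if gap > factor * base and still_polled:
            silent[h] = last_ok[h]
    return silent

def classify(silent, historian, min_swing_kw=5.0):
    """Ghost vs comms loss: a LAN-silent device whose measured output keeps
    moving is still being driven by commands the sensors never saw."""
    verdicts = {}
    for h, t_last in silent.items():
        after = [kw for ts, inv, kw in historian if inv == h and ts > t_last]
        swing = max(after) - min(after) if after else 0.0
        verdicts[h] = "ghost" if swing >= min_swing_kw else "comms-loss"
    return verdicts

def analyze(conn_text=CONN_LOG, historian=HISTORIAN):
    recs = parse_conn(conn_text)
    return classify(silent_devices(recs, poll_baseline(recs)), historian)
# analyze() -> {'10.10.1.22': 'ghost', '10.10.1.23': 'comms-loss'}
```

The "still polled" check matters: if the master itself stopped, every inverter would look silent at once and the finding would be about the master, not the inverters. A hard trip also produces an output swing, so the "ghost" verdict is a prompt to pull the device's alarm and trip logs, not a conviction on its own.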

3. Integrated RF and SIM Correlation

Léargas integrates well with:

  • RF sensors such as Pwnie Express or SDR platforms, to detect cellular activity in zones where no cellular device is supposed to exist.

  • SIM and cellular session records from mobile operators or IoT connectivity platforms, to flag data sessions from SIMs (IMSI/ICCID) that are not in your asset inventory, or data volumes that do not fit a device's role.

While not native to Zeek or Suricata, we bring these feeds into our XDR correlation engine to flag unseen paths of communication.
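An added example, not Léargas code, of the correlation this section describes. The feed layouts (an RF sensor export, an IoT-SIM platform's session records, the asset inventory, and the LAN-silence alerts from the network side) are assumptions and every record is constructed; what it shows is how a LAN-silent device in a no-cellular zone, a new LTE emitter in that same zone, and a data session from a SIM nobody registered combine into one scored finding, while the signals that are alarming on their own are raised separately.

```python
"""Cross-layer correlation: LAN silence, RF detections and SIM sessions.

Added example, not Léargas code. All inputs are constructed and their field
layouts are assumptions: an RF sensor export (ts, zone, technology), an
IoT-SIM platform's session records (ts, iccid, bytes_up), the asset inventory,
and the silence alerts the network side produces (device -> last ts seen on
the LAN). The correlation rules are the point, not the formats.
"""

# Constructed inventory: device -> (zone, cellular expected?, ICCID or None)
ASSETS = {
    "inv-22": ("pv-block-a", False, None),
    "inv-23": ("pv-block-b", False, None),
    "gw-01":  ("control-room", True, "8901000000000000001"),
}
KNOWN_ICCIDS = {iccid for _, _, iccid in ASSETS.values() if iccid}
SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}

SILENCE = {"inv-22": 1715760010.1, "inv-23": 1715760010.2}  # from LAN monitoring
RF_EVENTS = [                     # (ts, zone, tech) from SDR sensors
    (1715760140.0, "pv-block-a", "LTE"),
    (1715763600.0, "control-room", "LTE"),   # the gateway lives here; expected
]
SIM_SESSIONS = [                  # (ts, iccid, bytes_up) from the IoT-SIM platform
    (1715760150.0, "8901000000000000001", 2048),    # known gateway SIM
    (1715760160.0, "8986000000000000042", 91000),   # not in inventory
]

def standalone_alerts(rf_events, sessions):
    """Signals that are alarming on their own, without any LAN context."""
    cell_zones = {zone for zone, ok, _ in ASSETS.values() if ok}
    no_cell_zones = {zone for zone, _, _ in ASSETS.values()} - cell_zones
    alerts = [("rf-in-no-cell-zone", zone, ts)
              for ts, zone, _ in rf_events if zone in no_cell_zones]
    alerts += [("unknown-sim-session", iccid, ts)
               for ts, iccid, _ in sessions if iccid not in KNOWN_ICCIDS]
    return alerts

def correlate(silence, rf_events, sessions, window=600.0):
    """Score each LAN-silent device by what else happened within `window`
    seconds of its last LAN appearance. RF in the device's own zone is strong
    evidence; an unknown SIM session cannot be tied to one device, so it only
    nudges the score."""
    findings = {}
    for dev, t0 in silence.items():
        zone, cell_ok, _ = ASSETS[dev]
        score, why = 1, ["lan-silent"]
        if not cell_ok and any(z == zone and abs(ts - t0) <= window
                               for ts, z, _ in rf_events):
            score, why = score + 2, why + [f"rf-in-{zone}"]
        if any(i not in KNOWN_ICCIDS and abs(ts - t0) <= window
               for ts, i, _ in sessions):
            score, why = score + 1, why + ["unknown-sim-in-window"]
        findings[dev] = (SEVERITY[min(score, 4)], why)
    return findings
# correlate(SILENCE, RF_EVENTS, SIM_SESSIONS)["inv-22"] -> ('critical', [...])
```

The weights are deliberately asymmetric: an RF hit is located (a zone), so it can be attributed to the silent device in that zone, while a carrier-side session record only says that some SIM on your account is talking, which is why it adds less and is also raised on its own.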


Protocol-Aware OT Monitoring

Léargas has deep support for ICS/SCADA protocols:
  • Modbus

  • OPC-UA

  • DNP3

  • IEC 60870-5-104

  • PROFINET

When a device starts issuing unexpected write commands, changes its polling behavior, or alters control parameters, we detect it on the monitored OT segment and compare it against that device's learned baseline. When the command arrives over a path we cannot see, what we detect is its effect: the resulting change in process state, tied to the same baseline.
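An added example, not Léargas or Zeek code, of the protocol-aware checks described above, written over a constructed Zeek modbus.log excerpt. It raises three kinds of finding: a write from a host outside the per-device writer allowlist, a function code a client has never used against that server during the learning window, and a write the device rejected with a Modbus exception. The hosts, the allowlist and the learning cutoff are assumptions.

```python
"""Protocol-misuse checks over Zeek modbus.log lines.

Added example, not Léargas or Zeek code. The modbus.log excerpt is
constructed (space-separated here; the real file is tab-separated), with the
fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p func exception and
function names as Zeek's Modbus analyzer emits them. The writer allowlist and
the learning cutoff are assumptions a site would derive from its own
engineering data.
"""

# Modbus functions that change device state; everything else only reads.
WRITE_FUNCS = {"WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
               "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS",
               "MASK_WRITE_REGISTER", "READ_WRITE_MULTIPLE_REGISTERS"}

# Constructed policy: only the SCADA master 10.10.0.5 may write to inverter
# 10.10.1.21; the HMI/historian 10.10.0.9 is read-only by design.
ALLOWED_WRITERS = {"10.10.1.21": {"10.10.0.5"}}
LEARN_UNTIL = 1715760050.0   # records before this build the baseline

MODBUS_LOG = """
1715760000.0 M01 10.10.0.5 40001 10.10.1.21 502 READ_HOLDING_REGISTERS -
1715760000.5 M02 10.10.0.9 41001 10.10.1.21 502 READ_INPUT_REGISTERS -
1715760005.0 M03 10.10.0.5 40002 10.10.1.21 502 READ_HOLDING_REGISTERS -
1715760007.0 M04 10.10.0.5 40003 10.10.1.21 502 WRITE_SINGLE_REGISTER -
1715760010.0 M05 10.10.0.5 40004 10.10.1.21 502 READ_HOLDING_REGISTERS -
1715760010.5 M06 10.10.0.9 41002 10.10.1.21 502 READ_INPUT_REGISTERS -
1715760100.0 M07 10.10.0.5 40005 10.10.1.21 502 READ_HOLDING_REGISTERS -
1715760103.0 M08 10.10.0.9 41003 10.10.1.21 502 WRITE_MULTIPLE_REGISTERS -
1715760104.0 M09 10.10.0.5 40006 10.10.1.21 502 WRITE_MULTIPLE_COILS -
1715760105.0 M10 10.10.0.5 40007 10.10.1.21 502 WRITE_SINGLE_REGISTER ILLEGAL_DATA_ADDRESS
"""
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "func", "exception"]

def parse_modbus(text):
    """Log lines to dicts; Zeek's '#' header lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split()))
        rec["ts"] = float(rec["ts"])
        rows.append(rec)
    return rows

def learn_baseline(records, until=LEARN_UNTIL):
    """Which function codes each (client, server) pair used while learning."""
    seen = {}
    for r in records:
        if r["ts"] < until:
            seen.setdefault((r["orig_h"], r["resp_h"]), set()).add(r["func"])
    return seen

def detect(records, baseline, until=LEARN_UNTIL):
    """One (uid, finding) per suspicious transaction after the learning window.
    Check order: who wrote, then whether the function is new for that pair,
    then whether the device rejected a write (someone probing registers)."""
    findings = []
    for r in records:
        if r["ts"] < until:
            continue
        pair = (r["orig_h"], r["resp_h"])
        is_write = r["func"] in WRITE_FUNCS
        if is_write and r["orig_h"] not in ALLOWED_WRITERS.get(r["resp_h"], set()):
            findings.append((r["uid"], "unauthorized-writer"))
        elif r["func"] not in baseline.get(pair, set()):
            findings.append((r["uid"], "new-function"))
        elif is_write and r["exception"] != "-":
            findings.append((r["uid"], "write-exception"))
    return findings
# detect(...) -> [('M08', 'unauthorized-writer'), ('M09', 'new-function'),
#                 ('M10', 'write-exception')]
```

The learning window is the weak point of any baseline approach: if the implant was already active while you learned, its traffic is in the baseline. Seed the allowlist from engineering documentation rather than from observed traffic, and treat "new-function" as a review item, not a blocking alert, until the baseline has been through a full maintenance cycle.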


Deployment: Architected for Hybrid Visibility

Recommended Integration
  • Zeek and Suricata sensors at core OT switches, or on the boundary between the inverter VLANs and the control systems that poll them.

  • Out-of-band collection via mirrored (SPAN) ports or network TAPs keeps capture passive, so a sensor fault can never disrupt the process.

  • Make sure the sensors actually parse the protocols in use: Zeek ships Modbus and DNP3 analyzers but needs add-on packages for the other protocols listed above, and Suricata's Modbus and DNP3 parsers are typically disabled in the default suricata.yaml. An analyzer that is not loaded produces no log and no alert.

  • Léargas XDR centrally aggregates logs, alerts, behavioral deviations, and SIM/RF intel for cross-layer correlation.

Even when the LTE modem hides in plain sight, Léargas sees the shadows it casts.


Real-World Detection Strategy

✅ What You CAN See:

Signal                        | Tool                       | Detection Example
------------------------------|----------------------------|---------------------------------------------------------
Loss of expected traffic      | Zeek                       | Inverter stops sending Modbus data but is still active
Protocol misuse               | Suricata                   | OPC-UA write commands from read-only devices
RF activity in isolated zones | External (Bastille, SDR)   | New cellular signal detected in a controlled environment
SIM data/cell connections     | MDM / telco integration    | Unregistered SIM initiating an LTE session

Beyond Alerts: Strategic Correlation

Léargas enriches this data with:
  • Dark Web intelligence (e.g., references to compromised solar firmware)

  • Sentiment scoring across Telegram channels and Tor marketplaces

  • Historical anomaly detection, including prior firmware behavior baselines

Combined, this allows your SOC to respond before the device is fully weaponized.


Conclusion: You Can’t Patch a SIM Card—But You Can Detect It

A covert LTE radio’s own traffic is invisible to network tooling. Its effect on the plant is not, and that is what Léargas watches.
We’re not waiting for kill switches to flip.
We’re watching for the moment a trusted device starts acting like it doesn’t belong.

That’s the power of Zeek, Suricata, and a behavioral XDR built for ICS and hybrid IT/OT defense.


References

  1. Reuters: Ghost in the Machine – Rogue Devices in Chinese Inverters

  2. Yahoo News: Chinese Kill Switches Found in U.S. Power Inverters

  3. Elastic: Léargas Chooses Elastic for Threat Detection

  4. Critical Path Security: Work-from-Home Security Support
