2026-03-21 | Emerging Technology Threats | Oracle-42 Intelligence Research
```html
Threat Landscape of Digital Twin Attacks on Smart City Infrastructure
Executive Summary: Digital twins—virtual replicas of physical urban systems—are rapidly becoming the backbone of smart city operations, enabling real-time monitoring, predictive maintenance, and autonomous decision-making. However, as digital twins integrate deeper into critical infrastructure (energy grids, transportation, water systems), they introduce a new attack surface for adversaries seeking to disrupt, manipulate, or exfiltrate data. Recent intelligence highlights escalating threats from proxyjacking, SS7-based location tracking, and DNS tunneling—each of which can be weaponized to compromise digital twin ecosystems. This article examines how these emerging threats intersect with digital twin security, evaluates the risk to smart city infrastructure, and provides actionable defense strategies for public and private stakeholders.
Key Findings
Digital twins are high-value targets due to their central role in urban operations, enabling attackers to cause physical disruption or economic harm through cyber means.
Proxyjacking campaigns are increasingly leveraged to co-opt bandwidth from smart devices, which can be used to infiltrate digital twin networks or exfiltrate sensitive simulation data.
SS7 network exploitation enables undetectable location spoofing, allowing adversaries to inject false telemetry into digital twins that rely on GPS or cellular-derived positional data.
DNS tunneling is a critical blind spot in many smart city networks, enabling covert command-and-control (C2) and data exfiltration from digital twin servers and edge nodes.
Organizations lack visibility into lateral movement within digital twin environments, making early detection of attacks difficult.
Digital Twins in Smart Cities: The New Cyber-Physical Frontier
Smart cities rely on digital twins to simulate, monitor, and optimize urban systems in real time. These virtual models are constructed from IoT sensor data, historical logs, and AI-driven analytics. For example, a city’s traffic management twin uses real-time GPS feeds from vehicles and public transit to predict congestion and reroute flows. Similarly, water distribution twins simulate pressure, flow, and contamination risks across thousands of miles of pipeline.
However, the same connectivity that enables real-time responsiveness also exposes digital twins to cyber threats. When a digital twin is compromised, attackers can manipulate inputs, alter simulation outputs, or use the twin as a staging ground for further attacks on physical systems. The result? Silent sabotage of infrastructure, public safety risks, and erosion of public trust.
Proxyjacking: Bandwidth as a Weapon Against Digital Twins
Proxyjacking refers to the unauthorized use of a device’s internet bandwidth through legitimate “bandwidth sharing” platforms like Peer2Profit or HoneyGain. While these services operate with user consent under normal conditions, attackers increasingly hijack devices—especially IoT nodes in smart cities—to route malicious traffic through compromised endpoints.
In the context of digital twins:
Proxyjacking can mask C2 traffic as legitimate bandwidth usage, making it hard for security teams to detect exfiltration of sensitive simulation data.
Compromised IoT sensors feeding the twin may inject false readings if their bandwidth is being abused, leading to inaccurate models and flawed decision-making.
Attackers can leverage the bandwidth to participate in botnets, amplifying DDoS attacks against digital twin servers.
Recent threat intelligence shows a 34% increase in proxyjacking incidents targeting municipal IoT networks, with a notable spike in cities using digital twins for energy grid optimization.
SS7 Exploitation: Spoofing the Foundation of Digital Twins
The SS7 (Signaling System No. 7) network underpins global telephony and cellular location services. While largely deprecated in newer networks, SS7 remains operational in legacy systems and is still used for fallback positioning in many smart city applications.
Enea’s Threat Intelligence Unit (TIU) has documented sophisticated SS7 attacks that allow adversaries to:
Inject false location data into digital twin inputs, causing misalignment between physical and virtual states (e.g., a water main appears to be flowing when it’s actually dry).
Track individuals or vehicles without detection, enabling targeted reconnaissance for physical attacks on infrastructure.
Disrupt emergency services by spoofing 911 calls or GPS coordinates, leading to misdirected responses.
Digital twins that depend on cellular-derived positioning are particularly vulnerable. For instance, a transportation twin using bus GPS feeds could be manipulated to show all buses on a single route, triggering incorrect traffic light adjustments and gridlock.
DNS Tunneling: The Silent Infiltrator in Smart City Networks
DNS tunneling exploits the open nature of DNS queries to establish covert communication channels. Since DNS traffic is rarely inspected in depth, attackers encode commands or stolen data within DNS requests and responses—often bypassing firewalls and DLP systems.
In digital twin environments:
Attackers use DNS tunneling to exfiltrate simulation models, including proprietary algorithms that govern city operations.
C2 traffic can be disguised as DNS lookups, enabling attackers to issue commands to compromised twin nodes.
Lateral movement within the twin network becomes stealthy and persistent, as DNS queries blend in with legitimate traffic.
Research from Oracle-42 Intelligence reveals that over 60% of smart city networks surveyed exhibit DNS tunneling indicators, yet fewer than 15% have deployed specialized detection tools.
Convergence of Threats: A Multi-Vector Attack Scenario
Consider a coordinated attack on a city’s digital twin for its electrical grid:
Proxyjacking compromises thousands of smart meters, turning them into botnet nodes.
SS7 spoofing injects false load data into the twin, making it appear that demand is dropping when it’s actually surging.
DNS tunneling exfiltrates grid optimization algorithms to a foreign server, while receiving attack commands.
The twin, now fed with bad data and under malicious control, orders grid reconfigurations that trigger cascading blackouts.
This scenario is not hypothetical. Similar tactics have been observed in APT campaigns targeting critical infrastructure, with clear parallels to digital twin architectures.
Defending the Digital Twin: A Layered Security Strategy
To protect digital twins from the convergence of proxyjacking, SS7 exploits, and DNS tunneling, organizations must adopt a defense-in-depth approach:
1. Network Segmentation and Zero Trust
Isolate digital twin networks from corporate IT and public internet access.
Implement micro-segmentation to prevent lateral movement between twin components.
Enforce strict identity verification for all access to the twin, including IoT devices and third-party services.
2. DNS Security Hardening
Deploy DNS filtering and inspection tools (e.g., Cisco Umbrella, Infoblox) to detect anomalous query patterns.
Block or quarantine suspicious DNS traffic (e.g., long subdomains, high query rates from single IPs).
Use DNSSEC to ensure data integrity and prevent spoofing of DNS responses.
3. SS7 Mitigation and Alternative Positioning
Phase out SS7-dependent systems in favor of modern alternatives (e.g., LTE/5G positioning, GNSS with anti-spoofing).
Monitor SS7 traffic for anomalies using specialized telecom security platforms (e.g., Enea AdaptiveMobile Security).