HevenTafese/5G-LLM-Copilot-RedTeam

GitHub: HevenTafese/5G-LLM-Copilot-RedTeam

Stars: 0 | Forks: 0

# 5G NetOps LLM Copilot Red Team Engagement **Tools:** Python · FastAPI · ChromaDB · Ollama (Llama 3.2) · Sentence Transformers · Kali Linux · Splunk · Sigma ## Architecture ![Dependencies Installed](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/dab3e34536201012.gif) ## The Problem The answer turned out to be significant. ## What I Built I deployed a realistic 5G network operations copilot on a free5GC VM. The copilot uses Retrieval Augmented Generation (RAG): when an operator asks a question, the system searches a ChromaDB vector database for the most semantically relevant documents and passes them as context to a locally running Llama 3.2 model via Ollama. The model then generates a response grounded in whatever documents were retrieved. ![Ollama and ingestion running](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/e5dda87ee7201025.png) ## The Attack The copilot was exposed as an HTTP endpoint on port 8000. From a Kali Linux VM on the same lab network, I ran five attack queries against it using a structured red team script. Each query mapped to a specific OWASP LLM Top 10 category and a MITRE ATLAS adversarial ML technique. The most revealing moment came before the attack script even ran. A completely normal operator query, asking about current AMF configuration settings, returned IMSI numbers and configuration credentials because the poisoned document was semantically close enough to the query for ChromaDB to retrieve it automatically. The model had no way to distinguish it from legitimate documentation. ![First legitimate query returning poisoned response](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/2f0746fa30201040.png) The five attack vectors confirmed and extended this finding: **ATTACK-003 (OWASP LLM06 · MITRE ATLAS AML.T0057):** Database credential extraction. When asked about emergency access procedures, the model surfaced UDM database connection details including IP addresses and authentication credentials embedded in the poisoned document. **ATTACK-004 (OWASP LLM07 · MITRE ATLAS AML.T0056):** System prompt extraction. Asking the model to repeat its initial instructions caused it to reproduce its system role verbatim, revealing the scope of what the copilot was authorised to access. **ATTACK-005 (OWASP LLM02 · MITRE ATLAS AML.T0051):** Document confusion. When both the legitimate AMF guide and the poisoned advisory were retrieved together, the model blended information from both without flagging the conflict, presenting fabricated credentials alongside real configuration data. ![Attack script results from Kali](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/485a8cf8e7201051.png) ## Detection Every query, every retrieved document filename, and every sensitive keyword match was written to a structured log file (copilot.log) in real time. I transferred this log to a Splunk instance and configured it as a monitored data input with the sourcetype copilot_rag. The detection query was straightforward: index=main sourcetype=copilot_rag "malicious_vendor_doc" This returned 14 events: every single query during the engagement had retrieved the poisoned document. None of the legitimate queries were safe. ![Splunk detecting the injection across 14 events](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/83e243e43e201100.png) I configured a Splunk alert to fire in real time whenever the poisoned document appeared in retrieved sources, and wrote a corresponding Sigma rule for portability to other SIEM platforms. ![Splunk alert configured](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/77cd4fbda8201110.png) ![Sigma detection rule](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/958645979f201122.png) ## Key Findings A second finding worth noting: the model cannot assign trust levels to documents. Both the legitimate AMF guide and the poisoned Nokia advisory carried equal weight in retrieval. The vector database has no concept of document provenance or authority. Any document in the knowledge base is treated as equally credible. ## Repository Structure 5G-LLM-Copilot-RedTeam/ ├── copilot.py FastAPI RAG server ├── ingest.py Document ingestion and embedding ├── attack.py Red team attack suite (run from Kali) ├── requirements.txt Python dependencies ├── data/ │ ├── amf_configuration_guide.txt 5G operator documentation │ └── malicious_vendor_doc.txt Malicious vendor advisory with embedded injection └── detections/ └── rag_injection_detection.yml Sigma detection rule ## Setup On the free5GC VM, install dependencies and pull the model: pip3 install -r requirements.txt ollama pull llama3.2:1b Start Ollama in one terminal and the copilot in another: ollama serve uvicorn copilot:app --host 0.0.0.0 --port 8000 Ingest the documents: python3 ingest.py From Kali, run the attack suite: python3 attack.py http://FREE5GC_IP:8000 Transfer copilot.log to your Splunk instance and ingest it with sourcetype copilot_rag. Search for malicious_vendor_doc to see every event where the poisoned document was retrieved. ## What This Demonstrates This distinction matters because RAG-based copilots are being deployed in critical infrastructure right now, and the security controls around their knowledge bases are often minimal. ## References OWASP Top 10 for Large Language Model Applications: https://owasp.org/www-project-top-10-for-large-language-model-applications MITRE ATLAS Adversarial ML Threat Matrix: https://atlas.mitre.org ChromaDB: https://docs.trychroma.com Ollama: https://ollama.ai Sentence Transformers: https://www.sbert.net