Hackers Breached A1 Telekom, Austria's largest ISP

Hackers breached A1 Telekom

• In June 2020, A1 Telekom disclosed that it was suffering a malware infection since November 2019. The infection was detected in December 2019, but it took five more months to detect and remove all of the hidden backdoor components, and to completely stop the intrusion.
• The intruders are thought to be a nation-state hacking group (possibly the Chinese APT group Gallium) with financial motivation. They penetrated the networks through web shells and managed to compromise some databases and ran some queries to get information about the company's internal network.
• These queries were very specific inquiries about the location, phone numbers, and other customer data related to some private customers of A1, and a massive amount of data was downloaded.

Gallium - A threat for the telecom sector

• In December 2019, Microsoft had issued a warning against this group, detailing its malware infrastructure that is based in China and Hong Kong.
• The group was most active between 2018 and mid-2019, targeting telecom providers by attacking their Active Directory. It aimed to steal information including personally identifiable information, financial records, geolocations, and more.
• The group mostly uses open-source network scanning tools like HTRAN, Mimikatz, NBTScan, Netcat, WinRAR, PsExec, and Windows Credential Editor, to avoid detection.
• They also compromise unpatched web services like WildFly/JBoss and then install malicious tools like BlackMould, China Chopper, Poison Ivy, and QuarkBandit.

Security recommendations