Telecom network providers often own and operate critical infrastructure related to sensitive communications which makes them a big target for cyberespionage attacks. Recently, Austria's largest ISP was targeted by such an espionage attack.
Hackers breached A1 Telekom
A1 Telekom recently provided details about a six-month-long espionage attack on its infrastructure.
- In June 2020, A1 Telekom disclosed that it was suffering a malware infection since November 2019. The infection was detected in December 2019, but it took five more months to detect and remove all of the hidden backdoor components, and to completely stop the intrusion.
- The intruders are thought to be a nation-state hacking group (possibly the Chinese APT group Gallium) with financial motivation. They penetrated the networks through web shells and managed to compromise some databases and ran some queries to get information about the company's internal network.
- These queries were very specific inquiries about the location, phone numbers, and other customer data related to some private customers of A1, and a massive amount of data was downloaded.
Gallium - A threat for the telecom sector
Gallium threat group is already known for targeting organizations in the telecommunication sector across the globe and is believed to be active since 2012.
- In December 2019, Microsoft had issued a warning against this group, detailing its malware infrastructure that is based in China and Hong Kong.
- The group was most active between 2018 and mid-2019, targeting telecom providers by attacking their Active Directory. It aimed to steal information including personally identifiable information, financial records, geolocations, and more.
- The group mostly uses open-source network scanning tools like HTRAN, Mimikatz, NBTScan, Netcat, WinRAR, PsExec, and Windows Credential Editor, to avoid detection.
- They also compromise unpatched web services like WildFly/JBoss and then install malicious tools like BlackMould, China Chopper, Poison Ivy, and QuarkBandit.
To prevent attacks from such threat actors, organizations should ensure regular patching of their servers, applications, and endpoints, and maintain audit logs to detect any anomalous activity. It is also recommended to run web services with the minimum required operating system permissions only. Also, using behavioral analysis-based detection could help identify certain threat actors with known tactics, techniques, and procedures (TTPs).