12 recent cyber-attacks on the telco sector

In this post we summarise recent cyber-attacks on providers of telecommunications services.

  • SFR, Free, Bouygues, and Alphalink (France)
  • AT&T (United States) 2024 metadata breach
  • Frontier Communications (United States)
  • AT&T (United States) Breached 2019; leaked 2024
  • Edpnet (Belgium)
  • Triacom, Misto TV, Linktelecom and KIM (Ukraine)
  • Tangerine (Australia)
  • Orange España (Spain)
  • Bharat Sanchar Nigam Limited (India)
  • Kyivstar (Ukraine)
  • Mint Mobile (United States)
  • Xfinity (United States)

What are the business risks of cyber-attacks on telecommunication service providers?

Cyber-attacks on telcos can have far-reaching consequences. The nature of the information held on customers can put their personal safety at risk if it is breached, and outages can prevent connected, critical equipment and services from operating correctly.

Whilst not the result of a cyber-attack, the total Optus outage of 2023 in Australia resulted in several hundred calls to 000 failing, highlighting the real-world consequences that can occur when telecommunications services fail. 000 in Australia is the equivalent of 911, 112, and 999 in other jurisdictions.

Data breaches and service failures undermine customer trust and tarnish reputations at a minimum, leading to loss of future customer revenue on top of out-of-pocket recovery expenses. At worst they can result in loss of life.

Telecommunications providers who recently suffered cyber-attacks

SFR, Free, Bouygues, and Alphalink

Date: July 2024
Country: France
Consequence: Fixed and mobile service disruption, including internet

French telecom infrastructure was sabotaged, disrupting fixed and mobile services of several providers, including SFR, Free, Bouygues, and Alphalink.

The attack, which occurred across at least six geographic areas, involved cutting long-distance cables, affecting service quality and causing slowdowns. The cables were located in places “that are little known to the general public and that required precise information”. Network traffic was rerouted, however, sometimes with a degradation in quality of service.

The incident coincided with the Paris 2024 Olympics.

Read more: theregister.com and techradar.com.

AT&T

Date: April 2024
Country: United States
Consequence: Leaked metadata on 109 million customers

A breach of AT&T’s Snowflake cloud workspace resulted in the theft of call and text metadata on 109 million customers. The stolen data included records of calls and texts, including the phone numbers involved, and in some cases cell tower identification numbers, potentially allowing geolocation of customers.

The breach occurred between 14 April and 25 April 2024 and led to the exfiltration of records covering 1 May to 31 October 2022 and the single day of 2 January 2023.

The attack affected AT&T wireless customers and those using mobile virtual network operators on AT&T’s network.

AT&T reportedly paid a $370,000 ransom for deletion of stolen data. The FBI arrested at least one person in connection with the theft.

Read more: therecord.media and darkreading.com.

Frontier Communications

Date: April 2024
Country: United States
Consequence: Support systems taken offline, data breach

Frontier Communications took its internal support systems and company website offline as part of its response and containment measures when a cyber-attack was detected. An investigation determined that the attacker had gained access to personally identifiable information.

Read more: therecord.media and darkreading.com.

AT&T

Date: 2019 data breached; 2024 data leaked
Country: United States
Consequence: Leaked data on 73 million people

AT&T confirmed that personal information and data from 73 million accounts had been leaked onto the dark web. Although the passcodes were encrypted, a researcher found only about 10,000 unique encrypted values across the accounts, one for each possible four-digit passcode from 0000 to 9999. An account’s passcode could therefore be determined by fairly unsophisticated means. AT&T triggered a mass reset of account passcodes.

Read more at techcrunch.com and bleepingcomputer.com.
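The weakness described above, as an added example (not from this article or from AT&T): a four-digit passcode stored under any deterministic, unsalted transformation (an unsalted SHA-256 stands in here for the unknown encryption) can take at most 10,000 distinct values across all accounts, which a cardinality audit of the stored column will flag; per-account salted PBKDF2 is shown as the hardened alternative, and the passcode sample is constructed.

```python
import hashlib
import random
import secrets

PIN_SPACE = 10_000        # four digits, 0000-9999
KDF_ITERATIONS = 100_000  # PBKDF2 work factor for the hardened scheme

def deterministic_encode(pin: str) -> str:
    """Constructed stand-in for any key-less, unsalted, deterministic encoding:
    equal passcodes give equal stored values, so the column can never hold
    more than PIN_SPACE distinct values however many accounts it has."""
    return hashlib.sha256(pin.encode()).hexdigest()

def salted_encode(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> str:
    """Hardened storage: random per-account salt plus a slow KDF, so equal
    passcodes no longer share a value and each guess costs a KDF run per account."""
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return f"{salt.hex()}:{iterations}:{dk.hex()}"

def verify_salted(pin: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, _ = stored.split(":")
    candidate = salted_encode(pin, bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate, stored)

def audit_cardinality(stored_values, keyspace: int = PIN_SPACE) -> dict:
    """Defender's check on a credential column: more accounts than the secret
    space but no more distinct stored values than the space means the encoding
    is deterministic and each value corresponds to exactly one passcode."""
    accounts, distinct = len(stored_values), len(set(stored_values))
    return {"accounts": accounts, "distinct": distinct,
            "deterministic_low_entropy": accounts > keyspace and distinct <= keyspace}

def constructed_pins(n: int, seed: int = 1) -> list:
    """Constructed sample of n random four-digit passcodes (not real data)."""
    rng = random.Random(seed)
    return [f"{rng.randrange(PIN_SPACE):04d}" for _ in range(n)]

if __name__ == "__main__":
    pins = constructed_pins(50_000)
    print(audit_cardinality([deterministic_encode(p) for p in pins]))  # flagged
    sample = pins[:20]
    stored = [salted_encode(p, secrets.token_bytes(16)) for p in sample]
    print(audit_cardinality(stored)["distinct"] == len(sample))        # True
    print(all(verify_salted(p, s) for p, s in zip(sample, stored)))    # True
```

Salting stops cross-account correlation and the one-lookup-per-value mapping, but a four-digit space is still small; a slow KDF, lockout and rate limiting on verification are what make guessing expensive.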

Edpnet

Date: March 2024
Country: Belgium
Consequence: Loss of customer access to account management

Edpnet confirmed that customers were unable to access their accounts after hackers penetrated its administrative systems. It took the company around 60 hours to identify a cyber-attack as the cause of the technical issues.

Read more at techzine.eu.

Triacom, Misto TV, Linktelecom and KIM

Date: March 2024
Country: Ukraine
Consequence: Loss of service and operational disruption for over a week

The same hacking group suspected of the 2023 cyber-attack on Ukraine’s largest telecommunications provider, Kyivstar, was likely behind attacks on four small Ukrainian internet providers. Operations were disrupted for more than a week. Impacted customers included government agencies and parts of the Ukrainian armed forces.

Read more at therecord.media.

Tangerine

Date: February 2024
Country: Australia
Consequence: Data breach

The personal details of 232,000 customers were stolen by a hacker in February 2024. The breach was believed to have been the result of a single [unauthorised] user gaining access to an old customer database.

Read more at Canstar Blue.

Orange España

Date: January 2024
Country: Spain
Consequence: Mobile browsing service degradation

Mobile browsing services provided by the major Spanish carrier Orange España were disrupted for around three hours. Cloudflare observed a drop of approximately 50% from usual traffic levels.

A malicious actor was able to access and tamper with critical network configuration systems, in this case ones that require the services of a third party. The modifications they made disrupted the normal routing of internet traffic. Normal service resumed once the issue was identified and the third-party provider had restored account access to the rightful owner.

The attack was made possible by an Orange employee’s computer being infected with info-stealing malware in September 2023. The corporate login for the third-party system, which had been saved on that computer, was stolen.

Multi-factor authentication (MFA) was not enabled on the compromised account, which made it easy for the attacker to gain access to the third-party system.

Further reading with more technical detail is available at The Record.

Bharat Sanchar Nigam Limited

Date: December 2023
Country: India
Consequence: Data breach

State-owned telecom operator Bharat Sanchar Nigam Limited (BSNL) allegedly suffered a data breach of 2.9 million lines of data. The organisation has not publicly confirmed this.

A 32,000-line sample of the dataset published on the dark web included email addresses, billing details, contact numbers, mobile outage records, network details and order information.

Incidents like these compromise the privacy of users and place them at risk of identity theft, financial fraud and more convincing phishing attacks.

Further reading at The Economic Times.

Kyivstar

Date: December 2023
Country: Ukraine
Consequence: Loss of mobile services for 48 hours

Thousands of virtual servers and PCs were wiped during the attack, completely destroying the core of the operator.

Over 24 million customers were left without mobile services for several days from 12 December 2023. The loss of mobile service also affected other critical services, including air raid sirens, some banking services, ATMs, and point-of-sale terminals.

It is understood that the malicious actors who carried out the attack had access to Kyivstar systems since at least May 2023. An assessment found that, prior to wiping the systems, the attackers would have been able to steal personal information, identify the locations of phones and intercept SMS messages.

Whilst the war between Russia and Ukraine provides the context for this attack, the technique of sabotaging and wiping out core systems could be applied in other attacks given the right level of access.

Further insight into this attack is available in an exclusive Reuters interview with Illia Vitiuk, head of the Security Service of Ukraine’s cyber security department.

Mint Mobile

Date: December 2023
Country: United States
Consequence: Data breach

Personal customer information was revealed in a data breach of the mobile service provider. Leaked data included names, phone numbers, email addresses, SIM and International Mobile Equipment Identity (IMEI) numbers, and service plan descriptions.

The exposed data is enough for SIM swap attacks to be performed, where a phone number is “ported” to another device, typically that of an attacker. That device can then be used to receive password reset messages and one-time passcodes sent via SMS.

Further reading on the incident is available at BleepingComputer.

Xfinity

Date: October 2023
Country: United States
Consequence: Data breach

The data of around 36 million people was accessed by malicious actors after they exploited a publicly known vulnerability in Citrix technology used by Xfinity.

Xfinity, a cable TV and internet service provider, confirmed that the breached information included usernames and hashed passwords; for some customers, other information was also included, such as names, contact information, the last four digits of social security numbers, dates of birth and/or secret questions and answers.

Citrix had announced the vulnerability on 10 October 2023, along with a patch to fix the issue. Xfinity patched its systems around two weeks later. However, it later identified that someone had gained unauthorised access to some of its internal systems before the fix was applied, and that information had been breached.

This attack underscores the importance of prioritising and promptly patching vulnerable systems, particularly once details of a vulnerability have been published.

Further reading and commentary is available via TechCrunch.
