New CyberPeople report discloses increase in cyberattacks targeting telecommunication companies

Skills-based cybersecurity platform CyberPeople disclosed that there has been an increase in the number of cyberattacks aimed specifically at companies that provide telecommunication services. By keeping confidential information about all their customers, telecommunications companies have emerged as tempting targets for cybercriminals or insiders trying to trick customers and steal money. While ransomware remained a serious threat to organizations, in 2023, cyber threat actors focused on data theft and destruction, system disruption, and espionage.

“Controlling the vast majority of countries’ complex and critical infrastructure, used for data sharing, and storing vast amounts of sensitive data, the impact of a successful cyberattack on the telecommunications sector can be significant and sometimes catastrophic,” CyberPeople identified in its latest report titled ‘The major cyberattacks on the telecommunications sector in 2023.’

Authors Inna Serdiuk and Olga Nasibullina provide a comprehensive account of the cyberattacks on Kyivstar, Orange España, ‘Sea Turtle’ campaigns, and T-Mobile US, along with the available information on these incidents.

The report identified that on Dec. 12, 2023, at 5:26 am, Kyivstar’s specialists identified unusual behavior in their computer network. “At 6:30 am, ‘Kyivstar’ employees realized that the company was under a powerful hacker attack. The target of the attack was the core network, responsible for processing and routing traffic between users and services.”

It added that at 8:04 am, ‘Kyivstar’ publicly announced the technical failure in its operations and warned of possible service limitations for its subscribers. 

Ilya Vityuk, the head of the Cyber Security Department of the Security Service of Ukraine (SBU), reported that the attack caused ‘catastrophic’ destruction and aimed to deliver a psychological blow while obtaining intelligence information. 

Citing Vityuk, the CyberPeople report said that the attack destroyed ‘almost everything,’ including thousands of virtual servers and PCs, “describing it as possibly the first instance of a destructive cyberattack that ‘completely annihilated the core of the telecommunications operator.’”

The report also highlighted that the Telegram channel ‘Sontsepok’ published four screenshots intended to confirm their involvement in the attack on Kyivstar. 

Victor Zhora, former deputy head of the Ukrainian State Special Communications Service, noted that “If the published screenshots are genuine, then the enemy was present in the network for quite a long time, thoroughly studied the topology and infrastructure of the services.”

He added that the Telegram channel ‘Sontsepok’ is a ‘dumping ground’ for the GRU, where groups like APT28 and Sandworm deposit the results of their activities.

Vityuk confirmed that there is a high likelihood that the Sandworm hacking group, a unit of Russian military intelligence, was behind it. “Sandworm has previously carried out cyberattacks on Ukrainian targets, including telecommunication operators and internet service providers.” 

He also revealed that SBU investigators are still working to determine how the breach of Kyivstar occurred and what type of malware was used for the intrusion. He added that it could have been phishing, assistance from within, or something else. 

The CyberPeople report said that cybersecurity experts speculate that even if it was an inside job, an insider assisting the hackers did not have a high level of access within the company. This is because the hackers utilized software designed for stealing password hashes. Samples of this malicious software have been collected and are undergoing analysis, Vityuk added.

The report highlights the significant impact of the cyberattack, leading to extensive disruption and prompting ‘Kyivstar’ to take legal action against the interference in their network operations. The estimated damages are reported to be in the billions of hryvnias.

The CyberPeople report said that one of the largest mobile operators in Spain has officially announced the restoration of its services after a cyberattack that caused a failure in the company’s internet infrastructure.

“Through its social media account, on January 3, 2024, Orange España spoke about the incident that occurred and its impact on customers,” the report detailed. “There was no official comment on whether the internet outage directly affected the Madrid-based company’s mobile service, but the outage lasted about three hours in total.”

An attacker made changes to Orange España’s RIPE account, causing Border Gateway Protocol (BGP) routing to fail, with significant traffic loss. RIPE is a Regional Internet Registry (RIR) that oversees the allocation and registration of IP addresses and autonomous system (AS) numbers in Europe, Central Asia, Russia, and West Asia.

A hacker on X with a newly created account called ‘Ms_Snow_OwO’ posted screenshots showing how they hacked the Orange RIPE NCC (Network Coordination Center) account using the password ‘ripeadmin.’

According to the CyberPeople report, the attacker created an invalid Resource Public Key Infrastructure (RPKI) configuration for Orange España. RPKI is supposed to help secure BGP routing, but in this incident, the hacker used it to ensure that switching to an AS number would cause problems. “This resulted in a performance issue on the Orange España network between 14:45 and 16:15 UTC, which can be seen in the Cloudflare traffic graph for AS12479.”
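To make the mechanism concrete, the following is an added illustration (not code from the CyberPeople report, Orange España or RIPE NCC) of how a router performs RPKI route origin validation per RFC 6811 and why a tampered Route Origin Authorization (ROA) turns a network’s own correct announcements into “Invalid” routes that validating neighbours drop. Only AS12479 is taken from the article; the prefix 203.0.113.0/24 and the rogue AS64496 are constructed from documentation ranges, and the `roa_changes` check at the end is a defender-side detection idea of this example, not something the report describes.

```python
"""RPKI route origin validation (RFC 6811), worked example.

Added example for this article; not code from the CyberPeople report or from
any operator or registry. Prefix 203.0.113.0/24 and AS64496 are constructed
(documentation ranges); AS12479 is the Orange España AS named in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the holder authorises
    max_length: int   # most-specific prefix length permitted
    asn: int          # origin AS authorised to announce it


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int


def covers(roa: ROA, ann_net) -> bool:
    """A ROA covers an announcement when the announced prefix lies within it."""
    roa_net = ip_network(roa.prefix)
    # subnet_of() raises on mixed v4/v6, so check the family first
    return roa_net.version == ann_net.version and ann_net.subnet_of(roa_net)


def validate(ann: Announcement, roas) -> str:
    """RFC 6811 outcome: NotFound (no covering ROA), Valid, or Invalid."""
    ann_net = ip_network(ann.prefix)
    covering = [r for r in roas if covers(r, ann_net)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.asn == ann.origin_asn and ann_net.prefixlen <= r.max_length:
            return "Valid"
    # Covered by at least one ROA, but no ROA matches origin AS and length
    return "Invalid"


LEGIT_ORIGIN = 12479   # AS12479, from the article
ROGUE_ORIGIN = 64496   # constructed, RFC 5398 documentation ASN
ORANGE_ANNOUNCEMENT = Announcement("203.0.113.0/24", LEGIT_ORIGIN)  # constructed prefix


def before_tampering() -> str:
    """Correct ROA: the operator's own announcement validates."""
    roas = [ROA("203.0.113.0/24", 24, LEGIT_ORIGIN)]
    return validate(ORANGE_ANNOUNCEMENT, roas)


def after_tampering() -> str:
    """ROA rewritten via a hijacked registry account to another origin AS:
    the operator's unchanged announcement is now Invalid everywhere ROV is enforced."""
    roas = [ROA("203.0.113.0/24", 24, ROGUE_ORIGIN)]
    return validate(ORANGE_ANNOUNCEMENT, roas)


def too_specific() -> str:
    """Right origin but a maxLength too short for the announced /24: Invalid."""
    roas = [ROA("203.0.112.0/22", 22, LEGIT_ORIGIN)]
    return validate(ORANGE_ANNOUNCEMENT, roas)


def no_roa() -> str:
    return validate(ORANGE_ANNOUNCEMENT, [])


def roa_changes(old, new):
    """Detection helper: prefixes whose set of authorised origin ASNs changed
    between two snapshots of your own ROAs (alert on any unexpected change)."""
    def by_prefix(roas):
        m = defaultdict(set)
        for r in roas:
            m[r.prefix].add(r.asn)
        return m
    o, n = by_prefix(old), by_prefix(new)
    return sorted(p for p in set(o) | set(n) if o.get(p, set()) != n.get(p, set()))


if __name__ == "__main__":
    print("before:", before_tampering(), "after:", after_tampering())
    print("changed:", roa_changes([ROA("203.0.113.0/24", 24, LEGIT_ORIGIN)],
                                  [ROA("203.0.113.0/24", 24, ROGUE_ORIGIN)]))
```

The lesson for operators is that ROAs are only as trustworthy as the registry account that publishes them; periodically snapshotting your own ROAs and alerting on any change that you did not make (as `roa_changes` does) catches this class of incident before the Invalid routes propagate.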

The report added that the worst part of the incident is that ‘Snow’s’ motives are still unknown. Given the way the attacker behaved when changing the global routing table, the researchers believe they were simply experimenting with access to see what could be done. 

The CyberPeople report identified that during 2023, an Advanced Persistent Threat (APT) actor tracked as Sea Turtle (aliases: Cosmic Wolf, Marbled Dust, Silicon, and Teal Kurma, UNC1326) conducted successful espionage campaigns targeting government, telecommunications, media, and non-governmental organizations, as well as ISPs and IT service providers in the Netherlands.

“Sea Turtle was first identified by Cisco Talos in April 2019 and is believed to be sponsored by the Turkish government,” the report disclosed. “Their primary attack method involves DNS hijacking, redirecting targets attempting to request a specific domain to a server controlled by the threat. This server is capable of collecting victims’ credentials.”

According to Talos, Sea Turtle poses a more serious threat than DNS espionage due to the actor’s methodology of targeting various registrars and DNS registries. Microsoft also reported that the adversary is collecting intelligence to serve Turkey’s interests, focusing on countries such as Armenia, Cyprus, Greece, Iraq, and Syria.

The Netherlands security firm Hunt & Hackett analyzed the campaigns and found that the infrastructure of the targets was vulnerable to supply chain and island-hopping attacks. Sea Turtle used these flaws to collect politically motivated information, including personal data on minority groups and potential dissidents.

According to analysts, this APT is considered ‘moderate.’ Hackers mainly focus on exploiting available vulnerabilities to gain initial access to organizations.

The CyberPeople report recommends that to mitigate the risks associated with such attacks, organizations are encouraged to implement strong password policies, use two-factor authentication (2FA), limit the number of login attempts to reduce the likelihood of brute force attacks, monitor SSH traffic, and keep all systems and software up-to-date.

The CyberPeople report noted that over the past year T-Mobile US has faced several cyberattacks. “In early 2023, the company suffered the second most impactful cybersecurity incident in its lifetime, resulting in the data theft of approximately 37 million users. According to the content of the statement of T-Mobile US to the U.S. Securities and Exchange Commission (SEC), access to a limited set of customer account data was disclosed. However, the company claims that sensitive user data was not compromised by attackers.”

According to official information, the incident became known on Jan. 5, 2023. During the investigation, it was determined that the attackers had access from around Nov. 25, 2022, and the data was obtained through an enterprise application programming interface (API) without authorization. T-Mobile noted that the malicious activity was completely stopped within 24 hours of detection. The company later announced that this incident could cause significant losses, although official sources do not report which ones.

Second T-Mobile security breach

Last April, T-Mobile disclosed a second data breach in which attackers had access to the information of 836 customers beginning in late February 2023, the CyberPeople report said. “Official T-Mobile sources reported that the volume of compromised information is very large and exposes affected individuals to further theft of confidential data and targeted phishing attacks. Between late February and March 2023, an attacker was found to have accessed restricted information from multiple T-Mobile accounts.”

Later, on Sept. 22, ‘vx-underground’ published a tweet about 90 GB of personal data of T-Mobile employees being stolen as a result of the data leak. This was linked to the April hack of Connectivity Source, a T-Mobile retailer. T-Mobile itself has denied wrongdoing and does not appear to have been directly implicated in the incident.

The CyberPeople report recommends strengthening defenses against cyber threats by tracking cyber incidents using SIEM (Security information and event management), IPS (Intrusion Prevention System), and EDR (Endpoint Detection and Response) systems; applying a strong password policy; introducing mandatory two-factor authentication (2FA) for all users; and limiting the number of authorization attempts in the systems. 

It also calls for monitoring SSH traffic; updating systems and software promptly; maintaining a database of indicators of compromise; and educating employees and customers on the rules of cyber hygiene, since, in practice, malicious actors, using social engineering, successfully manipulate users to obtain initial access.
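Two of the recommendations repeated in both the Sea Turtle section and the closing list, limiting authentication attempts and monitoring SSH traffic, translate directly into detection logic. The block below is an added example (not from the CyberPeople report or any vendor SIEM) that parses sshd authentication lines in the syslog format OpenSSH emits, applies a sliding-window failure threshold per source address, and raises a higher-fidelity alert when a successful login follows a burst of failures from the same source. The log lines, hostname, addresses and the year (syslog timestamps carry none) are all constructed for the example.

```python
"""Brute-force detection over sshd authentication logs.

Added example for this article; not code from the CyberPeople report.
SAMPLE_LOG is constructed in the syslog format OpenSSH emits; ASSUMED_YEAR is
needed because syslog timestamps omit the year.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a burst of failures then a success from 198.51.100.7,
# and a single benign failure followed by a key-based login from 203.0.113.9.
SAMPLE_LOG = """\
Jan 12 10:00:01 edge1 sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
Jan 12 10:00:03 edge1 sshd[4021]: Failed password for invalid user admin from 198.51.100.7 port 51523 ssh2
Jan 12 10:00:04 edge1 sshd[4025]: Failed password for root from 198.51.100.7 port 51530 ssh2
Jan 12 10:00:06 edge1 sshd[4025]: Failed password for root from 198.51.100.7 port 51531 ssh2
Jan 12 10:00:07 edge1 sshd[4030]: Failed password for root from 198.51.100.7 port 51540 ssh2
Jan 12 10:00:09 edge1 sshd[4030]: Accepted password for root from 198.51.100.7 port 51541 ssh2
Jan 12 10:00:15 edge1 sshd[4033]: Failed password for ops from 203.0.113.9 port 40010 ssh2
Jan 12 10:00:40 edge1 sshd[4033]: Accepted publickey for ops from 203.0.113.9 port 40011 ssh2
Jan 12 11:30:00 edge1 sshd[4100]: Failed password for ops from 203.0.113.9 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ASSUMED_YEAR = 2024  # constructed; syslog lines carry no year


def parse(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyse(log_text, max_failures=5, window_seconds=60, burst=3):
    """Sliding-window brute-force detection keyed by source address.

    Emits ("brute_force", ip, ts) once a source reaches max_failures inside
    window_seconds, and ("success_after_failures", ip, user) when a login
    succeeds right after at least `burst` recent failures from that source.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        # Expire failures that fell out of the sliding window
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == max_failures:        # fire once at the threshold
                alerts.append(("brute_force", ev["ip"], ev["ts"]))
        else:
            if len(q) >= burst:               # success after a burst: likely guessed
                alerts.append(("success_after_failures", ev["ip"], ev["user"]))
            q.clear()
    return alerts


def sources_to_block(alerts):
    """Addresses that tripped the brute-force threshold (feed to a firewall/lockout)."""
    return sorted({ip for kind, ip, _ in alerts if kind == "brute_force"})


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a)
    print("block:", sources_to_block(SAMPLE_LOG and analyse(SAMPLE_LOG)))
```

A lockout policy built on the same counter (deny further attempts from a source once `max_failures` is reached in the window) implements the report’s “limit the number of authorization attempts” recommendation; the success-after-failures alert is the one worth paging on, since it indicates a guess that worked rather than noise.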
