A1 Telekom security breach in November 2019 led to malware infection. The attackers were able to remain in A1 Telekom network for almost half a year till May 22, 2020.
A1 Telekom Security Breach 2019-2020
On June 08, 2020 A1 Telekom, the largest Austrian internet service provider, admitted a security breach. From December 2019 till May 2020 it team of about 100 A1 Telekom IT specialists battled with malware operators, attempting to eliminate backdoors. According to the local security blogger Christian Haschek, the malware affected office network computers, but did not affect the entire A1 Telekom IT system, which consists of 15,000 PCs, more than 12,000 servers and several thousand applications. However, Haschek’s source insisted the attackers had gained access to more than 12,000 client systems which were all operated by A1.
“I am writing to you today because you seem to be a IT security related guy from Austria with a brain. I hope this assumption is correct, otherwise please disregard this message. I am writing concerning your local telecom company A1 Telekom.”Whistleblower “Libertas”
to cybersecurity researcher Christian Haschek
Just before Christmas 2019 the in-house A1-CERT found malware in the A1 Telekom office environment. This backdoor allowed intruders to penetrate A1 Tekelom IT systems. According to Haschek, A1 Telekom malware detection systems found several webshells spread around a variety of servers. At this point almost all internal servers were compromised. However, no spear phishing letters were found in relation to the data breach. Haschek’s source suspected that the attackers got in using a vulnerability of an unspecified Microsoft product.
A1 Telekom’s networks support financial transactions from banks, the local health network and the public radio, it was crucial to ensure the trouble-free operation of the critical infrastructure.
“Our first suspicion was that the attackers would implant malware into our systems, and then blackmail us. We therefore immediately checked whether our backup systems were working and removed them from the domain to be at least certain that we could fall back on them if we were blackmailed”Wolfgang Schwabl, Cyber Security Officer of A1-Telekom
The attackers compromised some databases and even ran database queries in order to learn the company’s internal network. A1 Telekom claims, customer data was not compromised. However, according to Haschek, the hackers made “very specific queries of location, phone numbers and other customer data for certain private A1 customers”.
In January 2020 A1 Telekom engaged external IT security experts. On May 22, 2020 A1 Telekom finally kicked the intruders out of their IT systems. A1 Telekom claim the intruders could not make their way to the systems because of the complexity of the internal network which is “by no means easy to understand for outsiders”.
A1 Telekom actually wanted to lock out the attacker earlier in March. However, due to the outbreak of COVID-19, the network operator had postponed the campaign by two months: “we as the critical infrastructure manager decided to postpone the cleanup for reasons of stability”.
Following the security breach A1 Telekom changed passwords for all 8000 employees, provided new keys and passwords for all servers and services, and conducted an IT security training. They also engaged two-factor authentication.
Unlike typical cyberattacks, the hackers did not roll out any ransomware. No data was encrypted. This speaks for an advanced persistent threat (APT), as is typically carried out by government-controlled, intelligence-related groups, according to Heise Security.
Haschek’s source claims the Gallium group was behind the attack. According to Microsoft, this group specializes in hacking telecom operators worldwide. A1 Telekom did not comment on the attribution.
Haschek prepared a comparison of the whistleblower’s position and the official A1 Telekom position. They are quite contradictory.
Statement of the anonymous source
- A1 was owned on a massive scale (over 12000 Servers)
- The attack was known internally but not stopped (to learn more about the attackers)
- It is unclear who the attackers were or if they were state sponsored but it seems to be a very sophisticated attack
A1 Telekom official statement
- Only a dozen devices were compromised and no customer or corporate data was stolen
- The attackers were discovered and kicked off their network on May 22 2020
- A1 was not blackmailed and it was not a cryptolocker
Data Leak 2018
It is not the first time that A1 Telekom Austria has noticed cyber security problems. In 2018 the company had to admit that a customer data and passwords were stolen. The data was stored in plain text.