Hackers have infiltrated the network of Telstra subsidiary Pacnet, which is one of the main data centers and undersea cable operators in Asia. The hack has exposed a significant number of the comms provider’s corporate customers, including the Australian Federal Police.
Telstra did not mince words in describing the extent of the attack.
“It is clear that they had complete access to the corporate network, and that’s why we are telling customers,” said Telstra chief security officer Mike Burgess, speaking to the Australian Business Journal.
He added, “We have not been able to tell from forensic information or system logs what has been taken from the network.”
Singapore and Hong Kong based Pacnet serves a range of large multinational customers, other carriers and governments in the Asia-Pacific region as well as the Americas. Telstra acquired the company late last year for $697 million.
The breach occurred prior to Telstra taking ownership of the business; so far it’s unclear when it happened and thus how long the bad actors had access. Burgess said in a statement that the Australian telco was informed of the breach only after the acquisition was finalized on April 16 this year. He stressed that Telstra’s own network is completely sequestered from Pacnet’s, and that it has not been open to bleed-over attacks from the compromise.
“When you read the phrase ‘move around the network’ associated with an incident like the Telstra-Pacnet breach…you can picture a bad guy running around hallways grabbing anything that isn’t nailed down,” said Jonathan Sander, strategy and research officer with STEALTHbits, told Infosecurity. “When people react to these incidents, they immediately think about fixing the hole that let the hacker get in. This perimeter thinking is not only old, it is getting dangerous.”
The investigation found that a third party had gained initial access to Pacnet’s corporate network through an SQL vulnerability, which allow hackers to issue commands on servers so they can access databases and change or delete information. Ultimately, the perpetrators were able to steal admin and user credentials to gain the keys to the rest of the network.
“Acquisition due diligence from a security standpoint is usually focused on the existence of security controls and compliance programs, and I wouldn’t be surprised if we start seeing more focused incident detection exercises before purchase,” said Trey Ford, global security strategist at Rapid7, via email. “That said, routine scanning should have detected an SQL injection vulnerability—and finding and closing internet exposed vulnerabilities should be top priority [to] technology teams.”
Burgess said that the security vulnerability has been addressed, and all known malicious software removed. Telstra has also put in place additional monitoring and incident response capabilities, and ran indicator-of-compromise checks across all of the Pacnet corporate IT network computers, both servers and workstations.
As for attribution, so far there has been no progress on that front.
“While we will look into who was behind the breach, we may never know as attribution is very difficult. We have not had any contact from the perpetrators nor do we know the reason behind this activity,” Burgess said.
Ford added, “Telecom service providers are interesting to all attackers, including nation state actors, making it even more critical for this sector to be aware of potential risks and vulnerabilities.”