Hacker Claims to Have Breached T-Mobile

Hacker Claims to Have Breached T-Mobile

Hacker Claims to Have Breached T-Mobile

Hacker Claims to Have

Breached T-Mobile

Hacker Claims to Have

Breached T-Mobile

By:
投稿者:
Joe Malenfant
August 16, 2021

It’s being widely reported that mobile telecoms company, T-Mobile is investigating a claim made by a hacker over the weekend of stolen data from 100 million customers. According to Bleeping Computer, the threat actor claims to be selling a database containing birth dates, driver’s license numbers and social security numbers of 30 million people in exchange for six Bitcoin (about $270,000). This isn’t the first time T-Mobile has been targeted in a cyberattack, but the claim made by the attacker in the current instance would indicate that this time around could be different.

Not your typical outcome

Without having a full scope of the details, it’s difficult to know what tactics were used in the attack, however, there are a few outcomes that can come from this type of hacker activity.

  • Option 1: After gaining access and the possibility of a breach occurs, the hacker notifies the vendor (in this case T-Mobile) to work out a price to settle the issue before any damage is done. There is no indication or report that this was the case here.
  • Option 2: Ransom. No surprise here as ransomware has dominated the headlines this year and continues to be a top concern for organizations as criminals can demand a steep price in exchange for data to be decrypted, while there’s no guarantee that the stolen data won’t resurface down the road. Based on the reports, it doesn’t appear that T-Mobile is dealing with ransomware.
  • Option 3: Data is sold on the open market. If what the hacker claims is true, this is the current situation for T-Mobile and it’s less than ideal because it typically means that the attacker has what they claim and can prove it.

This type of extensive data harvesting is typical of a low and slow attack where attackers gain access to a system and operate undetected, move around, tap on systems, and exfiltrate data. In fact, the average global dwell time that an attacker remains inside an environment is now 24 days, according to this Dark Reading article. Time and time again, organizations that fall prey to these attacks find all the evidence to determine what happened is buried in logs and just didn't get connected in the way that it needed to for the right 'alarm bells' to go off. As we’ve pointed out during previous attacks, it’s important for organizations to recognize that hackers don’t make obvious moves, and without the visibility necessary to see and stop their motions—defending against them is nearly impossible.

According to this Bleeping Computer article, “The threat actor claims to have hacked into T-Mobile's production, staging, and development servers two weeks ago, including an Oracle database server containing customer data. As proof that they breached T-Mobile's servers, the threat actors shared a screenshot of an SSH connection to a production server running Oracle.”

This is a developing story that our research team is actively monitoring. We will continue to post updates through our blog, including recommendations for companies concerned about persistent attacks.

About the author

Joe Malenfant

Joe Malenfant is the Vice President of Product Marketing at Vectra. Joe and his team are responsible for creating differentiated position for Vectra’s solutions, providing clarity to prospects, customers, and partners. Joe has spent over 10 years driving innovation in cyber security including endpoint detection and response, industrial control systems (ICS), IoT, and network security. He has launched category defining products from pure play SaaS to hardware solutions for IT, IoT, and ICS environments. He regularly presents at industry conference including RSA, Cisco Live, and IIoT World.

Prior to Vectra, he led marketing for Cisco’s Internet of Things business, a $1B portfolio spanning over 5 product segments including cloud, networking, and security. Prior to joining Cisco in 2014 he led product and solutions marketing Lockheed Martin Commercial cyber security solutions through the acquisition of ICS security company, Industrial Defender. Joe holds an MBA from Johnson & Wales in Providence, RI and an undergraduate degree from Concordia University in Montreal, Canada.

Author profile and blog posts

Most recent blog posts from the same author

Security operations

5 Biggest AWS Cloud Security Threats to Your Organization

August 18, 2021
Read blog post
Breach

Hacker Claims to Have Breached T-Mobile

August 16, 2021
Read blog post

Securing AWS Cloud: How the Pros Are Doing It

August 4, 2021
Read blog post