It’s being widely reported that mobile telecoms company T-Mobile is investigating a claim, made by a hacker over the weekend, that data on 100 million of its customers was stolen. According to Bleeping Computer, the threat actor claims to be selling a database containing birth dates, driver’s license numbers and Social Security numbers for 30 million people in exchange for six Bitcoin (about $270,000). This isn’t the first time T-Mobile has been targeted in a cyberattack, but the scope of the attacker’s claim suggests this incident could be different.
Not your typical outcome
Without the full details it’s difficult to know what tactics were used, but this kind of activity tends to play out in a few recognizable ways.
Data harvesting on this scale is typical of a low and slow attack: attackers gain a foothold, operate undetected, move laterally, probe systems, and exfiltrate data gradually rather than in one large burst. The average global dwell time, the period an attacker remains inside an environment before being detected, is now 24 days, according to this Dark Reading article. Time and again, organizations that fall prey to these attacks find that all the evidence needed to determine what happened was sitting in their logs, but the individual events were never connected in a way that would set off the right alarm bells. As we’ve pointed out during previous attacks, hackers don’t make obvious moves, and without the visibility to see and correlate their movements across the environment, defending against them is nearly impossible.
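To make the "evidence buried in logs that never got connected" point concrete, here is an added example (written for this post, not code from Vectra or from any investigation of the T-Mobile incident) that correlates two log sources a typical environment already has: sshd accept lines and per-flow outbound byte counts. It follows an external login through a chain of internal hops and then looks for the same reached hosts sending modest but persistent traffic to one external destination over several days. All log lines, host names, the `HOST_IP` inventory, the `10.0.0.0/8` internal range, and the thresholds are constructed assumptions for illustration; the TEST-NET addresses stand in for real external ones.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed inventory and internal range (assumptions for this example).
HOST_IP = {"jump01": "10.20.1.5", "app-stg-02": "10.20.3.12",
           "app-dev-07": "10.20.4.7", "db-prod-01": "10.20.2.21"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sshd lines: <ISO ts> <host> sshd: Accepted <method> for <user> from <src>
AUTH_LOG = """\
2021-07-20T01:12:04 jump01 sshd: Accepted password for svc_ops from 198.51.100.23
2021-07-20T01:15:40 jump01 sshd: Failed password for root from 198.51.100.23
2021-07-22T03:02:11 app-stg-02 sshd: Accepted publickey for svc_ops from 10.20.1.5
2021-07-26T02:48:33 app-dev-07 sshd: Accepted publickey for svc_ops from 10.20.1.5
2021-07-30T02:11:09 db-prod-01 sshd: Accepted publickey for svc_ops from 10.20.1.5
2021-07-30T09:00:00 app-stg-02 sshd: Accepted publickey for alice from 10.20.7.40
""".splitlines()

# Constructed flow summaries: <ISO ts> <host> out <dst_ip> bytes=<n>
# The 900 MB flow to 10.20.9.9 is a legitimate internal backup; the
# ~40 MB nightly flows from db-prod-01 are the slow exfiltration.
FLOW_LOG = """\
2021-07-31T02:20:00 db-prod-01 out 203.0.113.45 bytes=38000000
2021-08-01T02:25:00 db-prod-01 out 203.0.113.45 bytes=41000000
2021-08-01T12:00:00 app-stg-02 out 203.0.113.45 bytes=1200
2021-08-02T02:22:00 db-prod-01 out 203.0.113.45 bytes=40500000
2021-08-03T02:30:00 db-prod-01 out 203.0.113.45 bytes=39800000
2021-08-03T10:00:00 db-prod-01 out 10.20.9.9 bytes=900000000
2021-08-04T02:27:00 db-prod-01 out 203.0.113.45 bytes=42000000
""".splitlines()

SSH_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")
FLOW_RE = re.compile(r"^(\S+) (\S+) out (\S+) bytes=(\d+)$")


def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL_NET


def parse_auth(lines):
    """Return (ts, host, user, src) for accepted logins, oldest first; other lines are ignored."""
    out = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            ts, host, user, src = m.groups()
            out.append((datetime.fromisoformat(ts), host, user, src))
    return sorted(out)


def parse_flows(lines):
    """Return (ts, host, dst, bytes) tuples."""
    out = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            ts, host, dst, n = m.groups()
            out.append((datetime.fromisoformat(ts), host, dst, int(n)))
    return out


def login_chains(events):
    """Per user, the hosts reachable from an external entry login by following
    later logins whose source address belongs to a host already reached."""
    ip_to_host = {ip: h for h, ip in HOST_IP.items()}
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    chains = {}
    for user, evs in by_user.items():
        reached, entry = {}, None          # host -> first login time
        for ts, host, _, src in evs:
            if is_external(src):
                entry = entry or src
                reached.setdefault(host, ts)
            elif ip_to_host.get(src) in reached:
                reached.setdefault(host, ts)
        if entry and len(reached) > 1:
            span = (max(reached.values()) - min(reached.values())).days
            chains[user] = {"entry": entry, "hosts": sorted(reached), "span_days": span}
    return chains


def persistent_outbound(flows, hosts, min_days=3, min_total=100_000_000):
    """(host, dst) pairs with external traffic on at least min_days distinct days
    and at least min_total bytes overall, i.e. low-volume but persistent."""
    per_day = defaultdict(int)
    for ts, host, dst, n in flows:
        if host in hosts and is_external(dst):
            per_day[(host, dst, ts.date())] += n
    totals = defaultdict(lambda: {"days": 0, "bytes": 0, "largest_day": 0})
    for (host, dst, _), n in per_day.items():
        t = totals[(host, dst)]
        t["days"] += 1
        t["bytes"] += n
        t["largest_day"] = max(t["largest_day"], n)
    return {k: v for k, v in totals.items()
            if v["days"] >= min_days and v["bytes"] >= min_total}


def single_event_alerts(flows, threshold=100_000_000):
    """A naive per-flow size rule, for contrast: it fires on the big internal
    backup and misses every one of the small exfiltration flows."""
    return [(h, d, n) for _, h, d, n in flows if n >= threshold]


def correlate(auth_lines, flow_lines):
    """Join the login chain with persistent outbound traffic from the reached hosts."""
    flows = parse_flows(flow_lines)
    alerts = []
    for user, chain in login_chains(parse_auth(auth_lines)).items():
        exfil = persistent_outbound(flows, set(chain["hosts"]))
        if exfil:
            alerts.append({"user": user, **chain,
                           "exfil": {f"{h}->{d}": v for (h, d), v in exfil.items()}})
    return alerts


if __name__ == "__main__":
    print("naive rule:", single_event_alerts(parse_flows(FLOW_LOG)))
    for a in correlate(AUTH_LOG, FLOW_LOG):
        print("correlated alert:", a)
```

Each source on its own is unremarkable: one accepted password login on a jump host, a handful of key-based hops by a service account, and nightly 40 MB transfers that no per-flow threshold would notice. Only the join across the login chain, the time span, and the per-destination persistence turns them into an alert, which is the connection that the organizations in the dwell-time statistics above never got to make.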
According to this Bleeping Computer article, “The threat actor claims to have hacked into T-Mobile's production, staging, and development servers two weeks ago, including an Oracle database server containing customer data. As proof that they breached T-Mobile's servers, the threat actors shared a screenshot of an SSH connection to a production server running Oracle.”
This is a developing story that our research team is actively monitoring. We will continue to post updates through our blog, including recommendations for companies concerned about persistent attacks.
Joe Malenfant is the Vice President of Product Marketing at Vectra. Joe and his team are responsible for creating differentiated positioning for Vectra’s solutions, providing clarity to prospects, customers, and partners. Joe has spent over 10 years driving innovation in cyber security, including endpoint detection and response, industrial control systems (ICS), IoT, and network security. He has launched category-defining products ranging from pure-play SaaS to hardware solutions for IT, IoT, and ICS environments. He regularly presents at industry conferences including RSA, Cisco Live, and IIoT World.
Prior to Vectra, he led marketing for Cisco’s Internet of Things business, a $1B portfolio spanning five product segments including cloud, networking, and security. Prior to joining Cisco in 2014, he led product and solutions marketing for Lockheed Martin’s commercial cyber security solutions through the acquisition of ICS security company Industrial Defender. Joe holds an MBA from Johnson & Wales in Providence, RI and an undergraduate degree from Concordia University in Montreal, Canada.