AT&T, one of the leading telecom service providers in the United States, recently confirmed a data breach that has affected a vast number of its wireless customers and customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network. The breach occurred when threat actors gained unauthorized access to an AT&T workspace on a third-party cloud platform. Between April 14 and April 25, 2024, the attackers were able to exfiltrate files containing AT&T records of customer call and text interactions.
The compromised data includes the telephone numbers with which an AT&T or MVNO wireless number interacted, including landline numbers and numbers belonging to customers of other carriers. The data also includes counts of these interactions and the aggregate call duration for a day or month. A subset of records additionally contained cell site identification numbers, from which an analyst could approximate where a customer was when a call or text was made. A cell site ID identifies the serving tower rather than a precise position, so the location it yields is approximate, but over many records it still reveals where a subscriber usually is.
This incident highlights how much can be extracted from call detail records (CDRs) in intelligence analysis. This type of data records who communicated with whom, when, and how often, without any of the content. According to Jake Williams, a former NSA hacker and faculty at IANS Research, the threat actors may have used data from previous compromises to map phone numbers to identities. Once numbers are resolved to people, the stolen data becomes a comprehensive picture of communication patterns and relationships.
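To make the metadata point concrete, the following is an added example (not code from the original article or from any party it describes). It runs a small link analysis over constructed, fictional records shaped like the fields the article describes: the pair of numbers, an interaction count, an aggregate duration, and, for a subset of rows, a cell site identifier. The cell-site register and the "leaked directory" used to turn numbers into names are hypothetical and stand in for the external data sources the analysis would draw on.

```python
"""Contact-graph and location inference from call-detail metadata.

Added example, not part of the original article. All records below are
constructed; numbers, sites and names are fictional.
"""
from collections import Counter, defaultdict

# Constructed records in the shape the article describes:
# (subscriber_number, peer_number, day, interaction_count, aggregate_seconds, cell_site_id)
# cell_site_id is None for rows that lacked it, mirroring the breached subset.
CDR_ROWS = [
    ("2025550101", "2025550142", "2024-04-15", 6, 1830, "CS-1017"),
    ("2025550101", "2025550142", "2024-04-16", 4, 900, "CS-1017"),
    ("2025550101", "3125550177", "2024-04-16", 2, 60, None),
    ("2025550101", "2025550188", "2024-04-17", 9, 2400, "CS-2210"),
    ("2025550142", "2025550188", "2024-04-17", 3, 420, "CS-2210"),
    ("2025550142", "4155550199", "2024-04-18", 1, 15, None),
    ("2025550188", "2025550101", "2024-04-18", 5, 1200, "CS-2210"),
]

# Hypothetical cell-site register: site id -> service area of that tower.
CELL_SITES = {
    "CS-1017": "Washington DC, Capitol Hill",
    "CS-2210": "Arlington VA, Rosslyn",
}

# Hypothetical directory assembled from earlier, unrelated leaks. This is the
# number-to-identity mapping step the article attributes to Jake Williams.
LEAKED_DIRECTORY = {
    "2025550101": "subscriber A",
    "2025550188": "subscriber B",
}


def build_contact_graph(rows):
    """Undirected weighted graph: number -> Counter(peer -> interaction count)."""
    graph = defaultdict(Counter)
    for subscriber, peer, _day, count, _secs, _site in rows:
        graph[subscriber][peer] += count
        graph[peer][subscriber] += count
    return graph


def top_contacts(graph, number, n=3):
    """Most frequent peers of `number`, as (peer, count) pairs."""
    return graph[number].most_common(n)


def shared_contacts(graph, a, b):
    """Peers that both a and b talk to: the link-analysis view of a relationship."""
    return sorted((set(graph[a]) & set(graph[b])) - {a, b})


def likely_service_area(rows, number):
    """Where `number` usually is when it communicates, from cell-site ids.

    Weighted by interaction count. Rows without a site id contribute nothing,
    which mirrors the partial coverage in the breached data. A tower gives an
    area, not a point, so the answer is deliberately coarse.
    """
    areas = Counter()
    for subscriber, _peer, _day, count, _secs, site in rows:
        if subscriber == number and site is not None:
            areas[CELL_SITES.get(site, site)] += count
    return areas.most_common(1)[0][0] if areas else None


def identify(number):
    """Resolve a number to a name via the hypothetical leaked directory."""
    return LEAKED_DIRECTORY.get(number, number)


if __name__ == "__main__":
    graph = build_contact_graph(CDR_ROWS)
    target = "2025550101"
    print(f"{identify(target)} most often contacts:")
    for peer, count in top_contacts(graph, target):
        print(f"  {identify(peer)} ({count} interactions)")
    print("usual area:", likely_service_area(CDR_ROWS, target))
    print("shared with 2025550142:",
          [identify(n) for n in shared_contacts(graph, target, "2025550142")])
```

Nothing in the input is message content; the contact ranking, the shared-contact link and the usual service area all fall out of counts, timestamps and tower ids alone, which is why records of this shape are valuable to an intelligence analyst even without names attached.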
AT&T’s list of MVNOs impacted by the breach includes numerous wireless service providers such as Black Wireless, Boost Infinite, Consumer Cellular, Cricket Wireless, FreedomPop, and others. AT&T did not name the third-party cloud platform involved, but Snowflake, the cloud data platform, confirmed that the incident is connected to the attacks on its customers. The same campaign against Snowflake customer accounts has already hit Ticketmaster, Santander, Neiman Marcus, and LendingTree, which gives a sense of its reach.
Upon becoming aware of the incident on April 19, 2024, AT&T activated its incident response process. The company is collaborating with law enforcement in the ongoing investigation, and one person reportedly connected to the breach has already been apprehended. AT&T also stated that the breached data does not include the content of calls or text messages, nor personal information such as Social Security numbers or dates of birth.
Nevertheless, the absence of customer names in the accessed data does not make it anonymous. Publicly available lookup tools can often link a telephone number to a name. AT&T advises its customers to remain vigilant against phishing, smishing (SMS phishing), and online fraud, to open text messages only from trusted senders, and to request the list of phone numbers that appear in their own call and text records within the illegally downloaded data.
The campaign against Snowflake customers affects as many as 165 organizations. It is financially motivated and has been attributed to a group tracked as UNC5537, whose members are based in North America and collaborate with an additional member in Turkey. The attackers have demanded ransom payments ranging from $300,000 to $5 million in exchange for the stolen data. The AT&T disclosure shows how far one cybercrime spree can cascade across organizations that share a platform.
Investigations into the Snowflake data thefts have found that the attackers obtained stolen credentials from dark web services that trade in usernames, passwords, and authentication tokens captured by infostealer malware. In at least one case, access was gained through a third-party contractor, EPAM Systems. Where an account had no second factor, a valid username and password captured by a stealer was enough to log in. To reduce the risk of such account takeovers, Snowflake has now introduced mandatory multi-factor authentication (MFA) for all administrators, and plans to enforce MFA for all users in newly created Snowflake accounts.
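The access pattern described above, a stolen password used without a second factor, is visible in login telemetry. The following is an added example (not code from the article, Snowflake, or any party named here) that runs a simple triage over constructed login records. The field names follow Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the rows, the corporate IP range and the administrator list are made up for the example, and the same logic applies to any platform whose login log records the authentication factors used.

```python
"""Triage of password-only logins, in the style of a Snowflake LOGIN_HISTORY review.

Added example, not part of the original article. Field names match the
LOGIN_HISTORY view; every row value below is constructed.
"""
import ipaddress

# Constructed login events. FIRST/SECOND_AUTHENTICATION_FACTOR and IS_SUCCESS
# are the columns that matter: PASSWORD with no second factor is single-factor.
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-04-14T03:12:09", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "10.20.0.15", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T09:41:50", "USER_NAME": "ACCOUNTADMIN_JDOE",
     "CLIENT_IP": "198.51.100.23", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T23:05:31", "USER_NAME": "ACCOUNTADMIN_JDOE",
     "CLIENT_IP": "203.0.113.77", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T08:00:02", "USER_NAME": "ANALYST_MK",
     "CLIENT_IP": "10.20.4.9", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T22:17:44", "USER_NAME": "ANALYST_MK",
     "CLIENT_IP": "203.0.113.77", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-15T22:18:10", "USER_NAME": "ANALYST_MK",
     "CLIENT_IP": "203.0.113.77", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]

# Hypothetical environment facts: where legitimate sessions come from, and
# which users hold administrative roles.
CORPORATE_RANGES = [ipaddress.ip_network("10.20.0.0/16")]
ADMIN_USERS = {"ACCOUNTADMIN_JDOE"}


def is_corporate(ip):
    """True if the client address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def is_password_only(row):
    """Single-factor password login: the case an infostealer dump is enough for."""
    return (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and row["SECOND_AUTHENTICATION_FACTOR"] is None)


def classify(row):
    """Return a severity label for a successful password-only login, else None.

    Failed attempts and key-pair, OAuth or MFA-backed logins are not findings.
    """
    if row["IS_SUCCESS"] != "YES" or not is_password_only(row):
        return None
    admin = row["USER_NAME"] in ADMIN_USERS
    external = not is_corporate(row["CLIENT_IP"])
    if admin and external:
        return "critical: admin password-only login from outside corporate ranges"
    if admin:
        return "high: admin password-only login"
    if external:
        return "high: password-only login from outside corporate ranges"
    return "medium: password-only login"


def audit(rows):
    """All findings as (timestamp, user, client_ip, label) tuples."""
    findings = []
    for row in rows:
        label = classify(row)
        if label is not None:
            findings.append((row["EVENT_TIMESTAMP"], row["USER_NAME"],
                             row["CLIENT_IP"], label))
    return findings


def users_needing_mfa(rows):
    """Users who have successfully logged in with a password alone: the
    enrollment list for an MFA-enforcement rollout."""
    return {r["USER_NAME"] for r in rows
            if r["IS_SUCCESS"] == "YES" and is_password_only(r)}


if __name__ == "__main__":
    for finding in audit(LOGIN_HISTORY):
        print(*finding)
    print("enforce MFA for:", sorted(users_needing_mfa(LOGIN_HISTORY)))
```

The failed attempt from 203.0.113.77 is deliberately not a finding on its own; it is the successful password-only login that follows from the same address that matters. `users_needing_mfa` is the practical output: the set of accounts that a stolen password alone would have unlocked, which is exactly the population an MFA mandate closes off.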
Overall, the AT&T data breach is a reminder of the persistent threats faced by the telecommunications sector and by any organization that keeps sensitive records on a shared cloud platform. It underscores the need for robust security measures, including mandatory MFA on cloud data platforms, continuous monitoring of logins and data access, effective incident response plans, and proactive defenses against credential theft. As connectivity becomes ever more ingrained in our lives, safeguarding personal information and the privacy and integrity of communication metadata is of paramount importance.