[BreachExchange] Telstra service provider hit by cyber attack as hackers claim SIM card information stolen

Destry Winant destry at riskbasedsecurity.com
Tue May 4 10:29:47 EDT 2021


https://www.theaustralian.com.au/breaking-news/telstra-service-provider-hit-by-cyber-attack-as-hackers-claim-sim-card-information-stolen/news-story/2ff32b2e3634506882102e9c9d012994

Hackers have claimed they have gained access to “tens of thousands” of SIM
cards after a cyber attack against an Australian telecom firm.

The victim, Melbourne-based Schepisi Communications, describes itself as a
“platinum partner” of Telstra that supplies phone numbers and cloud storage
services on behalf of the telecommunications giant.

The company’s website has been offline for days after a hacker group said
it infiltrated the company’s data systems and posted a disturbing ransom
note on the dark web.

“We have a large amount of data on mobile devices, tens of thousands of SIM
cards … financial information, contracts, banking information,” the ransom
note read.

Telstra confirmed there had been a security breach that affected one of its
“dealers”.

“We’ve been in contact with the dealer and been told some ‘high level’
Telstra business customer information, such as mobile phone numbers, may
have been accessed from its order fulfilment system,” a Telstra spokesman
said.

“We are getting more information but don't believe any sensitive personal
information was included.

“Our specialist cyber security team are working closely with the dealer to
help them resolve the issue.”

The spokesman added that Telstra had strict guidelines for how business
partners accessed customer data and said no Telstra systems were breached.

Excerpts of documents posted on the dark web as part of the extortion
attempt appeared to show customer phone numbers and addresses.

Among Schepisi’s customers that appeared to have had their information
exposed were global food conglomerate Nestle, a Melbourne radio station, an
Australian property management firm, and a financial services company based
in Victoria.

[Image caption: Part of the ransom note posted by hackers to the dark web.]

An archived version of Schepisi’s website from earlier this year shows the
company offers business clients access to and support for Telstra products
and services.

That includes helping businesses “migrate” their documents from physical
servers onto Telstra’s cloud storage service.

“A Telstra cloud service eliminates the need for businesses to have their
own servers because all business data is stored in virtual servers online,”
Schepisi’s website read.

The company also offers access to Telstra’s mobile phone plans for
businesses.

The hacker group’s ransom note was posted late last week and included a
ticking timer that was set to expire this weekend.

The criminals implored the company to “communicate and co-operate” before
then or “valuable company documents” would be leaked.

Brett Callow, threat analyst with the cyber security firm Emsisoft, said
the hackers were using a “triple-pronged” mode of attack by stealing data,
encrypting that information so that it couldn’t be accessed without the
hackers’ help, and shutting down the victim’s website.

“The targets have three problems with which to deal: their data has been
stolen, their systems have been locked and they’re under a DDoS attack,” Mr
Callow said.

DDoS means “distributed denial of service” and is a way to shut down a
website by flooding it with pointless data requests that overwhelm the
system.

“Companies in this situation are, unfortunately, without good options,” Mr
Callow said.

“They’ve had a data breach and that cannot be undone. Paying the
ransom simply gets them a promise that the stolen data will be deleted –
and, as that promise is coming from an untrustworthy bad faith actor, it
carries very little weight.”

The ransomware used in the attack was the same as the one used against a
Victorian high school last week.

After that attack, hackers uploaded excerpts of what they said were stolen
documents online, including one that appeared to bear the name of a student.

Victoria’s Department of Education and Training confirmed the school
incident, saying “a number of the school’s files” were impacted.

NCA NewsWire contacted Schepisi Communications for comment.