A1 Telekom, one of the largest Internet Service Providers in Austria and Bulgaria, recently admitted to a six-month-long compromise. The intrusion started in November 2019 with a malware infection, which was detected one month later. However, IT staff at A1 continued to battle the persistent attacker for months, finding additional backdoors that the attacker used to maintain control of the network until May 2020. A1 Telekom believes that it finally removed all of the attacker’s access on May 22. A security blogger who reported on the incident claims that the attack was attributed to a Chinese Advanced Persistent Threat (APT) group known as GALLIUM, but A1 has not confirmed the attribution. Microsoft issued a warning in December 2019 that GALLIUM was actively targeting telecommunications service providers around the globe. Even though the actor was in the network for six months, A1 stated that while the threat actor accessed databases, it does not believe any data was stolen, “because the thousands of databases and their relationships are by no means easy to understand for outsiders.” A1 has issued password resets and changed all keys on the databases.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in