A1 Telekom, one of the largest Internet Service Providers in Austria and Bulgaria recently admitted to a six-month-long compromise. The intrusion started in November of 2019 with a malware infection, which was detected one month later. However, IT staff at A1 continued to battle the persistent attacker for months, finding additional backdoors that the attacker used to maintain control of the network until May 2020. A1 Telekom believes that they finally removed all of the attacker’s access on May 22. A security blogger who reported on the incident claims that the attack was attributed to a Chinese Advanced Persistent Threat (APT) group known as GALLIUM, but A1 has not confirmed the attribution. Microsoft issued a warning in December 2019 that GALLIUM was actively targeting telecommunications service providers around the globe. Even though the actor was in the network for six months, A1 stated that while the threat actor accessed databases, they don’t believe any data was stolen, “because the thousands of databases and their relationships are by no means easy to understand for outsiders.” A1 has issued password resets and changed all keys on the databases.
Analyst Notes
This attack was the result of a long-lasting and persistent threat actor using malware and multiple backdoors. Binary Defense recommends the use of 24/7 monitoring of Endpoint Detection and Response (EDR) tools in order to detect malware infections and suspicious behaviors in the early stages of an attack before they spread to the entire network. The GALLIUM group typically targets vulnerabilities in web services such as WildFly or JBoss and installs web shells as an initial foothold into a network. The group follows a pattern of harvesting administrator credentials using Mimikatz and Windows Credential Editor, then moving laterally using tools such as PsExec to gain control over multiple workstations and servers. All of these behaviors quickly can be detected if security analysts have the visibility and capability to respond.
https://www.zdnet.com/article/hackers-breached-a1-telekom-austrias-largest-isp/
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
