In a significant security lapse, American telecom giant AT&T has disclosed that threat actors stole call and text records covering “nearly all” of its wireless customers. The exposure also extends to customers of the mobile virtual network operators (MVNOs) that run on AT&T’s wireless network.
Details of the Breach
The breach, which occurred between April 14 and April 25, 2024, involved unauthorized access to an AT&T workspace hosted on a third-party cloud platform. During this period, the threat actors exfiltrated files containing AT&T records of customer call and text interactions from May 1 to October 31, 2022, plus a smaller set of records from January 2, 2023.
The stolen files list the telephone numbers that AT&T and MVNO wireless numbers interacted with, including AT&T landline numbers and numbers on other carriers’ networks. The records also include the number of interactions and the aggregate call duration for each pair of numbers. For a subset of the records, the files contain cell site identification numbers, which could be used to approximate where a customer was during a call or text exchange.
AT&T has assured that they will notify current and former customers if their information was involved in the breach.
Expert Insights and Implications
Jake Williams, a former NSA hacker and current faculty member at IANS Research, highlighted the significance of the stolen data. He noted that call data records (CDR), which were among the exfiltrated information, are invaluable for intelligence analysis. These records can provide insights into communication patterns, revealing who is communicating with whom and when.
The list of impacted MVNOs includes notable names such as Black Wireless, Boost Infinite, Consumer Cellular, Cricket Wireless, FreedomPop, FreeUp Mobile, Good2Go, H2O Wireless, PureTalk, Red Pocket, Straight Talk Wireless, TracFone Wireless, Unreal Mobile, and Wing.
While AT&T did not disclose the name of the third-party cloud provider involved, Snowflake has since confirmed its connection to the breach. This incident also affected other high-profile customers of Snowflake, including Ticketmaster, Santander, Neiman Marcus, and LendingTree, as reported by Bloomberg.
Immediate Response and Ongoing Investigation
AT&T became aware of the security incident on April 19, 2024, promptly initiating a response. The company is actively cooperating with law enforcement to apprehend those responsible, and it has been reported that at least one individual has been arrested.
404 Media identified John Binns, a 24-year-old U.S. citizen previously detained in Turkey, as a suspect linked to the AT&T breach. Binns has a history of cyber offenses, including an indictment in the U.S. for hacking T-Mobile in 2021 and selling its customer data.
Despite the breadth of the breach, AT&T emphasized that the accessed information does not include the content of calls or texts, nor does it contain sensitive personal data such as Social Security numbers or dates of birth. However, they caution that publicly available online tools can sometimes be used to associate telephone numbers with customer names, posing additional risks.
AT&T has advised its customers to remain vigilant against phishing, smishing, and other forms of online fraud, urging them to only open text messages from trusted sources. Customers can also request information about the phone numbers of their calls and texts included in the compromised data.
The Wider Impact and Cybersecurity Measures
The malicious cyber campaign targeting Snowflake has reportedly affected as many as 165 customers. Mandiant, a Google-owned cybersecurity firm, has attributed the campaign to a financially motivated threat actor group known as UNC5537. This group operates primarily from North America, with collaboration from a member based in Turkey.
The hackers have demanded ransoms ranging from $300,000 to $5 million for the stolen data. The unfolding situation highlights the expansive and cascading consequences of such cybercrimes.
A recent report by WIRED detailed how the hackers behind these breaches obtained Snowflake credentials from dark web services that sell usernames, passwords, and authentication tokens harvested by infostealer malware. The Snowflake accounts they reached were protected by a password alone, so a stolen credential was enough to log in. In AT&T’s case, access was reportedly gained through credentials belonging to a third-party contractor, EPAM Systems.
In response, Snowflake has announced new security controls: administrators can now enforce multi-factor authentication (MFA) for every user in their account to reduce the risk of account takeover, and MFA will be required by default for all users in newly created Snowflake accounts.
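The two halves of that story, the password-only logins that stolen credentials unlock and the policy that closes the gap, can both be expressed in Snowflake SQL. The following is an added example written for this article, not code from AT&T, Snowflake, or any of the parties named above. It assumes the ACCOUNTADMIN role and access to the SNOWFLAKE.ACCOUNT_USAGE share; the policy names and the IP ranges are placeholders, and the property names follow Snowflake’s documentation at the time of writing, so check them against your account’s edition before running.

```sql
-- Added example (not AT&T's or Snowflake's own code): first hunt for the
-- weak pattern the Snowflake campaign abused, then close it with policies.
-- Assumptions: ACCOUNTADMIN role, ACCOUNT_USAGE share available, and the
-- policy names and CIDR ranges below are placeholders to be replaced.

-- 1. Detection: successful logins in the last 30 days that used a password
--    with no second factor. Every row is a user a stolen credential alone
--    would have opened. Note ACCOUNT_USAGE views lag live events by up to
--    two hours, so this is a hunt, not a real-time alert.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS password_only_logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3
ORDER  BY password_only_logins DESC;

-- 2. Hardening: an account-level authentication policy that forces every
--    password user to enrol in MFA at their next login. Placeholder name.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  AUTHENTICATION_METHODS = ('PASSWORD', 'SAML')
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('ANY')
  COMMENT = 'Added example: no password-only access to this account';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 3. Defence in depth: a stolen credential is useless from an address the
--    account will not talk to. Placeholder CIDRs (RFC 5737 documentation
--    ranges); replace with your corporate egress ranges.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only_policy;
```

Run the detection query before the policies so you know which service accounts and contractors will be affected; a network policy applied account-wide with the wrong ranges locks out administrators too, so attach it to a single test user (ALTER USER ... SET NETWORK_POLICY) and confirm you can still log in before promoting it to the account.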
Ransom Payment and Regulatory Oversight
AT&T has reportedly paid roughly $370,000 in cryptocurrency to a threat actor, believed to be a member of the ShinyHunters hacking group, in exchange for deleting what was claimed to be the “only copy” of the stolen data. The payment was reportedly made in May, and the hacker supplied a video as purported proof of deletion, a claim that cannot be independently verified.
The U.S. Federal Communications Commission (FCC) has stated that it is conducting an ongoing investigation into the AT&T breach, working in coordination with law enforcement partners to address the situation.
This incident underscores the critical importance of robust cybersecurity measures and the need for continuous vigilance in protecting sensitive customer information in an increasingly digital world. As the investigation progresses, AT&T and its customers remain on high alert, navigating the fallout of one of the most significant data breaches in recent history.