A1 Telekom Austria is the leading fixed and mobile network operator in Austria, with 5.4 million mobile and 2.3 million fixed-line customers.
The company has admitted having suffered a security breach after the revelation of a whistleblower named Libertas.
Libertas informed the local blogger Christian Haschek and a journalist from Heise.de about the A1 hack. Libertas is not the hacker who breached the company but rather an individual with insider knowledge of the telco operator.
A1 revealed having spent more than six months to lock out the intruders from its network.
The incident took place in November 2019, when systems at the company were infected with malware.
The company did not disclose details of the attack. The whistleblower speculates that the intruders were members of the Gallium group, a Chinese APT group that was most active between 2018 and mid-2019, when it targeted telecommunication providers worldwide.
A1 detected the malicious code in December 2019 and fought the threat until May 2020. The attackers had planted hidden backdoors throughout the company network.
At the time of publishing this report, it is not clear whether the attackers were nation-state actors or financially motivated hackers.
The ISP told Haschek that the malicious code only infected computers on its office network.
“According to the whistleblower, attackers gained access to more than 12,000 client systems which were all operated by A1. A1 said this was not true and just about a dozen devices were compromised and these were all in the Office space,” reads the blog post. “The number 12,000 systems was confirmed by A1 to be the whole number of devices they manage, not the number of compromised computers.”
Libertas claims the attackers exploited a vulnerability in an unspecified Microsoft product to breach the network.
A1 told German news site Heise the attacker did not access any sensitive customer data.
In response to the incident, the company has reset passwords for all its 8,000+ employees and has changed passwords and access keys for all its servers.
(SecurityAffairs – A1, hacking)