Telus, one of Canada’s largest telecommunications providers, is reportedly investigating a potentially major breach of its systems after a threat actor posted samples online of what the person claimed was sensitive data from the company.
The leaked data included what the adversary alleged was a sample of employee payroll records, source code from the telecom firm’s private GitHub repositories, and other information.
In a post on BreachForums, according to reports, the threat actor offered for sale an email database purporting to contain the email addresses of every employee at Telus. The price for the database was $7,000. Another database, supposedly containing payroll information of the top executives at the telco, including its president, was available for $6,000.
The threat actor also offered for sale, for $50,000, a data set that the person claimed included more than 1,000 private GitHub repositories belonging to Telus. The source code available for sale apparently included an API that would allow an adversary to do SIM-swapping — a process where attackers hijack another individual’s phone by transferring the number to their own SIM card.
A Full Breach?
“This is the FULL breach,” the alleged hacker wrote in the post on BreachForums. “You will receive everything associated with Telus,” including complete subdomain lists and screenshots of active sites, the post went on to say. It’s unclear whether any of the data that the alleged attacker appeared to have is authentic or belonged to Telus, as claimed. The service provider did not respond to multiple Dark Reading requests for comment.
That said, IT World Canada quoted a Telus spokesman as saying the company is currently investigating claims about a “small amount of data” related to the company’s source code and certain employees being leaked on the Dark Web.
If the breach at Telus happened as the threat actor claimed, it will be the latest in a string of attacks that have targeted telecom firms recently. Just since the beginning of the year, attackers have breached multiple major telecommunications firms, including three of Australia’s largest: Optus, Telstra, and Dialog. And earlier this month, researchers at SentinelOne reported observing a previously unknown bad actor targeting telecom firms in the Middle East in what appeared to be a cyber-espionage campaign.
Analysts believe a couple of factors are driving the trend. The widespread and growing use of mobile devices for multifactor authentication (MFA), for instance, has put a target on telecommunication companies and their networks. Financially motivated cybercriminals looking to access online accounts have also increasingly targeted telecom providers in so-called SIM-swapping attacks, hijacking phones to intercept the SMS codes used for two-factor authentication.
Another factor — a long-standing one — that has made telecom companies a big target is the opportunity they provide for adversaries to surveil people of interest. There have been numerous incidents in recent years where state-sponsored threat actors from countries that include Iran, Turkey, and China have broken into a telecom network to, among other things, steal call-data records for monitoring conversations of targeted individuals and groups.