Alleged state-sponsored Chinese hacking group Gallium hacked into Austrian ISP A1 Telekom and had unrestricted access to its database for six months
This is one hack that Austrians will remember for a long, long time. Not only was this hack effective, it also lasted a whole six months before being discovered. The hacked company was A1 Telekom, the largest internet service provider in Austria, and the culprit was allegedly a China-sponsored hacking group called Gallium.
Story of the A1 Telekom hack attack
A1 Telekom is one of the largest telecom companies in Austria. It owns a large variety of IT infrastructure, including FTTH connections, has annual revenue of about €2.5 billion and employs over 8,300 people. A1 Telekom has a virtual monopoly on providing mobile phone connections and Internet access in several remote parts of Austria.
Christian Haschek, the Austrian blogger and security researcher, blew the lid off the hack and the deliberate attempt by A1 Telekom executives to hide it. Haschek was informed about the attack by an insider/whistleblower called Libertas. As soon as Haschek went public with the A1 Telekom hack, the company admitted the data breach in a press statement. The company said that the hack started with a malware infection in November 2019. A1 said its security team detected the malware a month later, but that removing the infection and regaining control of the A1 Telekom web servers took a whole six months.
A1 Telekom told reporters that the complexity of its internal network prevented the hackers from accessing its other systems “because the thousands of databases and their relationships are by no means easy to understand for outsiders.” In a separate interview with the German news website Heise, A1 Telekom said that despite a serious compromise that lasted more than six months, the attacker did not get hold of any sensitive customer data.
Due to diplomatic considerations, A1 Telekom has not named the hackers. Haschek, however, is under no such constraint and has written on his blog that the China-sponsored hacking group Gallium was responsible for this prolonged attack. Haschek says he was informed about the hack by an A1 Telekom insider codenamed Libertas.
In Haschek’s words: “Libertas is the whistleblower who informed me and a journalist from Heise.de about the A1 hack. Libertas is not the hacker who infiltrated A1 but rather someone close to A1 with confirmed insider knowledge.”
Who is the Gallium hacking group?
The Gallium hacking group is believed to be a Chinese PLA-sponsored hacking group and has been known to security researchers for a long time. A Microsoft security team post specifically mentions that telecom companies are Gallium’s favorite targets. The post describes the group’s methods as follows:
“To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allow for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low-cost and easy-to-replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.”
In the case of the A1 Telekom hack, the Gallium hacking group reportedly infected the web servers with malware and installed web shells. This gave them a foothold from which to install additional tools and explore the Austrian ISP’s network for months before they were booted out.
A1 Telekom says that the malware only infected computers on its office network, not its entire IT system. It would be foolish to take that at face value, because the Gallium hacking group is known to scour the full breadth of the telecom companies it compromises for confidential information. And considering A1 Telekom has 15,000 workstations, 12,000 servers and thousands of applications, Gallium must have had a field day inside A1 Telekom’s systems. Haschek confirms on his blog that the whistleblower told him the hackers gained access to more than 12,000 client systems, all of which were operated by A1.
If Haschek is correct, this could be the greatest cover-up of a foreign hacking attack on the Austrian public key infrastructure. For reasons best known to itself, A1 Telekom has neither confirmed nor denied Haschek’s version of the hack.