Telecom service provider Pacnet, which was acquired last year by Telstra, has acknowledged that an undisclosed amount of customer data was exposed when Pacnet’s corporate network was hacked prior to the Telstra acquisition.
“Shortly after we completed the acquisition, we were advised that the corporate IT network of Pacnet — essentially the email and other business management systems — had been accessed by an unauthorized third party,” Telstra chief security officer Mike Burgess said in a statement.
Telstra’s security experts determined that the hackers had leveraged a SQL vulnerability to access Pacnet’s corporate network, then uploaded malware that was used to steal admin and user login credentials.
“We immediately addressed the security vulnerability that allowed access to the network, removed all known malicious software and put in place additional monitoring and incident response capabilities that we routinely apply to all of our networks,” Burgess said.
“We have not been able to tell from forensic information or system logs what has been taken from the network,” Burgess told The Australian. “But… it is clear that they had complete access to the corporate network, and that’s why we are telling customers.”
“While we will look into who was behind the breach, we may never know, as attribution is very difficult,” Burgess added. “We have not had any contact from the perpetrators, nor do we know the reason behind this activity.”
Rapid7 global security strategist Trey Ford told eSecurity Planet by email that the incident demonstrates that acquisitions are by nature high risk operations. “There really is no way to know everything you have inherited prior to the transaction closing,” he said. “Acquisition due diligence from a security standpoint is usually focused on the existence of security controls and compliance programs, and I wouldn’t be surprised if we start seeing more focused incident detection exercises before purchase.”
“That said, routine scanning should have detected a SQL injection vulnerability — and finding and closing Internet exposed vulnerabilities should be top priority [for] technology teams,” Ford added.
Ford also noted that questions remain about whether the incident has been fully resolved. “If you don’t know how long an attacker has been in your network or what they have taken, the difficulty of removing the attacker(s) can be enormous,” he said. “To be clear — telecom service providers are interesting to all attackers, including nation state actors, making it even more critical for this sector to be aware of potential risks and vulnerabilities.”
And STEALTHbits strategy and research officer Jonathan Sander said by email that everyone should know by now that they will be breached at some point. “The real question will be: what is going to be easy to grab as the bad guys run free through your network? Call it defense in depth, layered response, or simply least privilege, but regardless of what you call it or how you structure it, companies need to pay attention to the locks on the doors inside the network,” he said.