Telecommunications providers keep the world connected through phone calls, emails, the Internet, and television. It’s easy to take telecommunications services for granted until they suffer disruptions. The absence of these crucial services for just a few minutes quickly highlights how intrinsic they are to daily life in all societies.

The fact that telecom companies facilitate communication on a global scale makes them a prime target for sophisticated ransomware attacks that take services offline. Both nation-sponsored and for-profit ransomware gangs have huge incentives to target companies providing these services. This article looks at the state of ransomware in telecommunications.

The Perfect Storm for Ransomware in Telecommunications

The critical nature of services provided within the telecommunications sector is just one aspect of a perfect storm for ransomware attacks. Another feature that marks telecom providers and operators as attractive targets is the volume of customer data they store in their systems. Threat actors specializing in ransomware can encrypt multiple IT assets at target organizations and demand large payments for the keys to unlock those assets.

One widely cited industry forecast predicted that in 2021 a business somewhere in the world would fall victim to a ransomware attack every 11 seconds, with the total cost of ransomware for the year estimated at $20 billion. These costs stem from breaches of sensitive data, ransomware recovery, downtime, and legal fees.

Recent Ransomware Attacks on Telecommunications Companies

There has been a spate of ransomware attacks in the telecommunications sector within the last couple of years. Common to several of these attacks is a double extortion ransom demand with pre-encryption data exfiltration. It’s clear that threat actors regard this sector as a lucrative target in which it’s optimal to leave victims with little option but to pay.

Corporación Nacional de Telecomunicaciones, July 2021

Corporación Nacional de Telecomunicaciones (CNT) is a state-run telecommunications corporation based in Ecuador. CNT’s services span the full gamut of modern telecom services, including fixed-line phone service, mobile, satellite television, and internet. A notice in mid-July informed customers that payment portals and customer care were no longer accessible due to a cyber attack. It’s believed the group behind the attack on CNT was RansomEXX. The ransom note that BleepingComputer gained access to mentioned 190 gigabytes of stolen data that RansomEXX threatened to publish if its ransom demand remained unmet. Screenshots of the stolen data indicated it was mostly contracts and support logs.

RansomEXX has previously targeted several other large organizations in South America. Often, the operators use purchased stolen credentials and exploit poor password hygiene to gain a foothold, move laterally through the network, and then encrypt multiple servers and workstations at once. The gang has also developed a Linux version of its ransomware so that it can hit the virtualization hosts and Linux servers that many environments depend on, not just Windows machines.

Schepisi Communications, May 2021

Schepisi Communications is a telecom provider that provides services to high-level enterprise customers on behalf of the Australian telecommunications giant Telstra. In May 2021, a dark web disclosure identified Schepisi Communications as a ransomware victim with a threat to publish valuable company documents if the ransom wasn’t paid.

The dark web leak site went into further detail with screenshots of compromised phone numbers, customer names, SIM codes, and IMEI numbers. A countdown of 240 hours was displayed, after which the perpetrators threatened to start releasing the stolen data. The group behind the Schepisi incident was Avaddon, and they target both Windows and Linux systems.

An interesting feature of Avaddon ransomware attacks is a concerted effort to delete backups and disable any recovery options for victims. It’s clear Avaddon wants to maximize the chance of receiving payment by giving victims no option to restore data and infrastructure from backups.
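The backup-deletion behaviour described above is one of the few ransomware steps that is loud enough to catch before encryption starts, because it relies on built-in Windows administration tools. The following detection pass is an added example, not code from the article or from any vendor: it scans constructed process-creation log lines (in the style of Sysmon Event ID 1 or Security event 4688) for the commands ransomware commonly uses to delete Volume Shadow Copies, wipe backup catalogs and disable boot recovery, then raises the severity when several distinct tampering commands fire on one host. The log format, host names and the exact command patterns are assumptions chosen for illustration.

```python
"""Detect backup and recovery tampering in process-creation logs.

Added illustration, not the article's or any product's code. Ransomware
families that want to deny recovery typically run vssadmin, wmic, wbadmin
and bcdedit with the arguments matched below; the sample events and the
'key=value' log format are constructed for this example.
"""
import re
from dataclasses import dataclass

# Each rule: (name, regex applied to the whitespace-normalised, lower-cased command line)
RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vss_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize=")),
    ("wmic_shadow", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("wbadmin_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("bcdedit_recovery", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("bcdedit_ignorefail", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures")),
]

# Constructed sample events: one file server being prepared for encryption,
# plus two benign lines that must not alert.
SAMPLE_EVENTS = [
    'ts=2021-05-03T02:14:07Z host=AU-FS01 user=CORP\\svc_backup image="C:\\Windows\\System32\\vssadmin.exe" cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2021-05-03T02:14:09Z host=AU-FS01 user=CORP\\svc_backup image="C:\\Windows\\System32\\wbem\\WMIC.exe" cmd="wmic.exe shadowcopy delete"',
    'ts=2021-05-03T02:14:11Z host=AU-FS01 user=CORP\\svc_backup image="C:\\Windows\\System32\\bcdedit.exe" cmd="bcdedit.exe /set {default} recoveryenabled No"',
    'ts=2021-05-03T02:14:12Z host=AU-FS01 user=CORP\\svc_backup image="C:\\Windows\\System32\\wbadmin.exe" cmd="wbadmin.exe delete catalog -quiet"',
    'ts=2021-05-03T02:15:30Z host=AU-WS22 user=CORP\\jsmith image="C:\\Windows\\System32\\vssadmin.exe" cmd="vssadmin.exe List Shadows"',
    'ts=2021-05-03T02:16:00Z host=AU-WS23 user=CORP\\mlee image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" cmd="OUTLOOK.EXE"',
]


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    command: str


def parse_event(line):
    """Parse a 'key=value' line (values may be double-quoted) into a dict."""
    fields = {}
    for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line):
        fields[m.group(1)] = m.group(2).strip('"')
    return fields


def scan(lines):
    """Return one Alert per (event, matching rule)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        norm = re.sub(r"\s+", " ", cmd.lower())
        for name, rx in RULES:
            if rx.search(norm):
                alerts.append(Alert(ev.get("host", "?"), ev.get("user", "?"), name, cmd))
    return alerts


def summarize(alerts, threshold=2):
    """Group alerts per host; >= threshold distinct tampering rules on one host is 'high'."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a.host, set()).add(a.rule)
    return {h: ("high" if len(r) >= threshold else "medium", sorted(r)) for h, r in per_host.items()}


if __name__ == "__main__":
    for host, (severity, rules) in summarize(scan(SAMPLE_EVENTS)).items():
        print(f"{host}: {severity} ({', '.join(rules)})")
```

In practice the single-command rules are noisy on their own, because backup software and administrators legitimately resize shadow storage or list shadow copies; the per-host correlation is what turns them into a usable alert, and `vssadmin List Shadows` in the sample is deliberately left unflagged for that reason.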

Telecom Argentina, July 2020

Telecom Argentina is one of the country’s largest internet service providers. In July 2020, Telecom Argentina revealed details of a serious ransomware attack that came with a ransom demand of $7.5 million to decrypt more than 18,000 infected systems. The attack focused on the company’s call center and targeted workstations used by call center employees.

Stolen admin credentials provided the initial entry point and means by which the hackers could infect so many systems. It’s heavily rumored that phishing emails were used to dupe privileged users into revealing their credentials. Ultimately, the Telecom Argentina attack didn’t disrupt critical Internet services for customers, and the IT team was able to contain the damage.

Orange, July 2020

Orange is a French telecommunications company and one of Europe’s largest mobile phone operators. In July 2020, Orange confirmed a successful ransomware attack that compromised data belonging to the company’s enterprise customers. Enterprise solutions offered by Orange include remote support, virtual workstations, and cloud backups.

The Nefilim ransomware family was behind this particular attack. Nefilim operators target vulnerabilities and poor security practices in exposed remote access services. Once inside the network, they almost always steal data before encrypting files with AES-128, with the file keys in turn protected by an RSA public key so that only the operators can recover them.

The exfiltrated data from twenty of Orange’s enterprise clients in this incident included emails and intellectual property. According to a statement in the incident’s immediate aftermath, “Affected customers have already been informed by Orange teams.”

Combating the Phishing Problem

Phishing emails remain a significant initial attack vector for ransomware incidents. By either targeting specific individuals within an organization or conducting generic phishing campaigns, hackers write emails that convince targets to disclose credentials, click suspicious links, or download malicious attachments.

The Telecom Argentina attack demonstrated that phishing is a problem that extends to the telecommunications sector. Phishing campaigns deliver a quick return on investment for hackers because they are not technically challenging to conduct. Here are some ways to combat this problem and prevent future attacks, whether you’re in telecommunications or any other sector:

  • Teach users how to spot the signs of a phishing attack and encourage them to report suspicious emails.
  • Conduct simulated phishing attacks to gauge the current level of awareness around phishing emails among your workforce.
  • Use advanced email security solutions that can leverage artificial intelligence to filter out, flag, or quarantine phishing emails.
  • Clearly establish a corporate security policy specifying appropriate user actions, such as not opening email attachments from untrusted sources and never disclosing login credentials by email or on a page reached from an email link.
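As an added example of the kind of filtering the third item above refers to (this is illustration code, not the article's or IRONSCALES' own logic), the following triage pass parses two constructed messages with Python's standard `email` module and scores them on indicators a gateway can evaluate before delivery: a look-alike sender domain, a display name that impersonates an internal team, a Reply-To pointing elsewhere, a failed SPF/DKIM/DMARC check stamped by the receiving mail server, and credential-harvesting language next to a link. The protected domain `example-telco.com`, the weights and the verdict thresholds are assumptions.

```python
"""Rule-based phishing triage for inbound mail.

Added illustration, not code from the article or any vendor. The two
messages, the protected domain 'example-telco.com', the indicator weights
and the verdict thresholds are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-telco.com"  # assumed protected domain
LURE_WORDS = ("verify your password", "login credentials", "account suspended",
              "confirm your account", "urgent", "click here")
WEIGHTS = {"lookalike_domain": 2, "display_name_spoof": 2, "replyto_mismatch": 1,
           "auth_fail": 2, "credential_lure": 2}

# Constructed sample: a credential-phish impersonating the internal helpdesk.
PHISH = """From: "Example-Telco IT Support" <helpdesk@examp1e-telco.com>
Reply-To: recovery@mail-reset.example.net
To: agent@example-telco.com
Subject: Urgent: verify your password
Authentication-Results: mx.example-telco.com; spf=fail smtp.mailfrom=examp1e-telco.com
Content-Type: text/plain; charset="utf-8"

Your account suspended pending review. Click here to verify your password:
https://portal-reset.example.net/login
"""

# Constructed sample: ordinary internal mail that must be delivered untouched.
CLEAN = """From: "Maria Lopez" <maria.lopez@example-telco.com>
To: agent@example-telco.com
Subject: Shift roster for next week
Authentication-Results: mx.example-telco.com; spf=pass smtp.mailfrom=example-telco.com; dkim=pass
Content-Type: text/plain; charset="utf-8"

Hi all, the roster is on the intranet as usual. Thanks!
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def text_body(msg):
    """Concatenate the text/plain parts of a message, lower-cased."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for p in parts:
        if p.get_content_type() == "text/plain":
            payload = p.get_payload(decode=True) or b""
            chunks.append(payload.decode(p.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks).lower()


def score_message(raw):
    """Return {'score', 'reasons', 'verdict'} for one RFC 822 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []
    # 1. Sender domain is close to ours but not ours (e.g. digit '1' for letter 'l').
    if from_dom and from_dom != CORP_DOMAIN and edit_distance(from_dom, CORP_DOMAIN) <= 2:
        reasons.append("lookalike_domain")
    # 2. Display name claims an internal identity while the address is external.
    lname = name.lower()
    if from_dom != CORP_DOMAIN and (CORP_DOMAIN.split(".")[0] in lname or "it support" in lname):
        reasons.append("display_name_spoof")
    # 3. Replies are steered to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append("replyto_mismatch")
    # 4. Authentication results stamped by the receiving MTA.
    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        reasons.append("auth_fail")
    # 5. Credential-harvesting language combined with a link.
    body = text_body(msg)
    if any(w in body for w in LURE_WORDS) and re.search(r"https?://", body):
        reasons.append("credential_lure")
    score = sum(WEIGHTS[r] for r in reasons)
    verdict = "quarantine" if score >= 4 else "flag" if score >= 2 else "deliver"
    return {"score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(label, score_message(raw))
```

The Authentication-Results check only means something if the header was written by your own mail server; an attacker can include a forged one in the message, so a real gateway must strip any copy that arrives from outside before stamping its own. Likewise, the edit-distance rule deliberately requires the domain to differ from the protected one, otherwise every legitimate internal message would be penalised.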

Wrapping Up

Maintaining a healthy cybersecurity posture is a huge challenge for telecommunications companies in the current landscape. The intersection with critical infrastructure and sensitive data means the threat of ransomware in this sector is unlikely to decline any time soon. Despite the increasingly sophisticated ransomware strains hitting companies, initial attack vectors are often surprisingly simple: stolen or phished credentials and exposed remote access. Getting the basics right, including applying updates on time, defending against phishing, requiring multi-factor authentication for remote and administrative access, and keeping backups that an intruder holding domain credentials cannot delete, can stop many ransomware attacks in their tracks.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.

September 3, 2021