A1 Telekom, the largest internet service provider in Austria, has revealed a security breach that began in November 2019. The company was infected with malware that month, and its security team detected the malware a month later.
From December 2019 to May 2020, the security team fought the malware operators to remove all of their hidden backdoor components and eject the intruders.
A1 did not reveal the nature of the malware, nor did it say whether the attackers were a financially motivated gang or a nation-state hacking group.
The ISP stated that the malware infected only computers on its office network, not its entire IT estate, which comprises more than 15,000 workstations, 12,000 servers, and thousands of applications.
The attacker apparently took manual control of the malware and tried to expand the initial foothold on a few systems into the company's entire network. The cyber criminals also managed to compromise some databases and ran database queries to map the company's internal network.
At a press briefing, A1 said that the complexity of its internal network prevented the attacker from reaching the other systems: the thousands of databases and the relationships between them are very difficult for an outsider to understand.
Even though the compromise was serious and lasted more than six months, the attacker did not obtain any sensitive customer data.
The Austrian ISP got the hackers out of its network last month, on May 22. It then reset the passwords of its 8,000+ employees and changed the passwords and access keys for all of its servers.
Christian Haschek, an Austrian blogger and security researcher, was in contact with the whistleblower who exposed the breach, after which the ISP admitted it. He reported that the whistleblower attributed the hack to Gallium, a Chinese nation-state hacking group that specializes in compromising telecom providers worldwide. A1 did not comment on this attribution.