Telecoms Industry Ransomware Victims

Copper Horse’s Rohan Panesar takes a high-level look at publicly available ‘claimed’ ransomware attacks against the Telecoms sector.

The number of ransomware groups targeting telecommunication companies has grown in recent years. Details of attacks are often difficult to obtain, but we have compiled this high-level list of observed publicly available ransomware attacks on telecom companies. Obviously these are news reports and Copper Horse has not independently verified those claims.

Victims

Portugal Telecom

• 2017
• https://www.reuters.com/article/us-portugal-cyber-idUSKBN1882AP
• WannaCry
• Ransom demanded in BTC

Saudi Telecom Company

• 2017
• Saudi Arabia
• WannaCry
• Denied that main network operations and systems were affected, just personal devices
• https://www.reuters.com/article/us-cyber-attack-saudi-idUSKCN18A0TI

Telkom

• 2017
• South Africa
• WannaCry
• “Crippled by WannaCry Ransomware”
  • Massive outages and reduced access to services

• Apparently also hit in 2020
• https://mybroadband.co.za/news/security/354295-telkom-outages-caused-by-ransomware-attack-sources.html

Vivo

• 2017
• Brazil
• Subsidiary of Telefonica
• WannaCry
• https://igarape.org.br/brazil-struggles-with-effective-cyber-crime-response/

Telefonica

• 2017
• Spain
• WannaCry
• “Now that the cyber criminals know they can hit the big guys, they will start to target big corporations.”
  • https://www.reuters.com/article/us-spain-cyber/telefonica-other-spanish-firms-hit-in-ransomware-attack-idUSKBN1881TJ
• Potentially an indication that big corporations are being targeted more often
• Payment in BTC

O2 Germany

• https://www.dw.com/en/major-ransomware-attack-strikes-worldwide-targets/a-38824123
• 2017
• WannaCry
• Owned by Telefonica

Sri Lankan listed telco hit by ransomware

• https://www.ft.lk/front-page/SL-listed-companies-telcos-hit-by-ransomware-in-2020-ICTA-Chief/44-727132
• 2020
• Sri Lanka
• The name of the company/companies that were targeted haven’t been released

Bretange Telecom

• https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/
• Feb 2020
• French Telco
• DoppelPaymer ransomware group
• Exploited the Citrix ADC Flaw
• ~30TB of encrypted data
• 35BTC ($330k at the time) in ransom demanded
• Also stole data

Argentina Telecom

• https://www.welivesecurity.com/2020/07/21/telecom-argentina-hit-major-ransomware-attack/
• July 2020
• Criminals demanded $7.5 million in Monero
• “The payload was delivered in an email attachment that was downloaded and opened by one of the employees. Ultimately, the attackers hijacked an internal Domain Admin and used it to spread the infestation to over 18,000 workstations.” 
• Potentially Sodinokibi aka REvil ransomware
  • Claimed responsibility in deleted tweet

Orange France

• https://www.bitdefender.com/blog/hotforsecurity/orange-confirms-ransomware-attack-compromising-data-of-business-solutions-customers
• July 2020
• Netfilim Ransomware

Schepisi Communications

• https://www.bankinfosecurity.com/ransomware-hits-australian-telecom-provider-telstras-partner-a-16524
• May 2021
• Australia
• Stole SIM card data
• Avaddon ransomware group claimed credit
  • Group has historically leveraged use of DDOS attack to make victims pay ransoms

Corporación Nacional de Telecomunicación (CNT)

• https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/
• July 2021
• Ecuador
• State-run telco
• RansomEXX

Subex

• https://www.securitynewspaper.com/2022/01/10/ransomware-group-hacks-telecom-analytics-firm-subex-and-its-cybersecurity-subsidiary-sectrio/
• 10 January 2022
• Telecoms analytics company
  • Also hacked their cybersecurity subsidiary Sectrio
• Ragnar Locker group
• “Double extortion tactic”
  • Attacker steals sensitive data first, then triggers encryption attack. Threatening to leak the stolen data if ransom isn’t paid
  • Other resources call this the “lock and leak” method

Vodafone Portugal

• https://therecord.media/cyberattack-brings-down-vodafone-portugal-mobile-voice-and-tv-services/
• February 2022
• Potential ransomware
• “Vodafone did not disclose details on the attack, but the outages and the unavailability of its systems suggest that the company was hit by a ransomware attack.”
  • https://securityaffairs.co/wordpress/127799/cyber-crime/vodafone-portugal-massive-cyberattack.html

Actors

As well as information of victims, we have also seen ransomware groups and actors that have targeted telecom organisations at some point during their operation.

BlackCat

• https://unit42.paloaltonetworks.com/blackcat-ransomware/
• Aka ALPHV
• Surfaced in Nov 2021
• Operators would allow affiliates to leverage the ransomware
  • Affiliates would use the BlackCat ransomware and keep 80-90% of the profits
• Victims include telcos, pharmacies, insurance and many more sectors
• Finds affiliates through cybercrime forums and groups
• Use the double extortion technique

Ragnar_Locker

• https://www.cybersecurity-insiders.com/ragnar-locker-ransomware-strikes-a-cybersecurity-firm/
• 2022
• Involved with the Subex attack
• Operate within victim’s network, “living off the land” to remain undetected
• Hides inside a windows XP VM
  • https://www.telecomtoday.in/top-stories/ragnar-locker-ransomware-hides-inside-a-virtual-machine-sophoslabs.html/

Telecommunication companies provide critical services that stretch across entire countries, if not globally. Both state-sponsored and private hackers both value the information that telcos hold, as well as understanding that disruption to these networks can be catastrophic. This makes them perfect targets for ransomware actors. It is likely that this list is merely the tip of the iceberg.