CyberSecurity news

FlagThis - #Telecom

Pierluigi Paganini@Security Affairs //
African multinational telecommunications company, MTN Group, has disclosed a cybersecurity breach that exposed the personal information of some of its subscribers. The breach has raised significant concerns about data security and the potential regulatory and legal repercussions the company may face. MTN operates across various African markets and is therefore subject to stringent national data protection laws, such as South Africa’s Protection of Personal Information Act (POPIA) and Nigeria’s Data Protection Regulation (NDPR). These regulations mandate strict data handling and security measures, with non-compliance potentially leading to substantial fines and legal actions.

MTN's immediate response included collaboration with law enforcement, specifically the South African Police Service and the Directorate for Priority Crime Investigation, underscoring the seriousness of the situation. While MTN has assured stakeholders that its core networks and financial systems remain secure, the incident has nonetheless triggered concerns about the overall robustness of the company's cybersecurity defenses. An investigation is currently underway to determine the full scope and impact of the breach, as the company seeks to understand how the attackers were able to compromise customer data.

The breach poses a significant challenge to MTN's brand reputation and customer trust, particularly given its extensive subscriber base of nearly 300 million users. Restoring confidence will require transparent communication with affected customers and the implementation of robust cybersecurity measures to prevent future incidents. The company has already begun notifying impacted customers and is working to comply with all local legal and regulatory obligations. While the precise financial consequences of the breach are still unknown, the incident highlights the growing threat of cyberattacks against telecommunications companies and the critical importance of maintaining strong data protection practices.


@www.ic3.gov //
The FBI has issued a public appeal for information regarding a widespread cyber campaign targeting US telecommunications infrastructure. The activity, attributed to a hacking group affiliated with the People's Republic of China and tracked as 'Salt Typhoon,' has resulted in the compromise of multiple U.S. telecommunications companies and others worldwide. The breaches, which have been ongoing for at least two years, have led to the theft of call data logs, a limited number of private communications, and the copying of select information subject to court-ordered U.S. law enforcement requests. The FBI is seeking information about the individuals who comprise Salt Typhoon and any details related to their malicious cyber activity.

The FBI, through its Internet Crime Complaint Center (IC3), is urging anyone with information about Salt Typhoon to come forward. The agency's investigation has uncovered a broad and sophisticated cyber operation that exploited access to telecommunications networks to target victims on a global scale. In October, the FBI and CISA confirmed that Chinese state hackers had breached multiple telecom providers, including major companies like AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream, as well as dozens of other telecom companies in numerous countries.

In an effort to incentivize informants, the U.S. Department of State’s Rewards for Justice (RFJ) program is offering a reward of up to US$10 million for information about foreign government-linked individuals participating in malicious cyber activities against US critical infrastructure. The FBI is accepting tips via Tor in a likely attempt to attract potential informants based in China. The agency has also released public statements and guidance on Salt Typhoon activity in collaboration with U.S. government partners, including the publication of 'Enhanced Visibility and Hardening Guidance for Communications Infrastructure.' Salt Typhoon is also known by other names such as RedMike, Ghost Emperor, FamousSparrow, Earth Estries, and UNC2286.


Pierluigi Paganini@Data Breach //
SK Telecom, a major mobile network operator in South Korea, is grappling with the aftermath of a significant cyberattack that compromised the USIM data of approximately 23 million subscribers. The breach, discovered on April 19th, involved malware infiltration that allowed attackers to steal sensitive customer information, including mobile phone numbers and device identification numbers (IMEI). This stolen data poses significant risks to affected users, including potential identity theft and SIM swap attacks, where criminals can hijack a victim's phone number to gain access to personal and financial accounts.

In response to the widespread data breach, SK Telecom has announced a program to provide free SIM card replacements to all 25 million of its mobile customers. This initiative aims to mitigate the risk of SIM swapping and other fraudulent activities by replacing compromised SIM cards with secure ones. However, the company faces logistical challenges, with only 6 million SIM cards available for immediate replacement through May. This shortage raises concerns about the timeline for fully addressing the vulnerability and protecting all affected subscribers.

The cyberattack has had a substantial impact on SK Telecom, leading to customer anxiety, a loss in market capitalization estimated at $643 million, and potential subscriber attrition. The South Korean Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) have launched an on-site investigation at SK Telecom's headquarters, signaling the seriousness of the breach and the regulatory scrutiny the company now faces. While SK Telecom is implementing measures to restore customer trust, the incident serves as a wake-up call for the telecommunications industry, highlighting the need for robust cybersecurity practices and proactive security measures.


Pierluigi Paganini@securityaffairs.com //
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. This nascent ransomware gang’s breach purportedly compromised over 403,000 WOW! user accounts, pilfering data including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.



The attackers boast of full backend control and have even created a music video montage to demonstrate their level of access. Additionally, they claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the attack's origins to an infostealer infection in September last year that enabled access to WOW!'s critical systems.


drewt@secureworldexpo.com (Drew Todd)@SecureWorld News //
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.

Salt Typhoon gains initial access through stolen credentials and by exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.


@www.bleepingcomputer.com //
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially motivated cybercrime.

These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.
