CyberSecurity news

FlagThis - #telecom

Bill Toulas@BleepingComputer //
South Korea's largest mobile operator, SK Telecom, is grappling with the aftermath of a malware attack that has potentially exposed the sensitive Universal Subscriber Identity Module (USIM) data of its customers. The company detected the breach on Saturday, April 19, 2025, at 11 PM local time, prompting immediate action to delete the malware and isolate affected equipment. While SK Telecom has not confirmed any misuse of the compromised data thus far, the incident raises significant concerns about the security of customer information and the potential for identity theft and fraud. Millions of SK Telecom customers are potentially at risk following USIM data compromise.

The compromised USIM data acts as a key to a customer's digital identity, and unauthorized access can enable threat actors to impersonate individuals and access sensitive personal and financial information. This vulnerability extends to the potential for SIM card cloning, where fraudsters can duplicate USIMs to intercept calls, messages, and data for illegal activities. As the largest mobile carrier in South Korea, serving over 29 million subscribers, SK Telecom's breach highlights broader vulnerabilities within the telecommunications infrastructure. The incident has prompted calls for strengthened cybersecurity protocols across the industry to prevent future attacks of this nature.

The SK Telecom malware attack serves as a crucial lesson for the entire telecom industry, underscoring the need for robust security measures and regulatory compliance. The potential risks associated with USIM data exposure, including identity theft, fraud, and broader infrastructure vulnerabilities, emphasize the importance of protecting personal identity information stored on USIMs. This incident highlights the importance of strengthening cybersecurity protocols across the industry to protect against similar threats. In response, government agencies are expected to launch investigations and reassess regulatory frameworks to ensure the security and privacy of customer data in the telecommunications sector.

Recommended read:
References :
  • cyberinsider.com: SK Telecom Says Malware Incident Leaked Customer USIM Data
  • securityaffairs.com: SK Telecom warned that threat actors accessed customer Universal Subscriber Identity Module (USIM) info through a malware attack.
  • BleepingComputer: SK Telecom Warns Customer USIM Data Exposed in Malware Attack
  • The DefendOps Diaries: Understanding the SK Telecom Malware Attack: Lessons for the Telecom Industry
  • bsky.app: Bsky post on SK Telecom warns customer USIM data exposed in malware attack
  • Talkback Resources: Korean Telco Giant SK Telecom Hacked [mal]
  • bsky.app: Hackers access sensitive SIM card data at South Korea's largest telecoms company
  • Graham Cluley: Mobile network operator SK Telecom, which serves approximately 34 million subscribers in South Korea, has confirmed that it suffered a cyber attack earlier this month that saw malware infiltrate its internal systems, and access data related to customers' SIM cards.

Pierluigi Paganini@securityaffairs.com //
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. Arkana Security also claims the hack of US telco provider WideOpenWest (WOW!). This nascent ransomware gang’s breach purportedly compromised over 403,000 WOW! user accounts, pilfering data, including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.



The attackers boast of full backend control and have even created a music video montage to demonstrate their level of access. Additionally, they claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the attack's origins to an infostealer infection in September last year that enabled access to WOW!'s critical systems.

Recommended read:
References :
  • Cyber Security News: The largest US internet provider, WideOpenWest (WOW!), is allegedly compromised by Arkana Security, a recently discovered ransomware group.
  • securityaffairs.com: Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!), stealing customer data.
  • www.scworld.com: WideOpenWest purportedly breached by nascent ransomware gang
  • CyberInsider: Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
  • BleepingComputer: The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data.
  • Information Security Buzz: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US. The malicious actors boasted they had full backend control and even put a music video montage together to illustrate exactly how much access they had.
  • DataBreaches.Net: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
  • PCMag UK security: Hacking group Arkana Security gives WideOpenWest (WOW!) until 5 p.m. PST today to pay a ransom, or it will sell customer data to the highest bidder. WOW! says it's investigating.
  • The Register - Security: Cyber-crew claims it cracked American cableco, releases terrible music video to prove it
  • www.csoonline.com: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US.
  • Talkback Resources: Arkana Security group claims the hack of US telco provider WideOpenWest (WOW!)
  • www.pcmag.com: Cybercrime Gang Says It Hacked This US ISP, Stole Info on 403K Customers
  • www.scworld.com: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)

drewt@secureworldexpo.com (Drew Todd)@SecureWorld News //
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.

Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.

Recommended read:
References :
  • bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
  • www.bleepingcomputer.com: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Anonymous ???????? :af:: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Carly Page: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
  • SecureWorld News: Chinese cyber espionage group Salt Typhoon has made headlines in the last year, breaching major , including AT&T, Verizon, and Lumen Technologies.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
  • gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
  • www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants

@www.bleepingcomputer.com //
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially-motivated cybercrime.

These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.

Recommended read:
References :

@cyberscoop.com //
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.

Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.

Recommended read:
References :
  • cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
  • Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
  • techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
  • www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
  • Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
  • CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
  • Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
  • industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
  • Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
  • Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
  • cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers