Austrian Internet Service Provider “A1 Telekom” Breached by Hackers

By Bill Toulas / June 11, 2020

One of Austria’s largest internet service providers (ISP), “A1 Telekom,” has been breached by hackers and was compelled to admit it after a whistleblower revealed the incident to a local blogger named Christian Haschek. The person who shared the details with the blogger identified as “Libertas” and told him that he/she has insider knowledge of the A1 hack and that he/she didn’t do it. Allegedly, the breach occurred around December 2019, with the infiltrators managing to break into the company’s corporate network by exploiting a vulnerability in an unspecified Microsoft product.

The ISP’s internal response team was late to respond effectively, and by the time it managed to stop the breach on May 22, 2020, six months had passed. When the team investigated the internal network and systems, it found multiple web shells spread across a set of different servers, including two highly critical ones. One of the domains handled by these servers was reported to be the management point for the network of a large Austrian company, but A1 has denied that the breach had any effect beyond its office network.

The whistleblower told C. Haschek that the hacker managed to compromise two internal administrator accounts, and even shared with the blogger the passwords that were used by these employees. Apparently, they had remained unchanged since 2013, and there were quite a few technicians who knew them. Some of these people may have left the company in the meantime, but the passwords were still not reset. A1 responded to this allegation, saying that these passwords are indeed valid but old, and most of them aren’t used anymore.

The source claims that A1 Telekom realized the breach earlier, but allowed the infiltrators to move around in order to figure out who they were. Evidently, the signs pointed to the “Gallium” group, which is a notorious hacking team that has ties with the Chinese Ministry of State Security. A1 denied having any clues about who the attackers are, as they were using VPN tools to connect to its network. The company also admitted that it learned about the breach in January, which is when it involved external IT security experts.

As for what has been breached, the source stated that the actors accessed the firm’s internal and some external client databases. In total, the whistleblower says the hackers had access to 12,000 servers. A1 denies all of that, saying the attackers only had access to an SQL database that doesn’t hold any customer information. Finally, the Austrian ISP claims that although the hackers maintained uninterrupted access to its systems for six months, no sensitive client data was ever accessed or exfiltrated.
