Hackers breached A1 Telekom, Austria's largest ISP

A1 needed more than six months to kick the hackers off its network. Whistleblower claims the intruders were Chinese hackers.

A1 Telekom, the largest internet service provider in Austria, has admitted to a security breach this week, following a whistleblower's exposé.

The company admitted to suffering a malware infection in November 2019. A1 said its security team detected the malware a month later, but that removing the infection was more problematic than it initially anticipated.

From December 2019 to May 2020, A1 said its security team had battled with the malware's operators in attempts to remove all of their hidden backdoor components and kick out the intruders.

A1, which didn't disclose the nature of the malware, didn't say whether the intruders were a financially motivated cybercrime gang or a nation-state hacking group.

The Austrian ISP told a local blogger -- who was in contact with the whistleblower -- that the malware only infected computers on its office network, but not its entire IT system, which consisted of more than 15,000 workstations, 12,000 servers, and thousands of applications.

The attacker supposedly took manual control of the malware and attempted to expand this initial foothold on a few systems to the company's entire network. A1 said the attacker managed to compromise some databases and even ran database queries in order to learn the company's internal network.

In interviews with Austrian press [1, 2, 3], A1 said that the complexity of its internal network helped prevent the attacker from making their way to other systems "because the thousands of databases and their relationships are by no means easy to understand for outsiders."

A1 told German news site Heise that despite a pretty serious compromise that lasted more than six months, the attacker did not get their hands on any sensitive customer data. However, the whistleblower claimed the intruders made "very specific [database] queries of location, phone numbers and other customer data for certain private A1 customers" and "downloaded 'massive amounts' of customer data."

According to A1, the company kicked the hackers off its network last month, on May 22. Since then, A1 has reset passwords for all its 8,000+ employees and has changed passwords and access keys for all its servers.

Christian Haschek, the Austrian blogger and security researcher who first broke the story, said the whistleblower claimed the hack was carried out by Gallium, a codename used by Microsoft to describe a Chinese nation-state hacking group specialized in hacking telecom providers worldwide.

A1 declined to comment on the whistleblower's attribution.