Keeping a close eye on the rising number of phishing attacks on Australians amidst the COVID-19 pandemic, Telstra launched a pilot project in September 2020 to block phishing texts in association with the Australian Cyber Security Centre (ACSC) and Services Australia. The initiative was lauded by its customers and other federal agencies as a step forward in protecting citizens from notorious cybercriminals. However, it seems Telstra had forgotten to consider its third parties: Telstra has reportedly confirmed that one of its service providers was affected in a security breach. Threat actors claim that they have exfiltrated financial and SIM card data belonging to “tens of thousands” of Telstra’s customers and are now demanding a ransom in exchange for it.
The Compromised Service Provider
The third-party service provider whose compromise led to the hack is Melbourne-based telecom service provider Schepisi Communications. According to its official website, it is a “trusted” and “platinum partner” of Telstra, supplying phone numbers and cloud storage services. Since the alleged cyberattack, a cybercriminal group has claimed that it infiltrated the company’s data systems and has posted a ransom note on the dark web saying,
We have a large amount of data on mobile devices, tens of thousands of SIM cards … financial information, contracts, banking information and much more.
The cybercriminals further warned Schepisi Communications that it had only 240 hours to agree to their terms or the data would be leaked on their name-and-shame website. The warning also stated that decrypting the data would be of no use and that, in retaliation, their site would then be attacked by a wave of DDoS attacks.
A Telstra spokesperson confirmed the security breach to a national daily and acknowledged that it had affected one of its “dealers.” He added, “We’ve been in contact with the dealer and been told some ‘high level’ Telstra business customer information, such as mobile phone numbers, may have been accessed from its order fulfillment system.”
More information on the type of ransomware and the operators behind it is awaited.