Telstra has disclosed a security breach at its recent acquisition Pacnet. According to the press release the breach occurred before the $697 million deal with Pacnet was finalised, and Telstra took immediate action once it was told of the issue.
Group Executive of Global Enterprise Services Brendon Riley said: “Our investigation found a third party had attained access to Pacnet’s corporate IT network, including email and other administrative systems, through a SQL vulnerability that enabled malicious software to be uploaded to the network.
“To protect against further activity we rectified the security vulnerabilities that allowed the unauthorised access. We have also put in place additional monitoring and incident response capabilities that we routinely apply to all of our networks.
“Now we have addressed the breach and understand its potential impacts we are in the process of advising our Pacnet customers worldwide of what occurred and reassuring them that we are now applying the same high level of security we apply to Telstra’s networks.”
What was taken?
At the moment it is unclear exactly what was taken and what wasn’t. Telstra has told customers that “admin and user credentials” were taken and has advised them to make immediate changes. Beyond that, however, there seems to be no information as to what data might have been stolen or what software was uploaded to the system.
Establishing what data may have been stolen is likely to be extremely difficult for Telstra. They will have to go back through massive amounts of network logs looking for suspicious traffic patterns. Without baseline data for normal traffic, however, telling exfiltration apart from legitimate transfers is not going to be easy. They will also need substantial assistance from customers in establishing which data transfers were legitimate and which were not.
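The baseline problem described above, as an added illustration that is not Telstra's or Pacnet's own tooling: each host's outbound volume and destinations on a given day are compared against a baseline window of earlier days, and with no baseline days at all the check has nothing to compare against and raises no alert. The hostnames, addresses and flow records are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (day, source_host, destination_ip, bytes_out).
FLOWS = [
    ("d1", "mail01", "203.0.113.5", 2_100_000),
    ("d2", "mail01", "203.0.113.5", 2_100_000),
    ("d3", "mail01", "203.0.113.6", 1_300_000),
    ("d4", "mail01", "198.51.100.9", 48_000_000),  # bulk transfer to a never-seen host
    ("d1", "admin01", "203.0.113.5", 200_000),
    ("d2", "admin01", "203.0.113.5", 220_000),
    ("d3", "admin01", "203.0.113.5", 190_000),
    ("d4", "admin01", "203.0.113.5", 210_000),
]


def daily_totals(flows):
    """Per host: bytes_out per day and the set of destinations contacted per day."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        dests[host][day].add(dst)
    return totals, dests


def find_anomalies(flows, baseline_days, k=3.0):
    """Return (host, day, kind, detail) alerts for days outside the baseline window
    whose outbound volume exceeds mean + k*stdev of the baseline days, or that contact
    a destination never seen during the baseline. With no baseline days nothing can
    be compared, so no alert is raised: that is the position the article describes."""
    totals, dests = daily_totals(flows)
    alerts = []
    for host in sorted(totals):
        base = [totals[host][d] for d in sorted(baseline_days) if d in totals[host]]
        if len(base) < 2:
            continue  # no usable baseline for this host
        mu = mean(base)
        sigma = max(pstdev(base), 0.1 * mu)  # floor so a flat baseline does not alert on jitter
        known = set().union(*(dests[host][d] for d in baseline_days if d in dests[host]))
        for day in sorted(totals[host]):
            if day in baseline_days:
                continue
            if totals[host][day] > mu + k * sigma:
                alerts.append((host, day, "volume", totals[host][day]))
            for dst in sorted(dests[host][day] - known):
                alerts.append((host, day, "new_destination", dst))
    return alerts
```

Calling `find_anomalies(FLOWS, {"d1", "d2", "d3"})` flags only mail01 on d4, for both its volume and its unseen destination; the same call with an empty baseline returns nothing.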
The other challenge is establishing what malware was uploaded to the Pacnet system and whether any of it was then placed onto customer systems. With the attackers having access to customer systems, it would have been a simple matter to upload malware that users would then have downloaded, seeing it as coming from an authorised company source and therefore safe.
At present, Telstra is saying that it has had no contact from any parties that might have launched the attack. Without any contact, Telstra don’t know if the intentions of the attacker were malicious or whether this was just someone trying to prove their hacking skills.
The other unknown is whether this was an outside or an insider attack. It will take some time for Telstra to fully reconstruct the attack and find out. During that time, there is still a risk that malware introduced to the network is active and undetected.
Telstra caught out by acquisition rules
The problem here for Telstra is that no matter how much due diligence they carried out, they were unable to access operational systems that would have given details on the attack. What Telstra has been keen to make clear is that this attack did not, at any time, affect their customers and was restricted to Pacnet.
Telstra are unlikely to be the only company to have been caught out by a breach at an acquisition target. However, by admitting to the attack at the earliest opportunity Telstra have made it clear that the problem lay with Pacnet, not with them, and shown their willingness to be transparent about the problem.
Trey Ford, Global Security Strategist at Rapid7 said: “Acquisitions, from a security and technology standpoint, are high risk operations. There really is no way to know everything you have inherited prior to the transaction closing.
“Acquisition due diligence from a security standpoint is usually focused on the existence of security controls and compliance programs, and I wouldn’t be surprised if we start seeing more focused incident detection exercises before purchase. That said, routine scanning should have detected a SQL injection vulnerability – and finding and closing internet exposed vulnerabilities should be top priority for technology teams.
“There are still questions around whether the incident has been closed. If you don’t know how long an attacker has been in your network or what they have taken, the difficulty of removing the attacker(s) can be enormous. To be clear — telecom service providers are interesting to all attackers, including nation state actors, making it even more critical for this sector to be aware of potential risks and vulnerabilities.”