Threat Actor Breaches BSNL Data Systems, Planning to Clone SIMs; Millions of Subscribers at Risk: New Report
The nature and volume of the compromised data reportedly suggest that ‘kiberphant0m’ had prolonged access to BSNL’s systems. As per the report, the threat actor discussed misuse of the data for activities such as SIM cloning and extortion. Once cloned, a SIM card can be used to intercept calls and messages, including OTPs, bypass two-factor authentication, access bank accounts and more.

In a shocking revelation, a recent data breach report disclosed that a notorious threat actor known as ‘kiberphant0m’ gained access to the data systems of Bharat Sanchar Nigam Limited (BSNL), the state-owned telecommunications provider. At the time of publishing, BSNL hadn’t replied to News18’s request for a response.

Kanishk Gaur, CEO of the digital risk management company Athenian Tech, told News18: “It appears that the breach may have been ongoing for a significant period of time before it was publicly disclosed. The nature and volume of the compromised data suggest that ‘kiberphant0m’ had prolonged access to BSNL’s systems.”

“The exact number of affected users is still being assessed, but given the scope of the data compromised, it potentially impacts millions of BSNL subscribers,” he added.

Compromised Data

The compromised data allegedly includes critical information such as International Mobile Subscriber Identity (IMSI) numbers, SIM card details, PIN codes, and authentication keys. Additionally, the breach allegedly involves data from DP Cards and DP Security Key, along with snapshots of BSNL’s SOLARIS servers.

Asked whether the data is authentic and distinct from an earlier reported BSNL breach in December 2023, Athenian Tech reportedly found that the data being sold is separate from and unrelated to the previously sold datasets, which focused on user information. The current data is more complex and critical, relating directly to telecom operations.

“The threat actor priced the compromised data at $5,000, offered as a special deal valid from 5/30/2024 to 5/31/2024. This pricing highlights the high value of the data due to its sensitivity and extensive scope. During conversations on a dark web platform, the threat actor discussed the potential misuse of this data for activities such as SIM cloning and extortion, illustrating the serious risks associated with its criminal exploitation,” the report said.

The Risks

SIM cloning involves creating a duplicate SIM card with the same IMSI and authentication keys as the original. Once cloned, a SIM card can be used to intercept messages and calls, bypass two-factor authentication, access bank accounts, and commit fraud under another person’s identity. This not only compromises personal security but can also lead to significant financial losses for the victims.
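Because a cloned SIM presents the same IMSI as the original, one defensive signal an operator can look for in its own registration records is the same IMSI appearing from two distant cells within a window too short for physical travel. The following is an added example, not code from the report or from BSNL; the log format, cell coordinates, IMSI values and speed threshold are all constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample of location-update events (timestamp, IMSI, serving cell).
# The format and every value here are assumptions for this example only.
SAMPLE_LOG = """\
2024-05-30T10:00:00 IMSI=404700000000001 CELL=DEL-01
2024-05-30T10:04:00 IMSI=404700000000001 CELL=MUM-07
2024-05-30T10:05:00 IMSI=404700000000002 CELL=DEL-01
2024-05-30T10:40:00 IMSI=404700000000002 CELL=DEL-02
"""

# Approximate cell-site coordinates (constructed), latitude/longitude in degrees.
CELL_COORDS = {
    "DEL-01": (28.61, 77.21),
    "DEL-02": (28.65, 77.25),
    "MUM-07": (19.08, 72.88),
}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def parse_log(text):
    """Turn the sample log into (timestamp, imsi, cell) tuples in time order."""
    events = []
    for line in text.splitlines():
        ts, imsi, cell = line.split()
        events.append((datetime.fromisoformat(ts), imsi.split("=")[1], cell.split("=")[1]))
    return sorted(events)

def impossible_travel(events, max_speed_kmh=900.0):
    """Flag IMSIs whose consecutive registrations imply travel faster than max_speed_kmh."""
    last = {}
    alerts = []
    for ts, imsi, cell in events:
        if imsi in last:
            prev_ts, prev_cell = last[imsi]
            hours = (ts - prev_ts).total_seconds() / 3600
            km = haversine_km(CELL_COORDS[prev_cell], CELL_COORDS[cell])
            if hours > 0 and km / hours > max_speed_kmh:
                alerts.append((imsi, prev_cell, cell, round(km / hours)))
        last[imsi] = (ts, cell)
    return alerts

def run_example():
    """Run the check over the constructed log; only the Delhi-to-Mumbai jump should alert."""
    return impossible_travel(parse_log(SAMPLE_LOG))
```

A real deployment would read from HLR/VLR location-update feeds and tune the threshold to normal roaming behaviour; the heuristic is a trigger for investigation, not proof of cloning.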

The report highlighted that users might become targets of phishing schemes or other social engineering attacks. The stolen data can be used to craft convincing scams, exploiting users’ trust in BSNL and causing further personal and financial harm.

With access to Home Location Register (HLR) details and machine copies, malicious actors can potentially manipulate network settings or intercept data directly from the network. Unauthorised changes to the network or data interception can lead to widespread service disruptions, illegal surveillance activities, and leaks of sensitive information.

Access to SOLARIS server snapshots allows attackers to study the infrastructure setup and potentially exploit known vulnerabilities or inject malicious code without immediate detection. This could result in operational failures, malicious data alteration, or complete network shutdowns, affecting thousands of users and leading to operational and financial setbacks for BSNL.

With critical data like IMSI numbers and SIM card details compromised, there’s a risk of unauthorised access to and manipulation of telecom operations, potentially causing service outages or degraded performance.

The report also highlighted that BSNL is a key component of India’s telecom infrastructure. The exposure of sensitive data, including server snapshots and security keys, can be exploited to disrupt communication networks. Such vulnerabilities could be leveraged in cyber-attacks to undermine national security or infrastructure stability.

The breach sets a dangerous precedent, potentially encouraging further attacks on other critical infrastructure sectors. The detailed operational data that has been compromised could be used to launch more sophisticated cyber-attacks, targeting not only BSNL but other interconnected systems and networks.

Insights and Recommendations

Gaur provided insights into the nature of the threat actor and said that ‘kiberphant0m’ is identified as a highly skilled and possibly well-resourced threat actor specialising in compromising critical infrastructure systems. His previous activities and the sophisticated data he has compromised point to a deep understanding of telecom operations and security protocols.

“He operates on dark web forums, often showcasing his exploits and seeks to monetise stolen data through extortion or by selling it to other malicious actors,” the cybersecurity specialist added.

Asked about the vulnerabilities or exploits used by ‘kiberphant0m’ to gain access to BSNL’s systems, Gaur said: “While the specific vulnerabilities exploited by ‘kiberphant0m’ have not been publicly disclosed, access to critical systems like the Home Location Register (HLR) and SOLARIS server snapshots indicates a deep penetration likely facilitated by exploiting software vulnerabilities or using sophisticated social engineering techniques. The inclusion of server snapshots suggests possible exploitation of known vulnerabilities within BSNL’s server infrastructure, emphasising the need for rigorous patch management and security updates.”

Regarding the volume of compromised data, Gaur elaborated: “The data compromised in this breach is substantial, covering various critical areas including IMSI and SIM details, HLR data, DP Card Data (approximately 8GB), DP Security Key Data (around 130GB), master keys, and SOLARIS server snapshots totalling about 140GB.”

Gaur also provided recommendations for BSNL, saying immediate actions should include conducting a comprehensive forensic investigation to understand the breach’s scope and identify the exact vulnerabilities that have been exploited.

“BSNL should transparently communicate with the affected subscribers, advising them on precautionary measures and offering support to mitigate potential impacts like SIM cloning or identity theft. Strengthening security measures, including multi-factor authentication, enhanced encryption, and stricter access controls across all systems, is also crucial, along with regular security audits and AI-powered advanced threat detection,” he noted.
