The stolen content, including email lists, financial databases, and private GitHub repositories, has led to speculation about insider involvement.
On February 17, 2023, a member of a popular cybercriminal forum advertised data belonging to Canada's second-largest telecommunications company, Telus. The information allegedly includes employee data (names and email addresses), payroll records, and private source code repositories. In response, Telus announced an investigation of a possible data breach but claimed it discovered no evidence that retail customer data was compromised. While the Telus data has not been authenticated, the threat actor posted a sample set that appeared to contain names and email addresses of current Telus employees, primarily technical personnel and software developers.
Read: Reshaping the Threat Landscape in 2023: Cybersixgill Announces Top Trends in Cybersecurity
In a February 21, 2023 post on the forum, the same threat actor advertised Telus' “confidential GitHub repositories, source code, and payroll records,” claiming that the stolen source code features the company's "sim-swap-API," which malicious actors could use to conduct SIM swap attacks. If the data is authentic, cybercriminals could use it in various malicious operations, from spearphishing schemes to data extortion and fraud. In addition, Telus data could be leveraged for industrial espionage purposes to undermine the company’s operations.
While the threat actor referred to the Telus incident as a "full breach," threatening to sell "everything connected with Telus," it remains unclear whether the company was (1) infiltrated by an unrelated threat actor, (2) hit with a third-party supplier breach, or (3) targeted by an insider abusing authorized access. Amid its investigation, Telus urged employees and customers to remain on alert for scams and phishing scenarios and advised them to refrain from engaging with emails, texts, or telephone calls that appeared fraudulent.
Cybercriminals consistently target telecommunications companies like Telus due to the wide range of valuable, private data they manage. In January 2023, T-Mobile announced that threat actors accessed the personal data of 37 million customers, which marked the eighth major breach the U.S. telecom giant reported in the last five years. In the latest breach, the attackers allegedly broke into T-Mobile’s networks by exploiting a bug in its Application Programming Interface (API).
In April 2022, one of Ukraine’s primary Internet Service Providers (ISPs), Ukrtelecom, was the victim of a cyber attack that disrupted service in large swaths of the country. Ukrtelecom’s rapid response limited the damage inflicted by the attack attributed to Russian hackers.
Cybersixgill collected the cybercrime forum posts advertising stolen Telus data. In the February 17, 2023 post below, the threat actor mentioned Telus employee email lists, claiming they were collected during a “very recent breach” in which over 76,000 unique emails and internal information associated with each employee were allegedly obtained from Telus' API. The threat actor shared a sample of the stolen email list, including emails related to software and DevOps developers, among other employees, and a sample of employee API information.
The threat actor claimed that the data had never been sold before and would only be sold to one buyer. The threat actor also offered to negotiate a price through an intermediary, directing interested customers to reach out via private message or Telegram.
While multiple forum members praised the alleged Telus breach, an apparent affiliate claimed they reported the threat actor to Telus, providing their personal information to the company and threatening them with jail. The affiliate claimed they had “fired” the threat actor and would refrain from further collaboration. The affiliate also threatened a mutual partner identified, warning that law enforcement from a European country would pursue both of them and seek extradition. This message suggests the threat actor’s location and a potential collaborator.
Cybersixgill also collected the threat actor’s February 21, 2023 post advertising additional Telus data, including an email database ($7,000), a payroll database ($6,000), and over 1,000 unique private repositories together with the sim-swap-API ($50,000). According to the threat actor, the advertised data represents the “full breach,” including “everything associated with Telus.”
The threat actor shared several screenshots as proof, specifying the same terms and conditions as the previous Telus post. A similar threatening comment was left on the post, and another member accused the threat actor of being Telus's current or past employee who accessed development-related information and resources using a VPN.
The circumstances surrounding the sale of Telus’ data on the underground have led to questions about how the information was accessed. Indeed, the company did not characterize the incident as a traditional external breach, supply chain attack, or insider threat. The threat actor did not directly claim they breached the company’s systems, possibly indicating that an insider abused authorized access to the company’s resources.
To reduce the risk of suffering similar attacks, organizations should implement the following best practices:
- Enable multi-factor authentication (MFA) processes to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts.
- Instruct employees not to click on links or attachments coming from suspicious emails.
- Limit R&D and financial data access to personnel who require it to perform their jobs.
- Educate staff about insider threats in periodic security training for all employees and immediately respond to suspicious behavior from employees or other internal stakeholders.
- Evaluate the risks of all third-party vendors, contractors, and partners that manage data by monitoring their assets on the Cybersixgill Investigative Portal for a more proactive detection approach.
Cybersixgill automatically aggregates data leaks and alerts customers in real time.