AT&T hacker says firm paid nearly $400,000 to have stolen data deleted

AT&T is alleged to have paid a $370,000 ransom to delete the sensitive data stolen by hackers during another major cyber attack linked to cloud service provider Snowflake.

In its SEC filing , AT&T said it believes the attack was carried out between 14 and 15 April, and affected records of customer call and text interactions from a period between 1 May and 31 October 2022, as well as on 2 January 2023.

In a statement published on 12 July, AT&T advised that the phone call and text message records of nearly all of its cellular customers, over 100 million individuals, were illegally downloaded by the threat actor.

The stolen information includes the phone numbers of AT&T wireline customers and other carriers such as Boost Mobile, Cricket Wireless, and Consumer Cellular, as well as those numbers they interacted with and the aggregate call duration for a day or month.

AT&T said the data did not contain the content of the calls or messages, including any personal information such as Social Security numbers, dates of birth, or other personally identifiable information .

Despite this, the details included in the breach could be paired with publicly available information to identify and target the affected customers with social engineering attacks in the future.

This incident marks one the largest breaches of its nature in US history, and due to concerns for national security and public safety, AT&T was granted special permission to delay notifying the public by the US Department of Justice in May and June.

AT&T could be ShinyHunters’ biggest victim yet

The threat actor, reported to be part of the notorious ShinyHunters collective, claimed it had received the ransom payment from the telecom giant, providing the Bitcoin addresses involved in the transaction.

Independent analysis of the receiving address showed a transaction occurred in May which researchers have said fits the description for an extortion payment of this size.

A security researcher who worked as the go-between for the negotiation identified by his online handle, Reddington, confirmed the validity of the transaction to Wired , providing proof of the fee payment, which was allegedly negotiated down from $1 million to nearer $400,000.

Kevin Robertson, COO of Accumen Cyber, warned this development is particularly concerning as it shows large enterprises with vast resources available to them are equally vulnerable to ransomware attacks .

“This is a concerning update from AT&T, and the reports it paid criminals highlights the perilous position businesses find themselves in when their data ends up in the hands of hackers,” he explained.

“Even the massive enterprises see no other option than to pay criminals, it’s not just the small businesses that have to make these dangerous decisions.”

Robertson said he would still advise against paying ransoms, however, as there is no way to be sure the criminals will keep their promise to delete any stolen data .

“But, even despite this, paying criminals to delete data is always inadvisable. There are absolutely no guarantees they will stick to their word, so this doesn’t mean customers of AT&T are now in the clear,” he warned.

“The data compromised could be used to carry out fraud, so anyone who receives a breach notification , must use caution online.”

The deal also required that the threat actor provided a video to prove he deleted the stolen data. Mandiant identified the hacker as UNC5537, known for systematically targeting Snowflake customer instances , and is linked to a number of other security incidents affecting the platform.

Snowflake implicated in yet another major breach

According to Reddington, the threat actor was able to access the data through an inadequately secured cloud storage account hosted by Snowflake.

ITPro approached the cloud data platform firm for clarification on these allegations and received the following response from Brad Jones, CISO at Snowflake :

"We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform. "

Elliott Wilkes, CTO of Advanced Cyber Defence Systems (ACDS), said this latest development only adds to a growing list of cyber attacks linked to the service provider.

"This breach appears to be the result of an attacker exfiltrating AT&T data stored in a Snowflake account, adding over 100m affected customers to an already staggering volume of data leaked from Snowflake accounts. It is possible that the Snowflake attack might end up as one of the largest data breaches to date .”

Wilkes noted the explanation provided by Snowflake’s CISO, Jones, who once again blamed customers failing to protect their databases with multi-factor authentication (MFA).

An overview of how the threat landscape is evolving

“There are conflicting reports as to exactly how these intrusions and data exfiltration happened but the main item in many discussions, including announcements from the Snowflake CISO, is that the affected accounts had their credentials stolen via infostealer malware and their Snowflake accounts were not protected by multi-factor authentication, which would have prevented or at least hampered attempts to illegally access their data.”

Accumen Cyber’s Kevin Robertson added that the recent attacks have pushed Snowflake to adapt its security measures. Earlier this month, the firm outlined changes that allow admins to enforce mandatory MFA on their accounts moving forward.

“More positively, Snowflake has just recently announced an update to its platform where admins can now make MFA for their users. This will provide a significant security boost against incidents like these in the future.”