Australian telco Telstra revealed on 20 May 2015 that an unknown hacker had accessed the IT network at its Asian undersea cable and datacentre subsidiary, Pacnet, in early April using a SQL injection attack to inject malware.
The breach took place two weeks before Telstra closed its $697m deal to acquire Pacnet, but Telstra said it was not told of the breach until after the deal’s completion on 16 April 2015, reports the Australian Financial Review.
Telstra said it took immediate steps to remediate the breach after it was notified, including notifying customers that the hackers were able to access Pacnet’s entire corporate network, including email and administrative systems.
Telstra claims the Pacnet corporate network is now secure and there is no evidence that Pacnet’s infrastructure networks such as its datacentres and undersea cable network were accessed or breached.
The Australian Cyber Security Centre (ACSC) is working with Telstra to investigate the breach at Pacnet and determine whether any government customers are affected.
Pacnet’s customers reportedly include the Australian Federal Police, the Department of Foreign Affairs and Trade, the New South Wales Government and Austrade.
Telecoms firms interesting to all attackers
Security commentators said telecommunication service providers are interesting to all attackers, including nation state actors, making it even more critical for this sector to be aware of potential risks and vulnerabilities.
“Utilities are major targets for malicious attackers and they need to constantly monitor their security events and regularly scan for vulnerabilities,” said Alex Tok, managing director for the Asia-Pacific region at managed security services provider Proficio.
“Hackers are always on the lookout for creative ways to exploit unpatched SQL vulnerabilities and unfortunately it is not uncommon for these attacks to lead to a data breach,” he said.
Rapid7 global security strategist Trey Ford said that by disclosing the breach, Telstra is doing the right thing in terms of transparency. “Acknowledging a breach is important in protecting relationships,” he said.
However, others have criticised Telstra for waiting more than a month before sending out notifications.
Questions over due diligence process
Group executive at Telstra’s enterprise services division, Brendon Riley, said the company needed to properly understand what happened with the Pacnet network before informing the public, reports the Financial Times.
The breach at Pacnet has also raised questions about the due diligence process undertaken before Telstra’s acquisition of the company.
Ford said acquisitions are high-risk operations from a security and technology standpoint. “There really is no way to know everything you have inherited prior to the transaction closing.
“Acquisition due diligence from a security standpoint is usually focused on the existence of security controls and compliance programmes, and I wouldn’t be surprised if we start seeing more focused incident-detection exercises before purchase,” he said.
But Ford added that routine scanning should have detected an SQL injection vulnerability: “Finding and closing internet-exposed vulnerabilities should be a top priority for technology teams.”
Ford also cast some doubt on Telstra’s claims that the breach has been closed and that Pacnet’s network is secure.
“If you don’t know how long an attacker has been in your network or what they have taken, the difficulty of removing an attacker can be enormous,” he said.