Cyberattacks hit data centres to steal information from global companies

Data centre access credentials have been leaked on the dark web.

Cyberattacks targeting multiple data centres in several regions globally have been observed over the past year and a half, resulting in exfiltration of information pertaining to some of the world's biggest companies and the publishing of access credentials on the dark web, according to cybersecurity company Resecurity.

"Malicious cyber activity targeting data centre organisations creates a significant precedent in the context of supply chain cybersecurity," Resecurity said in a blog post. "Resecurity expects attackers to increase malicious cyber activity related to data centres and their customers."

Resecurity first warned data centres about a malicious campaign to target them in September 2021, with further updates about two other episodes during 2022 and January 2023. 

The goal of the activity was to steal sensitive data from enterprises and government organisations that are customers of the data centres, Resecurity said.

Customer records dumped on dark web 

Most recently, credentials related to data centre organisations, acquired during various episodes of the malicious campaign, were published on an underground forum and detected by researchers. Some fragments of that particular data cache have also been shared by various threat actors on Telegram.

Resecurity identified several actors on the dark web, potentially originating from Asia, who during the course of the campaign managed to access customer records and exfiltrate them from one or multiple databases related to specific applications and systems used by several data centre organisations.

In at least one of the cases, initial access was likely gained via a vulnerable helpdesk or ticket management module that was integrated with other applications and systems, which allowed the threat actor to perform lateral movement.

The threat actor was able to extract a list of CCTV cameras with associated video stream identifiers used to monitor data centre environments, as well as credential information related to data centre IT staff and customers, Resecurity said.

Once the credentials were collected, the actor performed active probing to collect information about representatives of the enterprise customers who manage operations at the data centre, lists of purchased services, and deployed equipment. 

Malicious activity targets client verification data

In September 2021, when the campaign was first observed by Resecurity researchers, the threat actor involved in that episode was able to collect various records from over 2,000 data centre customers, according to Resecurity. 

These included credentials, e-mail, mobile phone, and ID card references, likely to be used for certain client verification mechanisms. (Around January 24, 2023, the affected organisation required customers to change their passwords.)

The actor was also able to compromise one of the internal email accounts used to register visitors, which could then be used for cyberespionage or other malicious purposes, Resecurity said. 

In the second observed instance of the campaign, in 2022, the actor was able to exfiltrate a customer database presumed to contain 1,210 records from a data centre organisation headquartered in Singapore. 

The third episode of the malicious campaign, observed in January this year, involved an organisation in the US that was a client of one of the previously impacted data centres.

"The information about this episode remains limited compared to the 2 previous episodes, but Resecurity was able to collect several credentials used by the IT staff which granted access to the customer portal in another data centre," Resecurity said. 

Then on January 28, data stolen during the campaign was published for sale on an underground community on the dark web called RAMP, which is often used by initial access brokers and ransomware groups.

“The actor most likely realised his activity could be detected and the value of the data may drop over time, that's why the idea of immediate monetisation was an expected step,” Resecurity said, adding that there may be other reasons for the data dump. 

“Such tactics are often used by nation-state actors to mask their activity, typically to blur the attack motive.”

Asian data centres reported to be hit

While Resecurity did not name the data centre operators that were identified in the attack, Bloomberg — which said it reviewed documents related to the cyberattacks — reports that Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres are among the victim organisations.

GDS has acknowledged that a customer support website was breached in 2021, but said that there was no risk to clients' IT systems or data, Bloomberg reported. ST Telemedia also said there was no risk to clients.

Organisations identified in the leaked data sets are financial institutions with a global presence as well as investment funds, biomedical research companies, technology vendors, e-commerce sites, cloud services, ISPs and content delivery network companies, according to Resecurity. 

The companies have headquarters in the US, UK, Canada, Australia, Switzerland, New Zealand, and China, according to the researchers. 

Cyberattacks reportedly steal credentials of major companies

For its part, Bloomberg reports that the stolen data included credentials of companies including Alibaba, Amazon, Apple, BMW, Goldman Sachs, Huawei Technologies, Microsoft, and Walmart.

Resecurity has not attributed the attacks to any known APT group. The researchers note that it is possible the victims were compromised by multiple, different actors.

However, the choice of RAMP as the marketplace on which to offer the data did provide some leads, Resecurity said.

RAMP has added support for the Chinese language and welcomed Chinese-speaking hackers to join. 

“The majority of forum sections have Chinese translation, and it is there where we could identify multiple actors originating from China and countries based in South-East Asia,” Resecurity said. 

Information about the malicious activity has been shared with the affected parties and national computer emergency response teams (CERTs) in China and Singapore. 

The research firm also shared information with US law enforcement as there was a significant amount of information related to major Fortune 500 corporations in the data sets. 
