Telstra Corp. said hackers left government data vulnerable to theft by stealing passwords in an attack on its Pacnet unit before the Australia-based carrier completed an acquisition of the undersea cable network April 16.
Pacnet customers including the Australian Federal Police and other government agencies were left exposed by the breach, Mike Burgess, Telstra’s chief information security officer, told a media call Wednesday. The security issue with Pacnet’s corporate network was addressed April 3, he said. He declined to say which government, or governments, were affected.
“We haven’t uncovered anything untoward, but I think we have to be very open that that is a possibility,” Brendon Riley, Telstra’s group executive for global enterprise and services, said on the call.
Pacnet owns the 36,800-kilometer (22,871-mile) EAC-C2C cable network connecting Hong Kong, China, Korea, Japan, Taiwan, the Philippines and Singapore. It also runs the 9,620-kilometer EAC Pacific cable from Japan to California.
The security breach was an SQL injection, Burgess said on the call Wednesday, referring to a type of attack which breaks into online databases by typing programming commands into online forms such as login pages.
“It’s not an uncommon attack, this attack has been around for at least a decade,” Wade Alcorn, a cybersecurity expert and founder of security consultancy Alcorn Group, said by phone from Brisbane. The hackers were probably “trying to get a good beachhead into the infrastructure so that they could get further into the organization.”
Perpetrators of such attacks range from solo so-called “script kiddie” hackers to organized crime networks, “hacktivists” such as Anonymous, and nation states, he said. “It could have been basically a small issue that a script kiddie’s picked up, or it could have been something a lot bigger and a lot more planned.”
Telstra was told about the breach shortly after the acquisition was finalized, and the carrier sent an investigation team to Hong Kong, Burgess wrote in a blog post.
They found a third party had gained access to Pacnet’s corporate network through a vulnerability “that enabled malicious software to be uploaded to the network and ultimately led to the theft of admin and user credentials,” Burgess wrote.
Pacnet’s corporate IT network isn’t connected to Telstra’s own network and the company hadn’t been contacted by the perpetrators or given a reason for the breach, Riley said.
“It is clear that they had access, complete access, to the corporate network,” Riley said on the call. There’s no evidence at this stage that the usernames and passwords were used to obtain further confidential data, Burgess said.
Telstra’s shares briefly touched a four-day low of A$6.09 in Sydney trading after the announcement, before recovering to close unchanged at A$6.13.
“No secure or classified material has been compromised,” a spokeswoman for the Australian Federal Police said by e-mail.