New Telstra acquisition had already been hacked

Telstra has advised customers, staff, regulators and the Australian Federal Police (AFP) that its Asian-based data centre and undersea cable operator Pacnet has had a security breach.

The breach is reported by Telstra to have occurred before it took control of Singapore- and Hong Kong-based Pacnet in a £450 million deal finalised on April 16, and although there is reportedly no evidence of any data taken, theft of customer data remains a possibility.

Pacnet provides connectivity, managed services and data centre services to carriers, multinational corporations, governments and law enforcement agencies in the Asia-Pacific region and the deal increases Telstra's exposure to China's growing network management industry.

“We have not been able to tell from forensic information or system logs what has been taken from the network. But … it is clear that they had complete access to the corporate network and that's why we are telling customers,” Telstra chief security officer Mike Burgess told The Australian newspaper.

The attack was on the corporate IT network of Pacnet, which contains the email and other business management systems for the division.

An SQL vulnerability enabled malicious software to be uploaded to the network and led to the theft of administration and user credentials.

Group executive of global enterprise services Brendon Riley was reported by The Age as saying that Telstra had taken immediate action to protect the security of the network once it was informed of the breach. It has addressed the security vulnerability and removed all known malicious software as well as installing additional monitoring and incident response capabilities. Riley said the Pacnet corporate IT network is not connected to the Telstra network and there was no evidence of any breach of Telstra's network.

The AFP issued a statement saying: "The AFP has been advised that the breach was confined to the business operating network of PACNET, therefore it is assessed that no secure or classified material has been compromised."

Burgess told Reuters: "While we will look into who was behind the breach we may never know as attribution is very difficult. We have not had any contact from the perpetrators nor do we know the reason behind this activity." The South China Morning Post reported in June 2013 that computers at the Hong Kong headquarters of Pacnet were "hacked by US spies in 2009".

In an email to SC, Trey Ford, Global Security Strategist at Rapid7, commented: “I feel bad for Telstra, it's like watching someone get in a car accident right after buying a new car. By disclosing the breach, they're really doing the right thing in terms of transparency -- acknowledging a breach is important in protecting relationships.

“Acquisitions, from a security and technology standpoint, are high risk operations. There really is no way to know everything you have inherited prior to the transaction closing. Acquisition due diligence from a security standpoint is usually focused on the existence of security controls and compliance programmes, and I wouldn't be surprised if we start seeing more focused incident detection exercises before purchase. That said, routine scanning should have detected an SQL injection vulnerability – and finding and closing internet exposed vulnerabilities should be top priority for technology teams.

“There are still questions around whether the incident has been closed. If you don't know how long an attacker has been in your network or what they have taken, the difficulty of removing the attacker(s) can be enormous. To be clear -- telecom service providers are interesting to all attackers, including nation state actors, making it even more critical for this sector to be aware of potential risks and vulnerabilities.”