Cyber extortion: AT&T agreed to pay hacker about $400,000 to erase stolen sensitive data
A hacker who claims to have stolen sensitive call and text logs from AT&T Inc. revealed he was paid about $400,000 to erase the data cache.
An examination of a Bitcoin wallet address given by the hacker confirms that he received a transaction in mid-May that analysts said connected with an extortion payment.
A person acquainted with the ransomware discussions, who requested anonymity to talk about confidential matters, verified the payment from AT&T to the hacker.
Whether AT&T employed a mediator to pay hackers wasn't immediately clear.
An AT&T spokesperson refused to comment on whether the corporation paid a ransom to contain the fallout from a hack that possibly exposed a large cache of call and text logs from almost all its wireless customers during a six-month period in 2022.
The Federal Bureau of Investigation and Department of Justice (DOJ) also refused to comment on the alleged payment.
The range and details of the data, along with some location information, present national security risks, and some experts noted that the size of the alleged ransom payment seemed remarkably low in comparison with other recent prominent extortion events.
The breach also is one of many compromises connected to a security incident at the data analysis software provider Snowflake Inc., and that corporation continues to cope with the reputational effect of the matter.
The hacker stated he was giving the information — and an almost seven-minute video that he alleges proved he deleted the data — to try to show that he had fulfilled his deal with AT&T.
The person also said that other hackers were employed in the attack.
Bloomberg was unable to confirm the authenticity of the video or the hacker's claim that other attackers were tied to the incident.
AT&T stated it didn't believe that the stolen call and text logs had been made public.
Chainalysis Inc., at Bloomberg's request, investigated the record of payment given by the hacker and compared it to information on the blockchain, a publicly available ledger of cryptocurrency transactions.
The corporation said it seemed to be an extortion payment in which someone deposited Bitcoin, valued at about $380,000 at the time, into the digital wallet identified by the hacker.
Chainalysis said a smaller amount was then moved from that wallet into another one belonging to a known hacker, whom the company refused to identify. Chainalysis said it couldn't establish whether the original Bitcoin payment was made by AT&T.
The transaction happened at a time when AT&T was cooperating with federal law enforcement officials to deal with the breach and defer making information about it public amidst national security and public safety concerns.
With the approval of the DOJ, the corporation postponed disclosure twice — on May 9 and on June 5.
Alleged payment is low compared with other ransom demands and payments
The alleged payment is somewhat low when compared with ransom demands — and payments — for other recent well-known data breaches.
For example, Colonial Pipeline Co. paid a hacking group $4.4 million after a ransomware attack in 2021 forced it to close down its pipeline, blocking gas supplies on the East Coast, while UnitedHealth Group Inc. made a $22 million payment to a cybercrime group after a February breach of its subsidiary, Change Healthcare.
"For a big company like AT&T, $380,000 is a drop in the ocean," said Jon DiMaggio, chief security strategist at Analyst1.
DiMaggio said the comparatively small ransom payment could be because there were no financial records accessed by the hacker.
The hacker said he didn't think the information he had stolen from AT&T was profitable or know who might be interested in buying it.
A Snowflake representative said the hack of AT&T records was part of a bigger campaign the corporation revealed last month, where attackers had employed stolen login details to access as many as 165 of its customers.
AT&T, in a filing with the Securities and Exchange Commission, said it believes the attack was conducted between April 14 and 15, and affected records of customer call and text interactions from a period between May 1 and Oct. 31, 2022, in addition to Jan. 2, 2023.
In a statement released on July 12, AT&T said that the phone call and text message records of almost all of its cellular customers – over 100 million individuals – were illegally downloaded by the threat actor.
The stolen information includes the phone numbers of AT&T wireline customers and of customers of other carriers like Boost Mobile, Cricket Wireless and Consumer Cellular, along with the numbers they interacted with and the aggregate call duration for a day or month.
Sources include:
BNNBloomberg.ca
ITPro.com
Brighteon.com