Cyber rules on the way to fight Optus hack fraudsters
“Optus if you are reading! Price for us to not sale data is 1,000,000$US we give you 1 week to decide,” the post, which demanded the payment be made in the monero cryptocurrency, said.
The Australian Financial Review has seen a sample of the apparent breach data and contacted the user.
While multiple cybersecurity experts say the data might be legitimate, there is no certainty. Hacking forums often post fake claims to trick companies into paying a ransom for data a poster does not have.
The purported hacker reportedly got into Optus’ systems via an unprotected application programming interface – a tool that facilitates communication between apps and services. The user told the Bank Info Security website the API was accessible by any web user and did not require authentication. If the report is true, that would mean Optus had effectively left a door to its virtual data warehouse unlocked.
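The class of weakness described in the report above (an API reachable by anyone, with no authentication in front of customer data) illustrated with added example code. This is not Optus' code, not the Financial Review's, and not a reconstruction of the actual endpoint; it shows what such a handler looks like beside a hardened version that requires a signed bearer token and limits each caller to their own record. The token format, the signing key, the scope name `customers:read` and the sample customer records are all assumptions made up for this example.

```python
"""
Added illustration (not Optus' code, not a reconstruction of its API).
Compares an unauthenticated customer-record lookup with one that checks
a signed bearer token and enforces per-customer authorization.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample records, made up for this example.
CUSTOMERS: Dict[str, dict] = {
    "1001": {"name": "A. Example", "dob": "1980-01-01", "licence": "DL-0001"},
    "1002": {"name": "B. Example", "dob": "1991-02-02", "licence": "DL-0002"},
}


def unprotected_get_customer(customer_id: str) -> Optional[dict]:
    """Vulnerable: anyone who can reach the endpoint can read any record,
    and ids can simply be walked to pull the whole table."""
    return CUSTOMERS.get(customer_id)


# Hardened version. Assumed shared secret used to sign tokens; a real
# deployment would verify OAuth/JWT tokens against the identity provider's
# keys, but the checks below are the same in kind.
SIGNING_KEY = b"example-only-do-not-use"


def issue_token(subject: str, scopes: List[str], ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Mint a token of the form <hex payload>.<hmac-sha256 tag>."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scp": scopes, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the tag verifies and the token is unexpired."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def protected_get_customer(headers: Dict[str, str], customer_id: str,
                           now: Optional[int] = None) -> Tuple[int, Optional[dict]]:
    """Hardened handler: authenticate the caller, then authorize the record."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, None
    # A customer may read only their own record; the assumed staff scope
    # may read any record (and such access should be logged and rate-limited).
    own_record = customer_id == claims.get("sub")
    staff = "customers:read" in claims.get("scp", [])
    record = CUSTOMERS.get(customer_id)
    # 404 for both "not yours" and "does not exist", so a caller cannot
    # use the response to learn which ids are valid.
    if record is None or not (own_record or staff):
        return 404, None
    return 200, record


if __name__ == "__main__":
    print(unprotected_get_customer("1002"))           # anyone gets the record
    print(protected_get_customer({}, "1002"))          # (401, None)
    tok = issue_token("1001", [])
    hdr = {"Authorization": "Bearer " + tok}
    print(protected_get_customer(hdr, "1001"))         # own record, 200
    print(protected_get_customer(hdr, "1002"))         # someone else's, 404
```

The two checks in the hardened handler are separate on purpose: the token proves who is calling, and the ownership or scope test decides what that caller may see. An endpoint that only does the first still leaks every record to any authenticated user who changes the id in the request.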
Others, such as cyber threat intelligence firm Kela and partner Colab82, have theorised that hackers may have recruited Optus employees to facilitate the breach as an inside job.
“[Threat actors] were looking in June and July 2022 for ‘insiders’ of Optus and other companies, to get sensitive information about the company,” it said in an analysis note obtained by the Financial Review.
Kela identified three posters on notable hacking forums that were looking for insiders earlier this year.
It also “found more than 55,000 leaked credentials pertaining to the Optus domain that may be used by threat actors for social engineering campaigns” and “3000 bots containing Optus-related resources – some of which seem to be sensitive portals designated for company personnel” on illicit markets.
Optus confirmed it had had no contact with the hacker, and the hacker had not contacted the telco before the post about the data on the breach forum.
Optus declined to comment on the authenticity of the data sample.
“Given the investigation, Optus will not comment on the legitimacy of customer data claimed to be held by third parties and urges all customers to exercise caution in their online transactions and dealings,” the company said.
“Once again, we apologise. We will provide further updates as new information comes to hand.”
The Financial Review has cross-referenced some of the alleged data with breaches listed on HaveIBeenPwned.com, a site that helps users check if their data has been part of a breach that has been made public.
Of the handful of email addresses from the sample tested by the Financial Review, most appeared to have been part of a previous, unrelated data breach collated on the website. However, some had not, indicating that the data could be legitimate because they were newly exposed addresses. The Financial Review cannot verify whether the data posted is real.
“The data for sale online is of real people. But we need Optus to verify it’s from them,” Internet 2.0 co-chief executive Robert Potter said.
The Australian Federal Police said it was aware of reports the stolen data was being sold “through a number of forums, including the dark web”.
“The AFP is using specialist capability to monitor the dark web and other technologies, and will not hesitate to take action against those who are breaking the law,” a spokeswoman said.
“It is an offence to buy stolen credentials. Those who do face a penalty of up to 10 years’ imprisonment.”