Cyber Incident Victim: Virgin Mobile KSA
Date: Jul 2020
Location: Saudi Arabia
Summary
Hackers compromised Virgin Mobile KSA's office network, gaining access to its email system and an Active Directory domain controller, exfiltrating internal employee communications, customer activation reports, dealer login activity, and account manager performance data. The attackers offered stolen credentials—including usernames, employee names, email addresses, and password change logs—for sale on dark web forums. The intrusion exploited a Microsoft Exchange vulnerability, enabling persistent access for months, during which adversaries extracted password hashes via ADRecon, deployed PowerShell-based malware, and implanted web shells for continued network access. The company stated no customer data was breached and remediated the incident after external researchers alerted them, attributing the breach to an unpatched Exchange flaw.
Description
In July 2020, hackers breached Virgin Mobile KSA's office network, compromising its email system and an Active Directory domain controller. The attackers exfiltrated internal employee emails, reports on new customer activations, dealer login activity, account manager performance spreadsheets, and a list of over 1,000 employee accounts containing usernames, names, email addresses, and password change timestamps. Security researchers identified the stolen data being offered for sale on private dark web forums and alerted Virgin Mobile KSA, which secured its network by September 18, 2020. The company attributed the intrusion to an unpatched Microsoft Exchange vulnerability (CVE-2020-0688), which Microsoft had addressed with a February 11, 2020 patch. Timestamps indicated data theft occurred on July 7, suggesting attackers maintained network access for at least two months. Independent analysis by data breach expert Troy Hunt confirmed the stolen data's credibility based on attributes inaccessible outside Virgin Mobile KSA's private network. The company stated no customer data was compromised and emphasized its status as a mobile virtual network operator using Saudi Telecom Company's infrastructure, which was unaffected.

Attackers exploited CVE-2020-0688, a cryptographic key flaw in Microsoft Exchange, to gain initial access before moving laterally to compromise the Active Directory domain controller. They used the open-source tool ADRecon to extract Active Directory data encompassing 387 hosts, including Windows 10 Pro, Windows 7, and Windows Server 2008/2012 systems primarily used by office employees. The NTDS file containing NTLM and LM password hashes for all domain users was stolen, enabling potential credential cracking attempts. Attackers deployed PowerShell-based malware and planted a web shell within the Outlook Web Access directory to maintain persistent access. Forensic evidence linked one attacker IP address to activity previously associated with APT35 (Cobalt Gypsy/Charming Kitten), though investigators cautioned against definitive attribution based on a single indicator. The incident formed part of a broader regional campaign targeting Middle Eastern energy, government, technology, and financial entities, with attackers potentially monetizing excess data after achieving primary objectives. Virgin Mobile KSA conducted internal probes to identify residual vulnerabilities but declined to disclose specific breach timelines or detailed forensic findings.
