Cyber Incident Victim: Tonga Communications Corporation
Date: Feb 2023
Location: Tonga
Summary
A state-owned telecommunications provider in Tonga was targeted in a ransomware attack claimed by the Medusa group, disrupting administrative systems without impacting core voice and internet services. The incident slowed customer-facing operations including new connections, billing, and support management, while the company collaborated with security firms to mitigate effects. The provider is the dominant telecom operator, controlling all fixed-line services and a majority of the broadband market alongside significant mobile operations. The compromise followed Medusa’s typical Ransomware-as-a-Service model exploiting Remote Desktop Protocol vulnerabilities. This attack mirrored recent ransomware disruptions affecting government infrastructure in other Pacific Island nations like Vanuatu and Guadeloupe, where critical public services including healthcare and law enforcement experienced prolonged outages.
Description
On February 13, 2023, Tonga Communications Corporation (TCC), a state-owned telecommunications provider serving approximately 100,000 residents across 171 Polynesian islands, publicly confirmed a ransomware attack impacting its systems. The company announced via Facebook that the incident resulted in the encryption and lockdown of portions of its administrative infrastructure, potentially delaying new customer connections, billing processes, and inquiry resolution. Core voice and internet services remained operational, preserving connectivity for most subscribers. TCC, which maintains a 70% market share in broadband and dial-up internet along with all fixed telephone lines and approximately half of mobile services through its UCall subsidiary, engaged external cybersecurity firms to mitigate the attack’s effects. The company emphasized business continuity despite operational disruptions affecting back-office functions, reflecting its role as one of only two telecom providers in the archipelago nation with over 300 employees managing critical communications infrastructure.

Cybersecurity analyst Dominic Alvieri attributed the attack to the Medusa ransomware group based on their public claim of responsibility. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had previously documented Medusa’s ransomware-as-a-service model, noting affiliates received 60% of ransom payments while operators retained the remainder. Historical attack patterns indicated exploitation of Remote Desktop Protocol (RDP) vulnerabilities for network infiltration, followed by system-wide encryption and placement of ransom instructions within affected directories. This incident followed other ransomware attacks against Pacific Island governments, including November 2022 disruptions in Guadeloupe and a prior attack on Vanuatu—located approximately two hours by air from Tonga—which paralyzed parliamentary operations, law enforcement systems, and healthcare infrastructure. The pattern underscored regional targeting of smaller island nations with limited cybersecurity resources, though TCC did not disclose whether ransom demands were received or paid during their remediation efforts.
