Cyber Incident Victim: AT&T

Date: Oct 2022

Location: United States of America

Summary

The telecommunications company AT&T was allegedly compromised by the Everest ransomware group, which claimed to sell access to its US corporate network and employed double extortion tactics involving both data theft and encryption. The threat actor, associated with Black-Byte operations, reportedly used compromised accounts and the Remote Desktop Protocol (RDP) for lateral movement. While the company acknowledged investigating the claims, it stated that no evidence of system compromise had been found, echoing its prior denials of similar data breach allegations involving user records.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On October 27, 2022, the Everest ransomware gang publicly claimed to have compromised AT&T’s corporate network in the United States. The group listed the telecommunications company on its leak site, offering to sell network access. Everest, which cybersecurity researchers associate with Black-Byte ransomware operations, allegedly obtained unauthorized entry into AT&T’s systems. The threat actor’s post coincided with heightened scrutiny of telecommunications providers following T-Mobile’s high-profile data breach earlier that month. AT&T acknowledged investigating the claims but stated it had found no evidence of system compromise at the time of the initial disclosure. This incident followed another unverified claim from the same period, where an actor advertised 70 million AT&T customer records for sale on dark web forums—an allegation the company previously denied by asserting the data did not originate from its infrastructure.


The Everest group employed compromised user credentials and remote desktop protocol (RDP) vulnerabilities for lateral movement within networks, according to analyses by the NCC Group. Their operational pattern centered on double extortion tactics involving both data exfiltration and system encryption. While Everest asserted possession of sensitive AT&T information, no specific datasets were publicly verified as exfiltrated during this incident. AT&T maintained its position that no compromise occurred, contrasting with the ransomware group’s claims. The telecommunications provider did not disclose technical details regarding detection methods, containment procedures, or potential operational impacts beyond its initial statement denying evidence of breach. Historical context shows recurring targeting of major telecom firms by ransomware collectives during this period, though AT&T’s public stance consistently disputed the validity of these particular breach assertions.
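As an added illustration of how a defender might look for the credential-plus-RDP lateral movement pattern attributed to Everest above (example code written for this entry, not AT&T's or NCC Group's, with constructed log lines): flag any account that opens RemoteInteractive logons (Windows event 4624, logon type 10) to several distinct hosts within a short window, which is what a stolen account hopping between machines over RDP tends to look like.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample records in a simplified Windows Security log export:
# "<timestamp> <event_id> <logon_type> <account> <target_host> <source_ip>".
# Logon type 10 = RemoteInteractive (RDP). All values are hypothetical.
SAMPLE_LOG = """\
2022-10-27T02:01:10Z 4624 10 CORP\\svc_backup WS-0142 10.20.3.15
2022-10-27T02:03:44Z 4624 10 CORP\\svc_backup FS-01 10.20.3.15
2022-10-27T02:05:02Z 4624 10 CORP\\svc_backup DC-02 10.20.3.15
2022-10-27T02:06:30Z 4624 10 CORP\\svc_backup WS-0190 10.20.3.15
2022-10-27T09:15:00Z 4624 10 CORP\\jdoe WS-0042 10.20.5.77
2022-10-27T09:40:12Z 4624 2 CORP\\jdoe WS-0042 -
2022-10-27T10:02:55Z 4624 10 CORP\\jdoe WS-0042 10.20.5.77
"""


def parse_log(text):
    """Parse the simplified export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, host, src = line.split()
        events.append({
            "ts": dt.datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "host": host,
            "src": src,
        })
    return events


def rdp_fanout(events, window=dt.timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for accounts with RDP logons to
    at least min_hosts distinct hosts inside any sliding window."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            by_account[e["account"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts
```

The thresholds are deliberately simple; in practice they would be tuned per environment and joined with the source IP so that a jump host used by administrators does not trip the rule.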

Sources: available to members (1 source)