Cyber Incident Victim: A1 Telekom

Date: Nov 2019

Location: Austria

Summary

A1 Telekom, Austria's largest ISP, experienced a malware breach initially detected weeks after infection, leading to a prolonged, months-long remediation effort as attackers manually expanded access within the network. The intruders compromised databases and executed queries to map internal systems, with conflicting reports on data exposure—the company asserted no sensitive customer information was accessed, while a whistleblower alleged extraction of specific customer details like phone numbers and locations. Attribution by the whistleblower pointed to a Chinese state-linked group targeting telecom providers, though the victim declined to confirm this. Following the attackers' removal, the company enforced password resets for all employees and servers.

Description

A1 Telekom Austria, the country's largest internet service provider, experienced a malware infection on its office network in November 2019. The company's security team detected the intrusion one month later in December but faced significant challenges in fully eradicating the threat. For the next six months, from December 2019 through May 2020, A1 engaged in an extended containment effort against persistent attackers who maintained manual control over compromised systems. The intruders leveraged their initial access to attempt lateral movement across A1's extensive infrastructure, which included more than 15,000 workstations, 12,000 servers, and thousands of applications. During this period, attackers successfully compromised certain databases and executed targeted queries designed to map the organization's complex network architecture. A1 officials stated the inherent complexity of their systems—particularly the intricate relationships between thousands of databases—hindered the attackers' ability to achieve broader network penetration.

The incident concluded on May 22, 2020, when A1 successfully expelled the threat actors from its environment. In response, the company implemented comprehensive credential resets for all 8,000+ employees and rotated passwords and access keys across all servers. While A1 maintained that no sensitive customer data was exfiltrated during the six-month compromise, a whistleblower contradicted this assertion by claiming attackers performed specific database queries targeting customer location data, phone numbers, and other private information, allegedly downloading "massive amounts" of customer records. Security researcher Christian Haschek reported the whistleblower attributed the attack to Gallium, a Chinese state-sponsored group identified by Microsoft as specializing in telecommunications sector intrusions. A1 declined to confirm or comment on this attribution assessment. The company's public statements emphasized the containment of the breach to office network systems rather than core telecommunications infrastructure.
