top of page

Cyberattacks hit data centers to steal information from global companies

A malicious campaign against data centers stole the access credentials of some of the world's biggest companies — including Amazon, Apple, Goldman Sachs, and Microsoft — according to reports.

Cyberattacks targeting multiple data centers in several regions globally have been observed over the past year and a half, resulting in exfiltration of information pertaining to some of the world's biggest companies and the publishing of access credentials on the dark web, according to cybersecurity company Resecurity.

"Malicious cyber activity targeting data center organizations creates a significant precedent in the context of supply chain cybersecurity," Resecurity said in a blog post. "Resecurity expects attackers to increase malicious cyber activity related to data centers and their customers."

Resecurity did not name the victims, but according to a separate report from Bloomberg, the cyberattacks stole data center credentials from major corporations including Alibaba, Amazon, Apple, BMW, Goldman Sachs, Huawei Technologies, Microsoft, and Walmart. Bloomberg said that it had reviewed Resecurity documents related to the malicious activity.

“Learning | Cyber Forensics |Cyber Security Executive Order | Network Security

Resecurity first warned data centers about a malicious campaign to target them in September 2021, with further updates about two other epsiodes during 2022 and January 2023. The goal of the activity was to steal sensitive data from enterprises and government organizations that are customers of the data centers, Resecurity said.

Customer records dumped on dark web

Most recently, credentials related to data center organizations and acquired during various episodes of the malicious campaign were published in the underground forum and detected by researchers Monday. Some fragments of that particular data cache have also been shared by various threat actors on Telegram.

Resecurity identified several actors on the dark web, potentially originating from Asia, who during the course of the campaign managed to access customer records and exfiltrate them from one or multiple databases related to specific applications and systems used by several data center organizations.

In at least one of the cases, initial access was likely gained via a vulnerable helpdesk or ticket management module that was integrated with other applications and systems, which allowed the threat actor to perform a lateral movement.

The threat actor was able to extract a list of CCTV cameras with associated video stream identifiers used to monitor data center environments, as well as credential information related to data center IT staff and customers, Resecurity said.

Once the credentials were collected, the actor performed active probing to collect information about representatives of the enterprise customers who manage operations at the data center, lists of purchased services, and deployed equipment.

Malicious activity targets client verification data

In September 2021, when the campaign was first observed by Resecurity researchers, the threat actor involved in that episode was able to collect various records from over 2,000 data center customers, according to Resecurity. These included credentials, e-mail, mobile phone, and ID card references, likely to be used for certain client verification mechanisms. (Around January 24, 2023, the affected organization required customers to change their passwords.)

The actor was also able to compromise one of the internal email accounts used to register visitors, which could then be used for cyberespionage or other malicious purposes, Resecurity said.

In the second observed instance of the campaign, in 2022, the actor was able to exfiltrate a customer database presumed to contain 1,210 records from a data center organization headquartered in Singapore.

The third episode of the malicious campaign, observed in January this year, involved an organization in the US that was a client of one of the previously impacted data centers. "The information about this episode remains limited compared to the 2 previous episodes, but Resecurity was able to collect several credentials used by the IT staff which granted access to the customer portal in another data center," Resecurity said.

Then on January 28, data stolen during the campaign was published for sale on an underground community on the dark web called Ramp, which is often used by initial access brokers and ransomware groups.

“The actor most likely realized his activity could be detected and the value of the data may drop over time, that's why the idea of immediate monetization was an expected step,” Resecurity said, adding that there may be other reasons for the data dump. “Such tactics are often used by nation-state actors to mask their activity, typically to blur the attack motive.”

Asian data centers reported to be hit

While Resecurity did not name the data center operators that were identified in the attack, Bloomberg reorterd that Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres are among the victim organizations.

GDS has acknowledged that a customer support website was breached in 2021, but said that there was no risk to clients IT systems or data, Bloomberg reported. ST Telemedia also said there was no risk to clients.

Organizations identified in the leaked data sets are financial institutions with a global presence as well as investment funds, biomedical research companies, technology vendors, e-commerce sites, cloud services, ISPs and content delivery network companies, according to Resecurity. The companies have headquarters in the US, UK, Canada, Australia, Switzerland, New Zealand, and China, according to the researchers.

Resecurity has not identified any known APT groups to be responsible for the attacks. The researchers note that it is possible the victims could be compromised by multiple, different actors.

Otherwise, the choice of RAMP as a marketplace to offer data offered some leads, Resecurity said. RAMP has added support for the Chinese language and welcomed Chinese-speaking hackers to join. “The majority of forum sections have Chinese translation, and it is there where we could identify multiple actors originating from China and countries based in South-East Asia,” Resecurity said.

Information about the malicious activity has been shared with the affected parties and national computer emergency response teams (CERTs) in China and Singapore. The research firm also shared information with US law enforcement as there was a significant amount of information related to major Fortune 500 corporations in the data sets.

By Apurva Venkat

Principal Correspondent, CSO

136 views0 comments


bottom of page