Singtel-owned IT services provider Dialog hit by Windows ransomware
It appears to be raining data breaches at properties belonging to Singapore’s multinational telecommunications conglomerate Singtel, with the telco announcing on Monday that there had been an intrusion into its Australia-based IT services provider Dialog.
Security sources have told iTWire that the attack on Dialog was carried out using the Agenda ransomware that runs only on Windows systems.
This is the second breach in recent days to affect Singtel’s properties. On 22 September, Optus, Australia’s second biggest telco which is also owned by the Singapore firm, announced a massive breach that was initially said to affect nearly 10 million customers.
On Monday morning, data stolen from Singtel on 20 January last year, during an attack through a file-sharing system from Accellion that was close to end-of-life at the time, surfaced on a forum on the clear Web.
Among Dialog’s customers in Australia are the NSW Electoral Commission, the Department of Human Services, Queensland Health, Virgin Australia, NAB, Suncorp, Alfred Health, University of Tasmania, and Rio Tinto. The company was bought by Singtel in April for $325 million and employs more than a thousand IT specialists.
News of the Dialog breach surfaced in a story from British news agency Reuters on Monday. iTWire had inquired twice of Dialog — once last week and again on Monday morning — about a possible breach, but did not receive a reply.
The announcement on the dark web about the Dialog breach.
Dialog has no media contact addresses on its site, only a sales email address and a Web form for making contact.
The group behind the attack announced it on the dark web on 19 September.
Agenda is relatively new and was discovered by Japanese security firm Trend Micro. In a blog post about the malware on 25 August, researchers Mohamed Fahmy, Nathaniel Gregory Ragasa, Earle Maui Earnshaw, Bahaa Yamany, Jeffrey Francis Bonaobra and Jay Yaneza wrote:
“Our investigation revealed that the new ransomware in question targeted enterprises in Asia and Africa. Based on dark web posts by a user named ‘Qilin’ (who seems to be connected to the ransomware distributors) and through ransom notes, the ransomware is called ‘Agenda’.
“Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run. The samples of the ransomware that we collected were customised for each victim, and they included unique company IDs and leaked account details.
“All collected samples were 64-bit Windows PE (Portable Executable) files written in Go, and they were aimed at Windows-based systems.
“The group distributing the malware was targeting healthcare and education organisations in Indonesia, Saudi Arabia, South Africa, and Thailand. Every ransomware sample was customised for the intended victim.
“Our investigation showed that the samples had leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files.”
The Trend Micro team added: “We believe that Qilin (or the Agenda ransomware group) offers affiliates options to customise configurable binary payloads for each victim, including details such as company ID, RSA key, and processes and services to kill before the data encryption.
“Also, the ransom amount requested is different per company, ranging from US$50,000 (A$79,043) to US$800,000.”
Some of Dialog’s clients. Screenshot from the Dialog website
In a statement sent by Dialog at 5pm AEDT on Monday, the company said:
“The Dialog Group (Dialog) today confirmed that the company has experienced a cyber-security incident in which an unauthorised third party may have accessed company data, potentially affecting fewer than 20 clients and 1000 current Dialog employees as well as former employees.
“Dialog has notified the relevant authorities and is supporting those who may be impacted to protect against the risk of fraudulent activity.
“On Saturday 10 September 2022, Dialog detected unauthorised access on our servers, which were then shut down as a preventative measure. Within two business days, our servers were restored and fully operational.
“We contracted a leading cyber security specialist to work with our IT team to undertake a deep forensic investigation and continuous monitoring of the Dark Web. Our ongoing investigations showed no evidence of unauthorised downloading of data.
“On Friday 7 October 2022 we became aware that a very small sample of Dialog’s data, including some employee personal information, was published on the dark web.
“We are doing our utmost to address the situation and, as a precaution, we are actively engaging with potentially impacted stakeholders to share information, support and advice.”