Asian Data Center Outsourcer Hacks Affect Fortune 500 FirmsAttackers Probed Data in Services Systems in Possible Cyberespionage Campaign
Threat actors actively targeting multinational clients of data center outsourcers and help desk providers in China and Singapore are posting stolen credentials for sale on data leak sites, and cybersecurity firm Resecurity says these actions could be part of a nation-state cyberespionage campaign.
Resecurity in January detected threat actors posting the stolen credentials on Breached.to, an underground forum believed to be the successor of the now-defunct RaidForums.
The threat actors gained initial access to several data center outsourcers' networks by exploiting vulnerabilities in applications and systems such as customer service portals, help desks or ticket management modules that integrate with other applications and systems commonly used to service their data center clients.
Resecurity observed the threat actors moving laterally inside compromised networks and exfiltrating a variety of records associated with their clients worldwide, including a significant number of Fortune 500 corporations.
In one such attack - on GDS Holdings, which provides data center colocation and managed services in China - threat actors extracted a list of CCTV cameras with associated video stream identifiers used to monitor data center environments, along with credentials associated with data center operators, IT staff and customers. The attackers used these credentials to obtain a list of purchased services and deployed equipment and collected data associated with client-side personnel who manage operations at the data center.
The threat actors also probed the data center's network for information about the Remote Hands Service feature that enables customer organizations to remotely manage and troubleshoot their servers. They also snared credentials, email addresses, cellphone and ID card data, possibly used for client verification, and compromised an internal email account used to register visitors. These data records gave the hackers precise information about the company's customers and the staff responsible for data center operations on the client side.
The threat actors also targeted ST Telemedia Global Data Centers, a data center firm headquartered in Singapore that offers data colocation, connectivity, hosting and cloud storage services. According to Resecurity, the actors presumably gained initial access through a compromised customer service portal or ticket management system and stole a customer database containing 1,210 records. Further attempts by the threat actors to probe the network were possibly detected and blocked by the company.
Possible Espionage Campaign?
Resecurity says its researchers started detecting attacks on data center companies in September 2021, and in January 2023 they observed further attempts to access customer portals of 10 different organizations, some of which were based in India. The firm believes the recent access attempts may be related to prior attacks in 2021 and found that some of the freshly targeted organizations previously had used the data centers for disaster recovery or active operations.
The threat actors on Jan. 28 published data stolen from data centers on RAMP, a dark web community frequented by initial access brokers and ransomware groups. Resecurity believes the data auction was trigger by the Chinese data center company performing a forced password change, making the hackers believe they had little time to monetize the stolen data, or that nation-state cyberespionage actors posted the data for sale to hide their true motives for stealing the data.
"We do believe that this information may be extremely valuable for cyberespionage and nation-state groups," Resecurity says.
Resecurity didn’t come across evidence of APT involvement in the campaign but said the targeted organizations are based in China, Taiwan, Singapore, Thailand, Vietnam, Brunei and Malaysia. These companies handle data for investment funds, biomedical research companies, technology vendors, e-commerce and online marketplaces.
Data Centers Deny Effect on Critical Operations
STT GDC, in a reply to a Bloomberg story about Resecurity's research, said that its data center environment was "fully operational and secure" and any purported stolen user credentials for its customer service portals did not pose risks to its data centers or customer IT systems or data.
"STT GDC's customer service portals are cloud-based SaaS applications hosted with third parties and have absolutely no logical or physical connection to our data center infrastructure or any customer IT equipment," STT GDC says in the statement about the Bloomberg article. "These applications are primarily used by customers to initiate a service request. By design, these customer service portals do not contain any personal or business-critical data."
GDS Holdings, the China-based data center company, says the cybersecurity incident did not affect its customers' IT operations. “The application which was targeted by hackers is limited in scope and information to noncritical service functions, such as making ticketing requests, scheduling physical delivery of equipment and reviewing maintenance reports.
"Requests made through the application typically require offline follow-up and confirmation. Given the basic nature of the application, the breach did not result in any threat to our customers' IT operations," it said.
Resecurity believes otherwise. The firm told Information Security Media Group that though a customer service portal has no physical connection with the data center, it obviously enables customers to manage their equipment, services and operations.
"Compromise of such a system allows the bad actors to collect critical information about key operators using that data center and possible additional information about them. The knowledge about the IT staff managing data center operations is one of the key targets for any experienced bad actors," Resecurity says.
The security firm said the threat does not directly affect data center security, but it did expose the identities of the end users - such as data center administrators, managers, technicians and other IT staff of numerous Fortune 500 companies. Threat actors tried to increase their chances of success by targeting help desk systems, ticket management and support portals, visitors' management systems, remote management and device monitoring solutions, server management software, and email accounts belonging to data center IT staff and their customers.
Resecurity expects the targeting of data centers and their customers to increase and advises network defenders to evaluate proper measures to mitigate attacks against IT and OT environments. "Data breaches related to supply chain cybersecurity remain significant to public interest due to the involvement of advanced threat actors, including nation-states and sophisticated cybercriminal and espionage groups," it says.
The firm also recommends that data center services firms inform each other of any possible cybersecurity incidents that may involve client accounts and related data.