Secure AF - A Cybersecurity Podcast
Think like a hacker. Defend like a pro.
Welcome to the Secure AF Cybersecurity Podcast — your tactical edge in the ever-evolving cyber battlefield. Hosted by industry veterans including Donovan Farrow and Jonathan Kimmitt, this podcast dives deep into real-world infosec challenges, red team tactics, blue team strategies, and the latest tools shaping the cybersecurity landscape.
Whether you're a seasoned pentester, a SOC analyst, or just breaking into the field, you'll find actionable insights, expert interviews, and unfiltered discussions with Alias team members and top-tier guests from across the cybersecurity spectrum.
Stay sharp. Stay informed. Stay Secure AF.
🚨 The Telus Hack – ShinyHunters Strikes a Telecom Giant 🚨
A massive breach has shaken the telecom world.
In this episode of the #SOCBrief, we break down the alleged TELUS hack claimed by the ShinyHunters threat group, what data may have been stolen, and why the potential exfiltration of massive datasets could have far-reaching consequences for organizations worldwide. From OAuth tokens and API keys to customer PII and enterprise systems, we explore how attacks like this unfold and what organizations should be on the lookout for.
🎧 Tune in now at secureafpodcast.com
Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.
SPEAKER_00: Good morning, good afternoon, or good evening, whenever you may be, and welcome to another episode of the SOC Brief. This is your go-to podcast for staying ahead of the ever-evolving world of cybersecurity threats. I'm your host, Andrew, and today we're doing a deep dive into a major breach that's making some waves today, and that's the recent TELUS hack claimed by the ShinyHunters group. So to set the stage a little bit, TELUS is a massive Canadian telecom company, and they're one of the big three up north. They provide mobile, internet, TV and health services to millions of customers, plus enterprise solutions like cloud and cybersecurity for businesses. They're a big player in North American digital infrastructure, and they handle everything from customer data to critical communication networks. On the flip side, we have ShinyHunters, which is a threat actor group that's been active since 2020. They're known for some pretty high-profile data breaches and leaks. They're not your typical ransomware group. They tend to focus on stealing massive troves of sensitive info, think logins, PII, source code, things like that, and selling it or dumping it on the dark web for profit or just clout. They've hit AT&T, Ticketmaster, and Santander with exfils in the billions of records in the past. So joining me to discuss all this is my colleague Tanner. He is our principal security engineer here at Alias. Tanner, thanks for hopping on.
SPEAKER_01: Yeah, thanks for having me. Yeah, I think you pretty much hit the nail on the head with ShinyHunters. They're not as much of the typical attack-and-encrypt as a lot of the more old-school groups. They go for big targets, pretty big fish generally, and they're just data breach and extortion all the way. You know, compromise the companies, steal their database, sell it on forums, or pressure the victim with the data so they don't release it. We started seeing them back in 2020, and they came onto the attacker scene in a pretty big way. Like you mentioned a lot of the ones they had hit. Tokopedia was the first big one that I remember seeing. It was 90 million user records that were stolen. They hit, you know, Wattpad, Minted, Bonobos, Chatbooks, all kinds of giant ones. And it seemed like they were all linked back to their Salesforce environment. Or it was later thought that they had been using Salesforce as a platform to go through, which was novel to say the least. And like you said, the new TELUS breach is pretty alarming to me. I guess one thing to mention also, if you want to do more reading about ShinyHunters, Google Threat Intelligence has labeled them UNC6395, so you can find a lot of their stuff about that. So the TELUS hack is pretty wild to me. There is a ton of data stolen from that.
SPEAKER_00: They're claiming... I was just gonna say, let's talk about what we know about the breach so far. How much data have they claimed to have exfiltrated?
SPEAKER_01: So there is a torrent out there and it has a petabyte of data in a tar.gz. Whether some of that data is filler or it's all real, I don't think anybody's really had time to go through a petabyte yet, but people have confirmed there is legit data in it, through people who have allegedly downloaded and commented on it on forums. Personally, I don't know that I have the time to wait for a petabyte download or, you know, care to have that much PII; that's probably not legal to have. But it's quite a bit. I can tell you the things that they are claiming is in it. So they post snippets, right? So they post screenshots, sections, things like that. That's pretty common. That's clear, but as far as the actual full data, we don't really fully know. So they have employee full legal name, employee national ID and/or social security numbers, TELUS hashed passwords, API keys, and OAuth tokens, allegedly lots of them. Call record details, which I guess that was being kept, call metadata, HR records, telecom customer PII, such as first name, last name, and address for effectively all customers, Salesforce accounts, contacts, leads, and records, so anybody that they were working with on the sales side, financial records, including ACH routing numbers, GitHub repository access for 20 adjacent organizations. So 20 other companies have now had their source code breached that are not TELUS, because they had access to push to them. Customer and agent call records in waveforms. So they had lots of other, you know, probably kind of the same things that you have in any other call center, training data, things like that. 14,000-plus customer database instances, all containing PII. I don't know what that means. That could be extremely bad. I don't know why they have 14,000 customer databases, but that's a thing.
Glean TELUS background check files. So this is FBI, RCMP, and CISA background checks. So if you think about that, ShinyHunters now has access to background checks for a lot of people. That's probably not ideal for people who are known for extorting people. Yeah. Glean TELUS confidential reports on investigations, Glean TELUS confidential reports on tax filings. Just look for Glean. You'll see this. It goes on for a while. So it's 230 million companies across the globe that are affected by the breach from TELUS being breached.
SPEAKER_00: Man, that's a lot. And then a couple of the most critical things that you listed there, I think, like the OAuth tokens, how they can kind of use that just to move into other companies, possibly, or other environments.
SPEAKER_01: And that's the MO. Whenever they've breached things in the past, they've used it to pivot to other companies. And we already know they got source code of a bunch of other companies, they got databases of other companies, they have OAuth, they have API keys. So that's the biggest part to me as well. I completely agree on that. We don't know what's gonna come next from this, but I can assure you that it will be something. And if I was a member of a company in that, I would be concerned. But we also have to mention this is alleged, claimed data from a threat actor. We haven't seen this, so it's totally possible that anything outside of the screenshots that we have seen is just a fabricated lie. I have reason to believe it's not, but it could be.
SPEAKER_00: Yeah. Yeah, for sure. I mean, you know, all these groups like to chase clout, and having that much data stolen from you is absolutely wild. From a SOC perspective, my first thought is, how is that not seen? How is that not detected, right? Or were those alerts ignored? I just have so many questions on that, because that is a lot of data.
SPEAKER_01: I don't know how you could exfiltrate a petabyte of data and not get detected, unless they just did it slow for a really long time and they have a very high bandwidth going through. I mean, they're a telco, I'm sure it's a lot of bandwidth, but that's a lot of data. This is the biggest breach anyone's ever seen, if the data amount is true.
SPEAKER_00: Yeah, kind of curious on what that dwell time is gonna look like for them, you know, how long were they in there? Obviously, if they did exfiltrate that much data, they had to have hit a port with a lot of bandwidth, or, you know, maybe a lag somewhere, and just, you know, how long did it take? Was it hours? Was it days? Was it all in one shot? Was it over time? Yeah, just so many questions. It's super interesting, but definitely scary to think about, like, if they truly did get that much data, what all is in there and how they're going to utilize that to continue their attacks. Like you mentioned, that's ShinyHunters' MO. I mean, and that kind of brings us into how this could have transpired in the first place. Like, how did they get into TELUS? I think there were some alleged statements by ShinyHunters on how they did it. Are you familiar with that at all?
SPEAKER_01: Yeah, claims, right? And we're talking about, you know, claims going off crime forums at this point, but they've said in some comments that they were able to access the GCP credentials that were stolen during a prior breach. So again, talking about their... and it was Salesforce Drift. So they made it into their Google Cloud Platform at that point, and then just pivoted and moved laterally using their own systems and, you know, using things. It's known that they use TruffleHog, which is a tool that I also use on my red teaming side of things. Yeah, so lots of data they got from that.
SPEAKER_00: Yeah, absolutely. All right, man. Well, thanks for dropping in and providing all these details and the information. And just kind of a reminder for everyone listening, this ShinyHunters hack is just a reminder that data exfils can hit hard and they can hit fast, especially in critical sectors like telecom, and for companies that have a lot of reach within other environments and other companies, it can be especially brutal. Any closing thoughts for us, Tanner?
SPEAKER_01: I think we pretty much covered it all. Just keep an eye on the news if you are part of a large company that does business with TELUS.
SPEAKER_00: Yeah, absolutely. All right. That's a wrap for this episode of the SOC Brief. If anyone has questions or has their own experience with ShinyHunters, reach out to us, hit us up on social media or via our website. And as always, keep your eyes open, keep sharpening those skills, and we'll talk soon. Stay secure out there. Bye.