Breach Response , Cybersecurity , Data Breach

Hackers Breach Canadian ISP Rogers

Data Theft Traces to Social Engineering Attack
Hackers Breach Canadian ISP Rogers

Canadian Internet service provider Rogers Communications has confirmed that information about the company and its customers was leaked after attackers successfully targeted one of its employees via a social engineering attack.

See Also: Hide & Sneak: Defeat Threat Actors Lurking within Your SSL Traffic

News of the purported attack first surfaced March 1, when a group calling itself TeamHans tweeted that Rogers had been "0wned by TeamHans." The tweet linked to a dump of allegedly stolen data - in a 456 MB Tar, a.k.a. "tarball," archive file - hosted on the "teamhans.tv" website. A whois search on that domain name reveals that it was first registered the same day.

A representative of TeamHans, reached via email, tells Information Security Media Group that the hackers released the data after an employee whom they had targeted for extortion refused to pay them the bitcoins they were demanding.

Toronto-based Rogers - one of Canada's largest ISPs, which also provides phone, wireless Internet, and movie- and TV-streaming services - did not respond to multiple requests for comment. But Rogers spokeswoman Patricia Trott confirmed to The Globe and Mail that a "third party" accessed a "single email address of one of our enterprise sales employees, who managed a small number of medium business accounts." The newspaper reports that the leaked data includes emails as well as contracts that appear to be related to between 50 and 70 medium-size businesses whose accounts were managed by the targeted Rogers employee.

Trott attributed the breach, which occurred the last week of February, to "human error (not system error)." She said the organizations whose information was leaked have been alerted, and unspecified "additional security procedures" put in place by the ISP. "As soon as we discovered the situation, we took all the necessary steps to secure our systems," she added, noting that all affected organizations are located in the Toronto area, and that the company is working with police to investigate the intrusion. She added that "no personal details" were exposed by the breach.

Employee Targeted for Extortion

The allegedly leaked data includes a copy of an email - organized into a folder called "emails you aren't supposed to see" - that is labeled as being a Rogers "incident summary," recounting how one of the company's employees "received an email stating that he and his family were being watch (sic) and would be murdered if they did not send 70 Bitcoins to a specific Bitcoin address," which was tied to an "openmailbox.org" account. At current market rates, 70 bitcoins is equivalent to about $19,000 U.S. dollars.

The "incident summary" report adds: "The email was followed by a telephone call to his corporate CTN. The caller was very specific and seems to have a great deal of info on [employee name] and his family. It should be noted that this information would be available on the family Facebook page." It says that the employee filed a police report about the incident; reset his Facebook, LinkedIn and Google passwords; and that all of his devices were seized by IT staff, his LAN password reset, and the employee issued with "a loaner laptop with no [Active Directory] profile to him to avoid any possible infection in his profile."

But the leaked Rogers breach report - which the company has not authenticated - says that "a large number of [the employee's] corporate emails were forwarded to 2 suspicious looking email accounts on Feb 21st - [redacted by hackers] and [redacted by hackers] (146)."

The leaked information also appears to include details of employees - including landline and cellphone numbers - at the breached businesses, as well as call records. Rogers didn't respond to a request for comment about how it determined no information exposed qualified as "personal."

TeamHans Responds

TeamHans tells the privacy blogger known as Dissent - who operates DataBreaches.net - that it's composed of three hackers - including @MarxistAttorney and ffx0 - and that it socially engineered - tricked - a member of the Rogers IT support team into giving it the employee ID and security questions for a mid-level Rogers employee. The hackers then called back, pretended to be the mid-level employee, and claimed to have forgotten their Outlook password. They say they then answered two security questions correctly - relating to the employee's birthday and ZIP code - and obtained the new password, which they used on Feb. 20 to forward all of the employee's email to an account that they controlled. The hackers say they had access to the employee's account until March 1.

Reached via the email address associated with the TeamHans Twitter account page, a representative of the hackers confirmed to ISMG that they did demand 70 bitcoins from the employee in question, threatening to make the hack public and release the stolen data if payment was not made. "Yes he was a victim of a failed extortion attempt, although I would like to mention that the amount demanded was a very low amount in regards to the classification of the documentation which had been retrieved from their systems," the representative said.

But the group disputes ever threatening the employee or his family. "We would never do something as stupid as that nor would we threaten it. We are hackers, not murderers," TeamHans told Dissent.

Tea Hans suggested via Twitter on March 2 that it's in possession of more stolen data obtained via the same "low-level hack": "Did you guys like that? We got a lot more coming." Via email, however, the attackers were more circumspect. "[The] majority of the data can be found in the tarball that was released via our social medium but I'm not saying that's all of it (maybe we still have access to their systems today, who ... knows?)."

While the Rogers hack might sound like a revenge story, TeamHans says its members are neither Canadian, nor made up of Rogers subscribers. "I can confirm that none of the members of TH involved in this particular ship wreck is from CA," the group's representative says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network