Singapore’s Singtel breached via 20-year-old file transfer system
Singapore’s largest telco, Singtel, has been the subject of a cyberattack earlier last week after hackers breached the company via its use of legacy third-party file-sharing system by Accellion that compromised user data.
The attack – which occurred on January 20 – was part of a wider global breach of File Transfer Appliance (FTA) file sharing-systems that had recently affected other organizations such as New Zealand’s central bank, the Australian Securities and Investments Commission and the Washington State Auditor’s Office in the U.S.
“Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks,” Singtel said in a statement.
While the telco noted that it is currently running an impact assessment on the extent of the compromised data, it declined to mention the details of the data compromised and how many customers were breached.
However, Singtel said it is contacting affected customers “at the earliest opportunity once we identify which files relevant to them were illegally accessed.”
It is worth mentioning that the breached third-party software Accellion FTA was used by the telco internally and external stakeholders and is currently over 20-years-old. This incident highlights the importance of adopting a modern, secure, and regularly updated file sharing platforms.
Initially, the first instance of a breach was reported by Accellion back on December 23, 2020, at which the company informed FTA users about a vulnerability within its system. In a statement by the company, it described its FTA product as a “20-year-old product near the end of its functionality,” and then announced that it suffered a “sophisticated cyberattack” which included exploiting a previously unknown vulnerability.
Singtel said it applied FTA patches from Accellion on December 24 and another one on the 27th. On January 23, Accellion said the December 27 patch was ineffective against a new vulnerability, and Singtel took the product offline.
Accellion put out another patch on January 30 but Singtel said it received an “anomaly alert” when applying it. The vendor said Singtel’s system could have been breached and the telco confirmed this occurred on January 20.
“Given the complexity of the investigations, it was only confirmed on Feb 9 that files were taken,” Singtel added.
The telco said the breach was an isolated incident involving the third-party system, and its core operations remained “unaffected and sound.” The telco has suspended use of FTA and is investigating with cybersecurity experts and the authorities, including the Cyber Security Agency of Singapore (CSA).
CSA’s expert team were quick to call on users of the FTA to disconnect from the service to perform checks over possible vulnerabilities, while advising users to check for updates, apply all necessary patches quickly, as well as keep an eye on their networks for suspicious activity.
To date, CSA has not received any breach reports from other Singapore organizations caused by the incident.
Singtel joins a number of other cyberattack victims that were hacked via Accellion, as it joins Australia-based medical research institute QIMR Berghofer, the Reserve Bank of New Zealand – Te Pūtea Matua, growing the vendor’s list of unhappy customers.
While the question begs itself as to why these companies are still using FTAs, Accellion told security news site BankInfoSecurity earlier that customers might be reluctant to switch because it meant moving data, which would entail changes to procedures and having to train workers on the new system.
The Singtel hacking was rather complex to trackback, so here’s a timeline of the events:
- December 23: Accellion first informs FTA users of a previously unknown vulnerability.
- December 24: Singtel installs patch from Accellion to plug the vulnerability.
- December 27: Singtel installs another available patch from Accellion.
- January 23: Accellion advisory cites a new vulnerability that the December 27 patch was not able to deal with. Singtel immediately takes the system offline.
- January 30: Singtel attempts to install a new patch to plug the new vulnerability but receives an anomaly alert. The system is kept offline, and investigations confirmed a January 20 breach.
- February 9: Singtel confirms file theft due to the breach.
- February 11: Singtel announces the FTA breach.