Two Asia-based data centers used by major global corporations were targeted in a series of cyberattacks first identified in 2021 and continuing as recently as January 2023. Data exfiltrated over the past three years included the credentials of those managing the data centers and the login information customers used to access cloud services hosted with the two data-center operators.
Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres were the targets of the attack, according to a recent report by Resecurity. In a Feb. 20 report published by Bloomberg, Resecurity researchers identified some of the data center customers impacted as Alibaba Group Holding, Amazon, Goldman Sachs Group and Walmart.
Exfiltrated from the data centers was data tied to corporate helpdesk systems (customer service, ticket management and support portals), remote management services, and data center employee and customer email account credentials. Researchers said adversaries used the data to dig deeper into systems and attempted to gain access to embedded server management services (Remote Hands Services) such as OpenBMC, FreeIPMI and iDRAC.
It’s unclear to what extent nearly a dozen of the Fortune 100 companies cited by Resecurity were impacted. The Bloomberg report indicated that most of the identified firms either said no damage was caused to customers, declined to comment or said additional safeguards were put in place after being made aware of the incidents.
Researchers compared the attacks to SolarWinds and Kaseya. “Threat actors continue to upgrade their tradecraft and tactics to a new sophisticated level — where data center organizations are becoming one of their major targets,” they wrote.
Data center customer records sold in hacker forums
Resecurity first notified data center operators in September 2021 when it discovered 2,000 data center customer records for sale on underground hacker forums. In one cited instance, threat actors were selling a “compromised Office 365 account related to the Institute of Nuclear Energy Research based in Taiwan.”
In 2022, researchers found evidence that threat actors were able to exfiltrate 1,210 additional records, acquiring them via illicit access to customer service portals, helpdesk and ticket management systems. Last month, an additional 10 organizations were still being targeted, researchers said.
“It is not clear if such access [tied to the 2023 incident] was possible simply because multiple customers didn't change their passwords after the incident in 2021, lack of awareness or response, or the episode may have been interpreted as ‘new’,” wrote researchers.
Who the attackers are is also unclear; based on postings on underground crime forums, researchers stated that the adversaries are potentially located somewhere in Asia.
“The majority of forum sections have Chinese translation, and it is there where we could identify multiple actors originating from China and countries based in South-East Asia,” researchers wrote.
Data culled from victims ended up on a variety of underground marketplaces that catered to ransomware cybercriminals.
“Malicious cyber activity targeting data center organizations creates a significant precedent in the context of supply chain cybersecurity,” Resecurity wrote. They urged security professionals to step up evaluation of, and speed up mitigation efforts tied to, both OT and IT supply chains.
“It’s also crucial to have a transparent communication with suppliers regarding possible cybersecurity incidents which may involve client accounts and related data,” they wrote.