Singtel-owned IT service provider Dialog hit by Windows ransomware


Data breaches appear to be raining down on properties belonging to Singaporean multinational telecommunications conglomerate, Singtel, as the telecoms operator announced on Monday that there had been an intrusion into its Australia-based IT service provider, Dialog.

Security sources said iTWire that the attack on Dialog was carried out using Agenda ransomware which only works on Windows systems.

This is the second breach in recent days to affect Singtel properties. On September 22, Optus, Australia’s second-largest telecom operator, also owned by the Singaporean firm, announcement a massive breach that was originally expected to affect nearly 10 million customers.

Monday morning, data stolen from Singtel on January 20, during an attack via an Accellion file sharing system then at the end of its life, surfaced on a clear web forum.

Dialog’s customers in Australia include the NSW Electoral Commission, Department of Human Services, Queensland Health, Virgin Australia, NAB, Suncorp, Alfred Health, University of Tasmania and Rio Tinto. The company was acquired by Singtel in April for $325 million and employs more than a thousand IT professionals.

News of the Dialog breach surfaced in a story from the British Press Agency Reuters In Monday. iTWire had asked Dialog twice – once last week and again on Monday morning – about a possible breach, but received no response.

dialog canvas

The dark web announcement of Dialog’s breach.

Dialog has no media contact addresses on its site, only a sales email address and a web form to get in touch.

The group behind the attack announced it on the dark web on September 19.

Agenda is relatively new and was discovered by Japanese security company Trend Micro. In a blog post About the malware on August 25, researchers Mohamed Fahmy, Nathaniel Gregory Ragasa, Earle Maui Earnshaw, Bahaa Yamany, Jeffrey Francis Bonaobra, and Jay Yaneza wrote:

“Our investigation revealed that the new ransomware in question was targeting businesses in Asia and Africa. Based on dark web posts by a user named ‘Qilin’ (who appears to be connected to ransomware distributors) and by the Through ransom notes, the ransomware is called ‘Agenda’.

“Agenda can restart systems in Safe Mode, attempts to stop many server-specific processes and services, and has multiple execution modes. The ransomware samples we collected were customized for each victim, and they included unique corporate identifiers and disclosed account details.

“All samples collected were 64-bit Windows PE (Portable Executable) files written in Go, and they were intended for Windows systems.

“The group distributing the malware targeted health and education organizations in Indonesia, Saudi Arabia, South Africa and Thailand. Each ransomware sample was personalized for the intended victim.

“Our investigation showed that the samples contained leaked accounts, customer passwords and unique corporate identifiers used as encrypted file extensions.”

The Trend Micro team added, “We believe that Qilin (or the Agenda ransomware group) offers affiliates options to customize configurable binary payloads for each victim, including details such as company, RSA key, and processes and services to kill before data encryption. .

“Furthermore, the amount of the ransom demanded is different per company, ranging from US$50,000 (A$79,043) to US$800,000.”

dialog customers

Some Dialog customers. Screenshot of the Dialog website

In a statement sent by Dialog at 5 p.m. AEDT on Monday, the company said:

“Dialog Group (Dialog) today confirmed that the company experienced a cybersecurity incident in which an unauthorized third party may have accessed company data, potentially affecting fewer than 20 customers and 1,000 current Dialog employees. as well as former employees.

“Dialog has notified the relevant authorities and is supporting those who may be affected to protect against the risk of fraudulent activity.

“On Saturday September 10, 2022, Dialog detected unauthorized access to our servers, which were then shut down as a preventive measure. Within two working days, our servers were restored and fully operational.

“We have engaged a leading cybersecurity specialist to work with our IT team to undertake a thorough forensic investigation and ongoing monitoring of the Dark Web. Our ongoing investigations have shown no evidence of unauthorized downloading of data.

“On Friday, October 7, 2022, we learned that a very small sample of Dialog data, including some personal employee information, had been posted on the dark web.

“We are doing everything we can to deal with the situation and, as a precaution, we are actively engaging with potentially affected stakeholders to share information, support and advice.”


Comments are closed.