
Hackers Advertise Stolen Verizon Push-to-Talk ‘Call Logs’

The breach does not appear to impact the main consumer Verizon network, and instead involves the company’s push-to-talk (PTT) product, marketed to public sector agencies and enterprises.
Verizon building.
Image: Leon Bredella.

This article was produced with support from the Capitol Forum.

Hackers have stolen data related to a specific part of telecommunications giant Verizon marketed to government agencies and first responders, and are advertising that data for sale on a Russian-language cybercrime forum, 404 Media has learned.

The breach does not appear to impact the main consumer Verizon network. The hackers broke into a third party provider and stole data on Verizon’s push-to-talk (PTT) systems, which are a separate product marketed towards public sector agencies, enterprises, and small businesses to communicate internally. The breach is not nearly as severe as some other recent hacks of AT&T or T-Mobile, but the news still presents a significant event for Verizon: the hackers are not state-sponsored but instead come from a community of mostly young cybercriminals which continues to compromise massive American tech and telecommunications companies, highlighting lax security practices by the telecoms.

“To be specific the data is from their PTT network which is used by corporations, government, first responders, and much more,” the person advertising the data, called cyberphantom, told 404 Media in an online chat. Cyberphantom said they were working with Waifu, who also uses the handle Judische, and who was responsible for some of the largest breaches in recent history, including AT&T and Ticketmaster.

Customers can use Verizon’s PTT services to talk to a single employee or groups of hundreds or thousands of people at once, according to Verizon’s website. Verizon describes the service as providing “secure mission critical communications.” Local and state governments have discussed using Verizon’s PTT system, including for Sheriff Deputies. Public federal procurement data also shows various government agencies, such as NASA and the Army, have paid for Verizon PTT tools, but those contracts are around ten years old. 

The hacked Verizon data has some similarity to that stolen in the AT&T breach earlier this year, but on a smaller scale. In the case of AT&T, hackers made off with call and text metadata belonging to “nearly all” of the telecom’s customers, AT&T announced in July.

404 Media viewed a recent post written by Cyberphantom on the Russian-language cybercrime forum XSS. The forum can typically only be accessed by those who have received approval by the site’s administrators. That post said the author was “Selling American Telecom Access (100B+ Revenue).” 

Do you know about any other breaches? Do you work on security for a telecom? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.

“Access includes several admin accounts with admin level rights, apis, several interconnected LAN servers (50+ critical infrastructure servers), and more. Data includes call logs, emails, phone numbers, addresses, names, and more. Current data amounts to over 900 GB. Revenue above 100b. Price: 200k USD minimum, negotiations are open, serious buyers only,” the post continued.

After hearing rumors of a Verizon breach over the past week, 404 Media asked Cyberphantom specifically if the data came from Verizon. Contacted over Telegram, Cyberphantom said Verizon was the victim telecom and added that the data came from the company’s PTT systems. Although Cyberphantom provided multiple samples of the data, they declined to share one that showed addresses and names, which were mentioned in the XSS forum post.

Judische, the hacker Cyberphantom says they worked with, corroborated a relationship between the two, and claimed they had hacked other companies with them too, such as critical infrastructure and telecoms. 

Judische is part of the broad criminal phenomenon known as the Com, short for Community. In Com, thousands of young English-speaking people on Telegram and Discord carry out cryptocurrency fraud and scams at the lower end and, at the higher end, hack massive multinational corporations. Members often first enter Com through communities on Minecraft or Roblox. These hackers sometimes turn to physical violence, including shootings, brickings, physical assaults, and kidnappings as a way to taunt, flex, or rob one another. Sometimes those threats extend to ordinary people working at companies who possess the necessary login credentials the hackers want.

Com sometimes overlaps with the cybercrime activity that security researchers call Scattered Spider, based on their distributed nature and increasing sophistication. Researchers have attributed the MGM Resorts hack in 2023 and other high-profile breaches to Scattered Spider, and a senior FBI official recently said Scattered Spider is considered a top-three cybersecurity threat, along with China and Russia.

Previously, Judische stole data by compromising accounts on Snowflake, a data warehousing tool that companies use to store massive amounts of data. Snowflake-associated victims include Ticketmaster, LendingTree, and Neiman Marcus, and Judische may have hacked around 165 companies that used the platform, according to cybersecurity firm Mandiant. After many of those breaches, Judische then attempted to extort the victim company, promising to delete the data if they paid a ransom. If they didn’t, Judische sometimes published the data online, as in the case of Ticketmaster. WIRED previously reported that AT&T paid the hacker $370,000.

In this case with Verizon, Cyberphantom said the hackers have not tried to extort the telecom. Instead, they are attempting to sell the data “to whoever wants it.”

“Verizon became aware that a third party provider of push to talk services was compromised by a threat actor. After reviewing the incident, we discovered that a narrow set of data elements from a relatively small number of Verizon customers had been exposed,” Richard J Young, a spokesperson for Verizon, told 404 Media in a statement.   

“There was no private or personal information released such as social security numbers, financial information, or names or addresses. We have since worked with the provider on enhancing security in the provider’s environment containing customer information,” he added.

Senator Ron Wyden told 404 Media in a statement that “Phone companies have proven they don’t care if their poor cybersecurity harms their customers or U.S. national security. They won’t start until the government actually holds phone companies—and their executives—responsible. Million dollar fines haven’t done anything to deter cybersecurity negligence by multibillion dollar companies.”

Earlier this month the Wall Street Journal reported that Chinese government hackers infiltrated Verizon and AT&T and may have gained access to information from the systems used to carry out court-approved wiretapping requests.
