Singapore data centre says no data loss discovered after report on hackers obtaining logins

SCOPE OF THE HACK

STT GDC and GDS are among the largest data centre operators in Asia. 

They rent space in their data centres to clients that install and manage their own IT equipment, typically to be closer to customers and business operations in Asia. GDS is among the top three colocation providers in China, the second-biggest market for the service in the world after the US, according to Synergy Research Group. Singapore ranks sixth.

Singapore Technologies Telemedia, the parent company of STT GDC, also holds a 40 per cent stake in GDS.

The information stolen from the firms could have allowed hackers to masquerade as authorised users on customer service websites, said Resecurity.

About 2,000 customers of STT GDC and GDS were affected, including some of the world’s biggest companies, according to Resecurity and Bloomberg.

The hackers had access to the login credentials for more than a year before posting them for sale on the dark web in January 2023, claiming they were overwhelmed by the volume, according to Resecurity and a screenshot of the posting reviewed by Bloomberg.

Resecurity said that it discovered the data caches in September 2021 and found evidence that the hackers were using them to access accounts of STT GDC and GDS customers as recently as January, when both data centre operators forced customer password resets.

STT GDC said that additional measures, including two-factor authentication, password resets and security hardening, were taken as a precaution.

“If there was any unauthorised access to these other customer portals, such access is no longer possible,” said the firm.

“Our data centres and services remain fully operational and secure. The purported cyber security threats to our customer service portals have not affected the operation of our data centres in any way.

“In any event, our critical infrastructure and the associated monitoring systems are completely segregated from all of these customer service applications.”

Even without valid passwords, the data still allows hackers to craft targeted phishing emails against people with high-level access to their companies’ networks, according to Resecurity.

STT GDC said that it could not comment on its affected customers, due to existing confidentiality provisions.

“IMMEDIATE ACTION” TAKEN

STT GDC said that in September 2021, it was notified that “a purported list of user credentials for one of our IT systems” was circulated on the dark web.

“Immediate action” was taken, said the firm, including conducting internal investigations and commissioning external cybersecurity providers.

“No unauthorised access or data loss relating to that IT system was observed, and the application remains secure to this day,” said STT GDC, adding that the IT system in question was a third-party customer service ticketing tool hosted in the cloud, with no connection to its other corporate systems or any critical data centre infrastructure.

Such applications are used by customers to initiate service requests like booking a delivery or requesting a cross connect.

“By design, these customer service portals have no connection to our operational data centres, are not considered business critical, nor do they contain any personal data or information.”

AN “ISOLATED EVENT”: GDS

As a result of the hack, hackers also stole credentials for GDS’s network of more than 30,000 surveillance cameras, most of which relied on simple passwords such as “admin” or “admin12345”, said Bloomberg.

When asked about the claim that hackers were still accessing accounts in January using the stolen credentials, a GDS representative told Bloomberg: “Recently, we detected multiple new attacks from hackers using the old account access information. We have used various technical tools to block these attacks. So far, we haven’t found any new successful break-in from hackers which is due to our system vulnerability.”

“As we are aware, one single customer didn’t reset one of their account passwords to this application which belonged to an ex-employee of theirs. That is the reason why we recently forced a password reset for all the users. We believe this is an isolated event. It is not a result of hackers breaking through our security system,” said the GDS spokesperson.

After STT GDC and GDS’s enforced password resets for customers in January 2023, Resecurity found the hackers posting the databases for sale on a dark web forum, in English and Chinese.