Hackers calling themselves TeamHans have hacked the giant Canadian communications and media firm, Rogers, and dumped a lot of corporate proprietary data to prove it.
According to the hackers, who announced the hack on Twitter where they tweet as @TeamHans_, the dump includes:
- Contracts with corporate customers
- Sensitive corporate e-mails
- Sensitive documents regarding Rogers (corporate employee IDs, documents, etc.)
- The Rogers VPN, including an employee profile for it, which would provide access to their intranet
In an interview with DataBreaches.net, TeamHans members stated that they gained access on February 20 and continued to have access until today. They also described how they socially engineered a Rogers employee:
We went searching for a medium- level Rogers employee, and we ended up with Antonio Marino. We called Rogers IT Support desk and convinced the IT Specialist that we were employees at the company and we needed some assistance regarding another employee. She was more than happy to assist us, and asked us what we needed. We asked for an employee ID and his answers for his security questions. She gave them, we thanked her, and called back as Antonio Marino.
They asked what we needed, I said I forgot the password to my corporate Outlook account, he asked us two security questions (birthday and zipcode), which we answered correctly, and he then changed the password for us.
Upon signing into Marino’s Outlook, we forwarded all the emails to an email address, and we proceeded to download all the emails and include that with the release.
In poring through Marino’s e-mails, the hackers noticed something strange regarding a tool, they said:
So we did some digging and found out the tool was used for contracts (creating and viewing), so we went on the site http://rogerscontracttool.ca/ and signed in with the details our lovely friend at IT gave us. We then proceeded to download all of the contracts (which we also included in the dump). After that, we did some more skimming and realized something known as “IT Portal” from his emails. We went to that site, same details, and signed in. In there we managed to find the Rogers VPN with an employee profile, an employee copy of McAffe, and some other tools within it. So voila, we now have all of the contracts, all of the Rogers employee tools, as well as sensitive emails regarding the company.
TeamHans, which reportedly consists of three hackers, including @MarxistAttorney and ffx0, informed DataBreaches.net that their motivation was to get 70 bitcoins from Rogers in exchange for not revealing the hack or dumping the corporate information. When Rogers wouldn’t pay, they dumped the data. In response to a question from DataBreaches.net, they say that they have no fear of being arrested or charged. None of the members of the team are reportedly from Canada.
As of February 25, Rogers seemed to be aware that Marino’s e-mail had been hacked, as evidenced by this internal e-mail:
From: Iftequar Syed
Sent: Wednesday, February 25, 2015 9:42 AM
To: Marcus Elson
Cc: Michael Gibson
Subject: IN1076520 – Email has been hacked
Have this user at the IT Staging Window and apparently his email has been hacked and have received threatening emails concerning him and his family and he got a call to check his email.
Additionally when he called IT Support to open a ticket they created an IN107652 was opened and when IT Support’s email came to his mailbox he got another call from the hacker about this.
The ticket was assigned to the wrong queue assigned it currently to RCI-ISCF.
Needs immediate and Urgent attention, please contact the user Antonio Marino @ [Redacted by DataBreaches.net].
Thanks & Best Regards
In investigating the concerns about Marino, Rogers discovered the exfiltration of data, as a February 26th e-mail from Pavel Orlov, Incident Manager at Rogers, makes clear:
– There was nothing found going out to, or coming in from, the specified “ffx0” email address but there was other activity found when traces were run again *@openmailbox.org.
– A large number of Antonio’s corporate emails were forwarded to 2 suspicious looking email accounts on Feb 21st – [redacted by hackers] and [redacted by hackers] (146)
According to Orlov’s e-mail, in addition to Rogers’ investigation, the Halton Regional Police are investigating Marino’s reports of being hacked and threatened.
Asked if there was anything that they’d like to see included in this report, TeamHans replied, “Yes, Rogers need to fix their security and give their employees some form of training.”If what they described is accurate, I think we can all agree that the employees may need training or a refresher course on social engineering.
DataBreaches.net has e-mailed Rogers to request a response to the breach and will post an update if a response is received.
Update: see statement from Rogers here.