Two Asia-based data centers used by some major global businesses were targeted in a series of cyberattacks that took place over the past three years, with threat actors stealing credentials of data center operators and login information used by their customers to access cloud services.
According to a report from cybersecurity company Resecurity, the attacks targeted Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres.
While GDS has confirmed that a customer support website was breached in 2021, it’s not clear how the hackers obtained the STT GDC (ST Telemedia Global Data Centres) data. The latter said it found no evidence that its customer service portal was compromised in 2021. Both companies said the stolen information posed no risk to customers’ IT systems or data.
Threat actors stole information from the data centers related to corporate helpdesk systems (customer service, ticket management and support portals), remote management services, and data center employee and customer email account credentials. Resecurity said the hackers used this data to dig deeper into systems and attempted to gain access to embedded server management services (Remote Hands Services) such as OpenBMC, FreeIPMI and iDRAC.
As reported by Bloomberg, nearly 2,000 customers of STT GDC and GDS were affected, including some of the world’s biggest companies like Alibaba, Amazon, Huawei, Baidu, Apple, Goldman Sachs, BMW, Bank of America, Bank of China, Bharti Airtel, ByteDance, Ford, Globe Telecom, Mastercard, Morgan Stanley, Paypal, Porsche, SoftBank, Telstra, Tencent, Verizon, Wells Fargo, and Walmart.
Threat actors have logged into the accounts of at least five of the targeted companies, including China’s main foreign exchange and debt trading platform and four others from India.
The hackers also stole credentials for GDS's network of more than 30,000 surveillance cameras, most of which relied on simple passwords such as “admin” or “admin12345,” as per Bloomberg.
Resecurity said that it discovered the data caches in September 2021 and found evidence that the hackers were using them to access accounts of STT GDC and GDS customers as recently as January 2023, when both data center operators forced customer password resets.
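The two failure modes the article describes, surveillance cameras protected by default passwords and customer accounts still usable with credentials leaked long before a forced reset, are both things a defender can audit from an inventory. The script below is an added example written for this article; it is not code from Resecurity, Bloomberg, or either data center operator. The device inventory, the default-password list, the leaked-credential hash set and the interface and network names are all constructed for illustration. It flags vendor-default passwords, structurally weak passwords, passwords whose SHA-256 hash matches a leaked-credential set (the trigger for a forced reset), and out-of-band management interfaces such as iDRAC or IPMI that are reachable from anywhere other than a dedicated management network.

```python
import hashlib
import re

# Constructed sample inventory for the example (not real devices or credentials).
INVENTORY = [
    {"device": "cam-lobby-01", "iface": "http-admin", "network": "corp",
     "user": "admin", "password": "admin"},
    {"device": "cam-dock-07", "iface": "http-admin", "network": "corp",
     "user": "admin", "password": "admin12345"},
    {"device": "srv-rack12-bmc", "iface": "idrac", "network": "internet",
     "user": "root", "password": "Winter2023!"},
    {"device": "srv-rack13-bmc", "iface": "ipmi", "network": "oob-mgmt",
     "user": "root", "password": "x9#Lq7!vR2bT$wE4"},
]

# Constructed list of vendor-default style passwords to reject outright.
DEFAULT_PASSWORDS = {"admin", "password", "admin12345", "12345", "root"}

# Interfaces that should only ever be reachable from the out-of-band
# management network (assumed name "oob-mgmt").
OOB_INTERFACES = {"idrac", "ipmi", "bmc"}

# Constructed stand-in for a leaked-credential feed: SHA-256 of each leaked
# password. In practice this set is built from the feed, never from plaintext.
LEAKED_HASHES = {
    hashlib.sha256(p.encode()).hexdigest() for p in ["Winter2023!", "admin12345"]
}


def is_weak(password: str) -> bool:
    """Heuristic weakness check: shorter than 12 characters or fewer than
    three of the four character classes (lower, upper, digit, symbol)."""
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return len(password) < 12 or classes < 3


def audit_device(entry: dict, leaked_hashes: set) -> list:
    """Return the list of findings for one inventory entry, in a fixed order."""
    findings = []
    pw = entry["password"]
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("default-password")
    if is_weak(pw):
        findings.append("weak-password")
    # Compare the hash, so the leaked set never needs to hold plaintext.
    if hashlib.sha256(pw.encode()).hexdigest() in leaked_hashes:
        findings.append("leaked-password")
    if entry["iface"] in OOB_INTERFACES and entry["network"] != "oob-mgmt":
        findings.append("management-exposed")
    return findings


def audit(inventory: list, leaked_hashes: set) -> dict:
    """Map each device name to its findings; an empty list means it passed."""
    return {e["device"]: audit_device(e, leaked_hashes) for e in inventory}


if __name__ == "__main__":
    for device, findings in audit(INVENTORY, LEAKED_HASHES).items():
        status = ", ".join(findings) if findings else "ok"
        print(f"{device:16} {status}")
```

In a real deployment the inventory would come from the asset database and the passwords from a vault, compared as hashes rather than carried in plaintext; the point of the example is the policy itself: a device fails if its credential is a vendor default, is structurally weak, or appears in a known leak, and a BMC or iDRAC fails regardless of password strength if it is reachable from outside the management network.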
“It is not clear how many independent actors were able to download the leaked data during this timeframe. Some fragments of this data have been also found in Telegram IM shared by various actors,” the researchers noted.
At this point, it’s not clear who was behind this campaign, but Resecurity said it hasn't identified any notable overlaps with known nation-state hacking groups.