A US soldier arrested last month has been linked to a data breach at the state-run telecom company BSNL, according to a report.
Last month, US federal authorities arrested Cameron John Wagenius for the alleged theft and sale of confidential telecommunication records. He allegedly carried out his cybercriminal activities on the darknet under the username ‘Kiberphant0m’.
Now, the Hindustan Times has reported that Wagenius is likely the same person behind the data breach at BSNL in May 2024.
Wagenius has claimed to have stolen sensitive customer call records, including those of outgoing US Vice President Kamala Harris and President-elect Donald Trump, by hacking into 15 telecommunication companies, according to cybersecurity news website KrebsOnSecurity.
What happened in BSNL data breach?
In May 2024, a threat actor known as ‘Kiberphant0m’ hacked into BSNL and stole a wide range of data, including critical information such as International Mobile Subscriber Identity (IMSI) numbers, SIM card details, PIN codes, and authentication keys, according to CNN-News 18.
The report from June 2024 said that the breach also involved theft of data from DP Cards, DP Security Key, and snapshots of BSNL’s SOLARIS servers.
The user ‘Kiberphant0m’ was selling the data on the darknet for around $5,000 at the time.
Cybersecurity firm Athenian Tech said in a report at the time: “The threat actor priced the compromised data at $5,000, offered as a special deal valid from 5/30/2024 to 5/31/2024. This pricing highlights the high value of the data due to its sensitivity and extensive scope. During conversations on a dark web platform, the threat actor discussed the potential misuse of this data for activities such as SIM cloning and extortion, illustrating the serious risks associated with its criminal exploitation.”
While the breach happened in May 2024 and was reported soon after in the media, the Union government acknowledged it in Parliament only in July 2024. In response to a parliamentary question, Minister of State (MoS) for Communication and Rural Development PC Sekhar said the Indian Computer Emergency Response Team (CERT-In) had reported a possible intrusion and data breach at BSNL on May 20, 2024.
In the brief statement, which avoided the specifics reported in the media and in the Athenian Tech report, Sekhar said that one file transfer protocol (FTP) server was found to hold data matching the sample data shared by CERT-In.
“No breach into Home Location Register (HLR) of Telecom Network has been reported by Equipment Manufacturer, hence no service outage in BSNL’s network. However, as a remedial measure to prevent such probable breach, BSNL has taken steps i.e. access passwords to all similar FTP servers have been changed and instructions to maintain air-gap for End Points have been issued,” said Sekhar in the statement.
What we know of the US soldier’s link to the BSNL breach
Wagenius, who is understood to be the cybercriminal ‘kiberphant0m’ on the darknet, stole around 278 GB of data in the BSNL breach, according to the Hindustan Times.
Wagenius posted details of the breach on the darknet and directed visitors to a Telegram account for discussions about the sale. HT reported that the Telegram account was ‘cyb3rph4nt0m’ and that it was last active on December 7.
The newspaper reported that while Indian users were aware of ‘kiberphant0m’, they were not aware of his arrest in the United States.
A senior Indian official told the newspaper on the condition of anonymity: “We knew about the kiberphant0m account and have been working on it. We didn’t know who was responsible for the account. Attribution is very difficult in cyber domain.”
Allison Nixon, the Chief Research Officer of Unit 221B, a US cybersecurity firm that helped catch kiberphant0m, confirmed to the newspaper that the soldier arrested in the United States was the same person as the cybercriminal who attacked BSNL.
Nixon, however, clarified that the attack on BSNL does not appear to be a state-sponsored attack.
Nixon said, “These large telcos are big targets and many different actors seek to target them with fraud or hacking. He is just part of a different group, and what they chose to do with the data is totally different from what the Salt Typhoon people chose to do.”
As for the course of action by Indian authorities, the newspaper reported that BSNL does not appear to have filed a first information report (FIR) in the matter.
Since sources indicated to the newspaper that neither BSNL nor the Department of Telecommunications filed an FIR, the options for seeking international cooperation are limited; those options open only once an FIR has been filed, said Aaron Kamath, head of the technology practice at Nishith Desai Associates.
Kamath told the newspaper, “Where the bad actor is beyond Indian shores, Indian law enforcement authorities, upon filing of an FIR, can initiate investigation, seek information and pursue action through international treaties, coordination with international agencies, or in cooperation with the foreign country’s law enforcement.”
US soldier linked to broader cybercriminal network
Wagenius is an associate of Connor Riley Moucka, a prolific cybercriminal from Canada who was arrested in October 2024, according to KrebsOnSecurity.
The outlet reported that Moucka stole data from dozens of companies that stored data at the cloud service Snowflake and extorted money from them.
Moucka told the outlet that he only stole the data and outsourced selling it to Wagenius and other cybercriminals.
Following Moucka’s arrest, Wagenius claimed on a darknet hacking forum that he had data from 15 telecom companies, including call logs for outgoing VP Harris and incoming President Trump.
Wagenius further said that he also had stolen content from the US National Security Agency (NSA).