Data centre hacks affect Apple, Microsoft and more
Threatens physical access to equipment
Hackers have stolen login credentials at two major Asian datacentre firms, which some of the world's largest companies use to store their data.
According to cyber firm Resecurity - and first covered in Bloomberg - attackers breached customer support websites belonging to China's GDS Holdings and Singapore's ST Telemedia Global Data Centres (STT). They were able to uncover the emails and passwords belonging to about 2,000 customers, including Amazon, Apple, Microsoft, Walmart, Huawei, Alibaba, BMW and Goldman Sachs.
The hackers have so far logged into only five of the customer accounts, none belonging to major Western firms (all of which said the issue would have a limited impact on their operations, or none at all). Instead, the accessed accounts belong to China Foreign Exchange Trade System and four Indian firms: National Internet Exchange of India, MyLink Services, Skymax Broadband Services and Logix InfoSecurity.
An AWS spokesperson told Computing, "We can confirm that we have investigated and there is no impact to the security of our systems, services, or customers."
It isn't yet clear how the attackers managed to breach the support websites. GDS says one of its websites was breached in 2021, but STT could find no evidence of a breach at that time.
Both firms say customer information and IT systems are not at risk. However, Resecurity - and four affected US-based customers - said the stolen credentials represented an "unusual and serious" danger. That is because the support websites control who is physically allowed to access IT equipment in GDS' and STT's datacentres.
Michael Henry, former CIO of US datacentre operator Digital Realty Trust, called that scenario "A nightmare waiting to happen... If they can achieve that, they can potentially disrupt communications and commerce on a massive scale."
The incident highlights the risk of relying on third parties to house local data, although that is not always avoidable - particularly in China, where regulations require foreign companies to work with domestic partners.
A long time coming
Resecurity says the hackers held on to the stolen login credentials for more than a year before posting them for sale on the dark web for $175,000. They were "overwhelmed" with the size of the data dump, however, and apparently made it all available for free this week after GDS and STT forced customer password resets in January.
However, even without being able to log in directly, the stolen information could still be valuable - for example, to target phishing emails at people the threat actors know have high-level access to company networks.
GDS says it fixed the vulnerability the hackers used in 2021:
"The application...is limited in scope and information to non-critical service functions, such as making ticketing requests, scheduling physical delivery of equipment and reviewing maintenance reports. Requests made through the application typically require offline follow up and confirmation. Given the basic nature of the application, the breach did not result in any threat to our customers' IT operations."
For its part, STT said the credentials Resecurity had seen were "a partial and outdated list of user credentials for our customer ticketing applications. Any such data is now invalid and does not pose a security risk going forward."
Resecurity has not yet attributed the attack to a particular hacking group, but has warned that it may not be the work of profit-driven criminals at all, but of a group concealing its identity.
"Such tactics are often used by nation-state actors to mask their activity, typically to blur the attack motive."