Regional telecommunications provider Cellcom has almost fully restored calling and text-messaging services for some customers in Wisconsin and Michigan after a cyberattack forced the company to take its network offline, leaving people with devices in SOS mode for several days.
Cellcom, a regional wireless service company with roots going back to the early 20th century, had to take down its network after detecting “unusual activity” on May 14. This resulted in its customers throughout northeastern Wisconsin and parts of Michigan, including in the Green Bay area, losing both calling and text-messaging capabilities on their devices for nearly a week before some services were restored on May 19.
On Tuesday, Cellcom, which is owned by Nsight, confirmed in a statement on its website that both inbound and outbound calling and text messaging were back to “performing well for most customers following recent restoration efforts.” However, the company acknowledged in the same statement that “some intermittent issues may still occur as systems continue to stabilize.”
Unspecified Cyberattack Cripples Network
Cellcom CEO Brighid Riordan addressed customers directly in a video posted on YouTube a week ago, once the company began to restore services, to explain the situation. Once officials became aware of the cyberattack, they informed authorities, including the FBI, and began an investigation that includes security experts and other partners, she said.
However, at that point, Riordan acknowledged that the company still didn’t “have a lot of facts” about what caused the incident, though so far there was no evidence that customers’ personal information was affected. That’s because the attack was concentrated on an area of Cellcom’s network separate from where it stores sensitive customer information, giving it “a high degree of confidence” that it was a service issue and not a data leak, according to a statement on the company’s website.
Riordan acknowledged customers’ frustration over the loss of their services and said that she also was “angry” about the attack, adding that the company is “doing everything we can” with experts and other partners to mitigate the effect on customers. Riordan also thanked them for their patience while the company works to resolve the situation and fully restore services.
Evidence Points to Potential DDoS Attack
Global telecommunications providers, including heavy-hitting US networks AT&T, T-Mobile, and Verizon, were the target of an attack spree by Chinese nation-state threat actor Salt Typhoon last fall as part of a wave of intrusions against telecom infrastructure on six continents in a two-month period. Indeed, telecommunications providers are often in the crosshairs of threat actors as part of consistent efforts to disrupt critical services and perform cyber espionage via their networks.
Though regional networks may not be on the list of those a state-sponsored threat actor might target, a remote OT/IoT device such as a compromised router could trigger a DDoS incident at any telecommunications provider whose network is connected to the device, observes Lawrence Pingree, vice president of network security platform provider Dispersive.
“These devices can join and participate in distributed broadband-based attacks that use tools like Slowloris, DDoS Ripper, CC-Attack, and other types of DDoS attack tools,” he says. “These tools don’t necessarily need to send a lot of traffic on a single-host basis. For example, if residential proxies are used, a simple query to their text/voice API could disrupt when duplicated across 20,000 breached residential proxies.”
This is one potential explanation for the Cellcom attack, and it would be challenging for any regional telecom provider to respond to because it requires “specialized services that monitor broad-based connectivity, rerouting of traffic, elimination of the load, etc.,” Pingree says.
In a DDoS attack, “attackers use every possible method to disrupt, and so even if one method is resolved, another could be used,” he observes. For this reason, organizations that can potentially be targeted by this type of attack should focus on preemptive cyber-defensive controls rather than merely detection and response strategies, Pingree says. This is especially critical in scenarios where service disruptions can create a loss of customer confidence and reputational damage.
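Pingree’s point that each participant in such an attack sends very little traffic is why per-source rate limits alone miss it. The following added example (not code from the article, Cellcom, or Dispersive) runs two detection rules over a constructed access log in an assumed “timestamp source_ip path” format: a per-source threshold that catches one noisy client, and an endpoint-level aggregate threshold with a distinct-source count that catches a distributed, low-rate burst against a single API path. The log format, paths and thresholds are assumptions.

```python
from collections import defaultdict

WINDOW = 60          # seconds per analysis bucket (assumed)
PER_IP_LIMIT = 10    # requests per source per window before that source is flagged
AGG_LIMIT = 40       # requests per endpoint per window before the endpoint is flagged
MIN_SOURCES = 20     # distinct sources needed to call an endpoint spike "distributed"


def parse_line(line):
    """Parse an assumed 'ts src_ip path' log line into (int ts, ip, path)."""
    ts, ip, path = line.split()
    return int(ts), ip, path


def analyze(lines, window=WINDOW):
    """Return (noisy_sources, endpoints_under_distributed_load) for the given log lines."""
    per_ip = defaultdict(int)    # (bucket, ip)   -> request count
    per_path = defaultdict(int)  # (bucket, path) -> request count
    sources = defaultdict(set)   # (bucket, path) -> distinct source IPs
    for line in lines:
        ts, ip, path = parse_line(line)
        bucket = ts // window
        per_ip[(bucket, ip)] += 1
        per_path[(bucket, path)] += 1
        sources[(bucket, path)].add(ip)
    # Rule 1: classic per-source throttle. Only fires on a single chatty client.
    noisy = sorted({ip for (_, ip), n in per_ip.items() if n > PER_IP_LIMIT})
    # Rule 2: aggregate per endpoint, and require many distinct sources so that
    # a single heavy client does not masquerade as a distributed attack.
    distributed = sorted({path for (b, path), n in per_path.items()
                          if n > AGG_LIMIT and len(sources[(b, path)]) >= MIN_SOURCES})
    return noisy, distributed


def build_sample():
    """Constructed log: one noisy client, one distributed low-rate burst, some background."""
    lines = []
    # Window 0: a single source sends 15 requests to /sms/send (per-IP rule fires).
    for i in range(15):
        lines.append(f"{i} 203.0.113.5 /sms/send")
    # Window 1: 30 sources each send only 2 requests to /voice/lookup. No source
    # exceeds PER_IP_LIMIT, but the endpoint sees 60 requests from 30 addresses.
    for s in range(30):
        for _ in range(2):
            lines.append(f"{60 + s} 198.51.100.{s + 1} /voice/lookup")
    lines.append("70 192.0.2.9 /sms/send")  # ordinary background request
    return lines


if __name__ == "__main__":
    print(analyze(build_sample()))  # (['203.0.113.5'], ['/voice/lookup'])
```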