Inside the Platform Networks hacking attack

By Andrew Collins
Monday, 01 August, 2011


Telecommunications wholesaler Platform Networks last week revealed that it had been on the receiving end of a six-month-long hacking attack. In a climate where businesses are regularly hacked and hide the details for as long as possible, Platform took the rare step of coming forward with the information that they’d been hacked, and involving the Australian Federal Police (AFP).

Investigations by the company and by the AFP culminated in last week’s arrest of David Cecil, an unemployed truck driver from Cowra, who police allege is responsible for the attacks on Platform Networks, and other targets.

The news created a stir in the Australian telecoms and mainstream media, thanks to Platform’s affiliation with the National Broadband Network (NBN); as a telco wholesaler, Platform plans to offer NBN access to small to medium ISPs and telcos.

But while some reported that the attack was actually an assault on the NBN itself, NBN Co took great pains to point out that Platform had not even connected services to the NBN when it was attacked.

David Hooton, Managing Director, Platform Networks.

David Hooton, Platform Networks’ Managing Director, said in a letter to Platform customers last week that the attack “was not focused on either Platform Networks or any of its customers specifically”.

But if Platform wasn’t the focus of the attack, who or what was? We spoke to Hooton in order to shed a little light on the hacker’s intended target, and other matters relating to the attack.

According to Hooton, there was no specific target. Like a gunman firing into a crowd, the attacker took aim at the entire internet, and Platform Networks was the unfortunate recipient of the bullet.

“This kind of stuff is normally started by someone running port scans and vulnerability scans across the entire internet. They find a web script or something or other […] which they can actually compromise or use to do whatever they want to do,” Hooton says.

“In this instance, the reason that we’ve been involved has been not because this person has seen us as being a soft target, and bombarded us specifically. It would be because in this event, we were part of a greater scanning of what could only really be described as pretty much the entire internet,” he says.

Hooton says that Platform was merely a “bystander” who happened to get wind of some form of malicious activity and who then took the opportunity to observe an unsuspecting hacker at work.

Keeping a close eye

The story starts in December 2010, when Platform noticed an anomalous pattern of traffic on its servers.

In a high-volume hosting environment, such patterns of network traffic are not uncommon, Hooton says. At times, these fluctuations are merely the work of a buggy script on a web server or a virus. But sometimes, they are ripples left in the wake of a malicious interloper.

“From our perspective, it took quite a long time to establish whether that was or wasn’t that kind of traffic we were seeing,” Hooton says.

And as soon as equipment became compromised, Platform was “immediately” aware, he says.

According to Hooton, the company took the machines that were affected by that traffic and “sandboxed them off into a secure area on the network, so that we could monitor them very closely and collect evidence”.
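The process Hooton describes in this section (notice a traffic pattern that stands out, decide whether it is noise or an intruder, then move the affected machines somewhere they can be watched and evidence gathered) can be sketched in code. The following is an added illustration, not Platform Networks’ tooling or anything from the AFP case: the flow records, host names, thresholds and the quarantine rule format are all constructed assumptions. It profiles each internal host’s connection fan-out, flags hosts far above the population median (the kind of many-hosts-many-ports pattern that distinguishes a scanner from a busy web server), and emits an ordered rule set that isolates a flagged host while keeping it observable.

```python
"""Baseline-and-deviation triage over connection logs, followed by a
quarantine decision that keeps the suspect host observable.

Everything here is constructed for illustration: the flow records, the
host names and the cut-offs are assumptions, not data from the incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    src: str    # internal host that opened the connection
    dst: str    # remote address it connected to
    dport: int  # destination port


# Constructed sample: three hosts behave like ordinary servers, one fans
# out to many addresses on several ports, which is what scanning looks like.
FLOWS = [
    *[Flow("web-01", f"203.0.113.{i}", 443) for i in range(1, 9)],
    *[Flow("web-02", f"203.0.113.{i}", 443) for i in range(1, 7)],
    *[Flow("mail-01", f"198.51.100.{i}", 25) for i in range(1, 6)],
    *[Flow("host-17", f"192.0.2.{i}", p)
      for i in range(1, 41) for p in (22, 80, 443, 8080)],
]


def profile(flows):
    """Per-source fan-out: (distinct destinations, distinct ports)."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for f in flows:
        dsts[f.src].add(f.dst)
        ports[f.src].add(f.dport)
    return {h: (len(dsts[h]), len(ports[h])) for h in dsts}


def triage(flows, factor=5.0, min_hosts=20):
    """Flag sources whose destination fan-out is far above the population
    median. Returns {host: reason}. `factor` and `min_hosts` are assumed
    cut-offs; tune them against your own baseline."""
    prof = profile(flows)
    if len(prof) < 2:
        return {}  # no population to compare against
    med_dst = median(d for d, _ in prof.values())
    flagged = {}
    for host, (n_dst, n_port) in prof.items():
        if n_dst >= max(min_hosts, factor * med_dst):
            flagged[host] = (f"{n_dst} distinct destinations on {n_port} ports "
                             f"(population median {med_dst:g})")
    return flagged


def quarantine_plan(host, forensics="forensics.internal"):
    """Ordered rule set (action, src, dst, rationale) that sandboxes a host:
    log everything it attempts, let only the investigators' box reach it,
    and block all other traffic in both directions. First match wins."""
    return [
        ("log",   host,      "any", "record every connection attempt as evidence"),
        ("allow", forensics, host,  "investigators' access to the suspect host"),
        ("deny",  host,      "any", "no further outbound from the suspect host"),
        ("deny",  "any",     host,  "no inbound except the forensics host above"),
    ]


if __name__ == "__main__":
    for host, reason in triage(FLOWS).items():
        print(f"{host}: {reason}")
        for rule in quarantine_plan(host):
            print("   ", *rule)
```

The median comparison is deliberately crude: it answers Hooton’s first question (is this traffic unusual for this environment?) and nothing more. Whether an outlier is a buggy script or an intruder still needs a human looking at the logged connections, which is why the plan logs before it denies.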

And it seems no customer data was affected.

“The AFP themselves have made a statement specifically stating that there has been no corporate, confidential or customer information that has been in any way compromised,” Hooton says.

As far as specifics go, Platform can’t divulge too many details, due to the ongoing nature of the AFP case against the alleged hacker. But, Hooton does explain what the company normally does in a case such as this.

“We’ll go in and investigate, work out why we’re seeing that traffic. If anything actually happens to the server, we’ve got disaster recovery systems, and also internal security audits which we perform on a very regular basis, that actually flag that for us,” he says.

A matter of disclosure

This story is striking for a number of reasons, but principally for the fact that Platform engaged with the authorities once it realised one of its systems had been compromised, rather than hide that information away from the eyes of the public.

“We take a fairly passive approach to this kind of thing, first and foremost to make sure that we can work out specifically what the [activity] is, what impact it has to us and to others. And then we basically create a case internally - we sit and monitor and watch and gather information that allows us to act appropriately,” Hooton says.

In some cases, the result of this monitoring is just a call to a customer to inform them they have a rogue web script on a web server or some equipment that needs some attention.

But in this instance, Hooton says, “Our investigations led us to believe that the number of people being affected by this particular incident, and the severity of the effect that it has had on the other people, were large enough for us to work with law enforcement. The appropriate action was for us to work with the AFP.”

As to any suggestion that the hacker behind the Platform attack is the same person who perpetrated the attack that brought Distribute.IT to its knees, Hooton says he can’t comment.

More details to come

Platform has promised a detailed report - a “case study” - on the attempted hack and the company’s subsequent defence.

“We’re looking at it as a ‘best practices discussion document’, more than anything,” Hooton says.

And while the company doesn’t intend it to be the definitive document on securing your network - “nobody really truly is a security expert,” Hooton notes - Platform hopes that the report may help other businesses defend themselves from a similar attack.

“[We’re] providing some very basic simple things that we believe, if other businesses were able to do, would assist them in being able to see similar results to what we’ve had,” Hooton says.

Hooton is unable to give a timeline on the release of the document, due to “external factors” - presumably the AFP’s ongoing investigation into the incident, which may result in more charges being laid, on top of the 49 already brought against the alleged hacker.
