Swiss software company that supplies mobile phone providers worldwide hacked – consequences unclear

The ransomware gang 8Base is said to have stolen “a large amount of confidential information” from Nexus Telecom. The victim provides network monitoring software to providers around the world.
Daniel Schurter

Swiss software company Nexus Telecom has been hit by a hacker attack. The ransomware gang 8Base is threatening to publish stolen data on its blackmail and leak site on the dark web.

The cybercriminals claim that “a large amount of confidential information” has fallen into their hands.

In response to an inquiry from Watson, general manager Marco Rhyner confirmed on Wednesday that Nexus Telecom had been hit by a cyber attack. He cannot yet comment on the stolen data and the extent of the damage. Apparently the relevant investigations are still ongoing.

The cybercriminals are threatening to publish the stolen data within days.

What is special about the attacked company?

Nexus Telecom develops network monitoring software for the mobile industry. Customers include major providers in Europe, such as British Telecommunications (BT) and Deutsche Telekom, as well as providers abroad.

“For more than 20 years, our team has worked with some of the world’s most advanced public and private communications and application service providers.”

The company was founded in 1993 by IT entrepreneur and national politician Ruedi Noser, who served on the National Council and the Council of States for the Zurich FDP. In 2013, his company made headlines for selling surveillance software to autocratic Saudi Arabia.

Noser emphasized to NZZ at the time that the monitoring software his company sold abroad could not decrypt the content and was therefore not subject to approval.

In 2016, Nexus Telecom was sold to a foreign company, fell into financial turmoil and had to file for bankruptcy. The company was eventually taken over by the Swiss company Generis, based in Schaffhausen and also active in Beijing (China).

According to Generis’ website, the company’s assets were acquired together with the former core team of Nexus Telecom. 5G mobile communications and smart city applications are cited as the key business areas on which product development is focused.

Who are the attackers?

8Base is a ransomware group that has been active since March 2022, but only hit the news in the summer of 2023, when its level of activity ranked just behind that of the infamous LockBit gang.

Like other well-known ransomware gangs, 8Base operates a darknet website that can only be accessed via Tor, a freely available global anonymity network. The site lists hundreds of hacked companies, all of them victims who refused to pay a ransom to keep their stolen data from being made public.

What is striking about the victims: they do not include any companies or organizations from the Russian Federation or from states of the former Soviet Union. This would be typical of a gang of Russian origin.

The cybercriminals are considered opportunistic when it comes to their choice of victims and their attack tools: late last year, IT security researchers discovered that the 8Base hacker attacks used a variant of the Phobos ransomware.

Phobos is available to cybercriminals as Ransomware as a Service (RaaS). Those responsible for 8Base are probably not experienced programmers. Either way, not only are they using third-party attack tools, they have also botched the security of their own darknet site.

In September 2023, well-known IT security researcher and blogger Brian Krebs revealed that a 36-year-old programmer from the capital of Moldova likely wrote the code for the 8Base chat function, which is integrated into the darknet site and is used by the criminals and their victims.

In 2023, a linguistic analysis of 8Base’s (written) communication style revealed a striking similarity to another operation called “RansomHouse”.

The American cybersecurity authority HC3 stated the following about 8Base last November:

“Despite its aggressive portfolio of victims, the origins of the group and the identities of its operators remain a mystery. According to cybersecurity researchers, the speed and efficiency of the group’s current activities do not indicate the start of a new group, but rather the continuation of an established, experienced organization.”

Sources

  • hhs.gov: 8Base Ransomware (November 2023, PDF)
  • krebsonsecurity.com: Who is behind the 8Base Ransomware website? (September 2023)
  • blogs.vmware.com: 8Base Ransomware: A Powerful Player (June 2023)
  • nzz.ch: Surveillance Software for Saudi Arabia (2013)

Source: Watson

Published by
Ella
