RansomHub Ransomware Hits Timor Telecom, Exfiltrates 18GB Data
RansomHub Ransomware Attack on Timor Telecom
Timor Telecom, the primary telecommunications provider in Timor-Leste, has recently fallen victim to a ransomware attack orchestrated by the RansomHub group. The cybercriminals claim to have exfiltrated 18 GB of sensitive data, marking a significant breach in the company's cybersecurity defenses.
About Timor Telecom
Established in 2002, Timor Telecom, S.A. (TT) is headquartered in Dili and serves as the main telecommunications operator in Timor-Leste. The company offers a range of fixed and mobile services, covering approximately 92% of the population with GSM mobile services. Despite its extensive reach, the company has faced challenges, particularly in providing affordable and reliable internet services, which are primarily delivered through mobile data due to the high costs of fixed-line broadband.
Company Size and Market Position
Timor Telecom employs between 201 and 500 people and has a customer base exceeding 600,000 subscribers. The company was initially formed as part of a consortium led by Portugal Telecom and has played a crucial role in rebuilding the telecommunications infrastructure in Timor-Leste following the 1999 independence crisis. Timor Telecom's significant market presence and its role in the nation's connectivity make it a standout player in the telecommunications sector.
Vulnerabilities and Attack Overview
The attack on Timor Telecom underscores the vulnerabilities inherent in critical infrastructure sectors. The company's reliance on satellite communications for internet services, coupled with the high costs and slow response times, may have contributed to its susceptibility to cyber threats. The RansomHub group, known for its aggressive and adaptable ransomware-as-a-service (RaaS) model, exploited these vulnerabilities to infiltrate Timor Telecom's systems.
About RansomHub
RansomHub emerged as a prominent RaaS group in early 2024, quickly establishing itself through a combination of double extortion tactics and a highly efficient affiliate model. The group targets high-value sectors, including healthcare, financial services, and government, leveraging advanced data exfiltration techniques and fast encryption processes. RansomHub affiliates typically use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access to their targets.
Penetration Methods
RansomHub's penetration into Timor Telecom's systems likely involved exploiting unpatched vulnerabilities and employing phishing tactics. The group's ransomware is optimized for cross-platform systems, including Windows, Linux, and ESXi, and uses Curve25519 elliptic curve encryption to secure unique keys per victim. This sophisticated approach allows RansomHub to execute multi-phase attacks, including network reconnaissance, privilege escalation, and data exfiltration, before encrypting files.