Full Report
U.S. telecommunications giant Charter Communications has confirmed it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. [...]
Analysis Summary
# Incident Report: Charter Communications Data Breach (ShinyHunters)
## Executive Summary
U.S. telecommunications giant Charter Communications (Spectrum) confirmed a data breach following an extortion threat by the "ShinyHunters" group. The attackers used a voice-phishing (vishing) call to take over an employee's corporate single sign-on (SSO) account and, through that identity, exfiltrated millions of customer records from a Salesforce instance federated with it. The threat actors claim to have stolen 40 million records; Charter maintains that no sensitive personal information or customer proprietary network information (CPNI) was compromised, although the contact details the attackers describe are still personal data.
## Incident Details
- **Discovery Date:** Late May 2024 (Public confirmation May 26, 2024)
- **Incident Date:** April 1, 2024
- **Affected Organization:** Charter Communications (Spectrum)
- **Sector:** Telecommunications / ISP
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** April 1, 2024
- **Vector:** Voice Phishing (Vishing)
- **Details:** Threat actors socially engineered an employee over the phone and obtained their Microsoft Entra ID (formerly Azure AD) credentials. Because that account is the employee's SSO identity, the credentials also unlocked every SaaS application federated with the tenant.
### Lateral Movement
- **Details:** Using the compromised SSO identity, the attackers pivoted from the identity provider to the third-party SaaS applications integrated with it. No network-level lateral movement was needed: Entra ID issues the authentication assertions those applications trust, so a valid Entra session is a valid session everywhere it is federated.
### Data Exfiltration/Impact
- **Details:** Attackers accessed the company's Salesforce instance. They claim to have exported 40 million records, including customer names, email addresses, physical addresses, phone numbers, and support ticket data.
### Detection & Response
- **Discovery:** The public reporting does not state how the intrusion was first detected. Plausible triggers are the threat actor's listing of Charter on its data leak site or internal alerting on abnormal Salesforce export volumes.
- **Response Actions:** Charter initiated security protocols, engaged law enforcement, and issued a public statement clarifying the categories of data compromised.
## Attack Methodology
- **Initial Access:** Vishing (Social Engineering).
- **Persistence:** Possession of valid Microsoft Entra SSO session/credentials.
- **Privilege Escalation:** Not explicitly stated, though SSO access provided immediate access to high-value SaaS data.
- **Defense Evasion:** Use of legitimate credentials to bypass traditional perimeter security.
- **Credential Access:** Credential harvesting via vishing.
- **Discovery:** Enumeration of connected SaaS applications (Salesforce).
- **Lateral Movement:** Pivot from Entra ID to Salesforce via SSO integration.
- **Collection:** Bulk export of customer records from Salesforce.
- **Exfiltration:** Export of the collected records out of Salesforce to attacker-controlled storage; the channel used (report export, API, or a connected application) was not disclosed.
- **Impact:** Extortion/Ransom demand through public data leak site listing.
## Impact Assessment
- **Financial:** Possible ransom demand; costs associated with investigation and regulatory notification.
- **Data Breach:** Threat actor claims 40 million records. Charter disputes the sensitivity of the data, but the records are confirmed to include customer contact information.
- **Operational:** Minimal disruption to primary telecommunications services; significant impact on security and compliance operations.
- **Reputational:** High; involvement of a high-profile extortion group targeting one of the largest US broadband providers.
## Indicators of Compromise
- **Behavioral Indicators:** Sign-ins to Microsoft Entra accounts from locations or networks outside the user's baseline; Salesforce report or API exports whose row counts far exceed the user's normal volume; OAuth consents, refresh tokens or connected apps newly associated with the compromised identity.
## Response Actions
- **Containment:** Secured the compromised Microsoft Entra account.
- **Eradication:** Investigation into OAuth tokens and secondary access points within SaaS integrations.
- **Recovery:** Reviewing and auditing access logs; alerting appropriate legal and regulatory authorities.
## Lessons Learned
- **SSO as a Single Point of Failure:** While SSO improves UX, a single compromised identity can grant access to numerous critical platforms (Salesforce, Slack, etc.).
- **Vishing Efficacy:** Sophisticated social engineering remains a highly successful bypass for technical controls.
- **SaaS Governance:** Organizations often lack granular visibility into what data is being exported from third-party SaaS tools compared to internal file servers.
## Recommendations
- **Identity Security:** Require phishing-resistant MFA (FIDO2/WebAuthn passkeys) for SSO accounts; a password plus a one-time code read out over the phone is exactly what vishing harvests. Apply the same strength to account recovery and help-desk password-reset flows, which are the usual fallback for a vishing caller who cannot beat the primary factor.
- **Security Awareness:** Conduct specific training for employees regarding vishing and "IT Help Desk" impersonation tactics.
- **SaaS Monitoring:** Deploy CASB or SSPM tooling, or Salesforce's native Event Monitoring and Transaction Security policies, to alert on (or block) report and Bulk API exports above a per-user row threshold and on unusual API call patterns.
- **Principle of Least Privilege:** Strictly limit which users hold the permissions that enable bulk export from CRM and customer databases (in Salesforce, for example, "Export Reports", "API Enabled" and Bulk API access), and review those grants regularly.
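The following is an added example illustrating the behavioral indicators listed under Indicators of Compromise (an Entra sign-in from outside a user's baseline followed by bulk Salesforce exports) and the SaaS-monitoring recommendation above. It is not Charter's, Microsoft's or Salesforce's detection code; the record fields (`ts`, `user`, `country`, `event`, `rows`), the event type names, the thresholds and the log rows themselves are constructed assumptions for this sketch.

```python
"""Detection sketch: out-of-baseline Entra ID sign-ins correlated with bulk
Salesforce exports by the same identity.  Added example, not vendor code;
record shapes, event names and thresholds are simplified assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Countries each user normally signs in from.  Constructed for this example;
# in practice derive it from 30-90 days of sign-in history.
BASELINE_COUNTRIES = {
    "j.doe@example.com": {"US"},
    "a.smith@example.com": {"US", "CA"},
    "k.lee@example.com": {"US"},
}

# Constructed Entra ID sign-in records (real logs carry far more fields).
SIGNINS = [
    {"ts": "2024-04-01T13:02:00Z", "user": "a.smith@example.com", "country": "CA", "ip": "198.51.100.20"},
    {"ts": "2024-04-01T13:20:00Z", "user": "j.doe@example.com",   "country": "NL", "ip": "203.0.113.7"},
    {"ts": "2024-04-01T15:40:00Z", "user": "k.lee@example.com",   "country": "BR", "ip": "192.0.2.44"},
]

# Constructed Salesforce Event Monitoring rows; 'rows' is the row count that
# event exported.  Event names resemble Salesforce event types but are assumptions.
SF_EVENTS = [
    {"ts": "2024-04-01T09:10:00Z", "user": "a.smith@example.com", "event": "ReportExport", "rows": 1500},
    {"ts": "2024-04-01T13:31:00Z", "user": "j.doe@example.com",   "event": "ReportExport", "rows": 250000},
    {"ts": "2024-04-01T13:44:00Z", "user": "j.doe@example.com",   "event": "BulkApi",      "rows": 900000},
    {"ts": "2024-04-01T14:05:00Z", "user": "j.doe@example.com",   "event": "BulkApi",      "rows": 1200000},
    {"ts": "2024-04-01T16:10:00Z", "user": "a.smith@example.com", "event": "ReportExport", "rows": 2000},
]

EXPORT_EVENT_TYPES = {"ReportExport", "BulkApi", "API"}
EXPORT_ROW_THRESHOLD = 100_000           # rows per user per rolling hour; tune to the org
EXPORT_WINDOW = timedelta(hours=1)
CORRELATION_WINDOW = timedelta(hours=6)  # odd sign-in this long before an export escalates it


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unusual_signins(signins, baseline):
    """Sign-ins from a country outside the user's baseline (unknown users always match)."""
    return [e for e in signins if e["country"] not in baseline.get(e["user"], set())]


def bulk_exports(events, threshold=EXPORT_ROW_THRESHOLD, window=EXPORT_WINDOW):
    """Map user -> (time the threshold was first crossed, peak rolling-window row total).

    A rolling window, rather than a per-event threshold, catches an actor who
    splits one large export into many medium-sized pulls."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in EXPORT_EVENT_TYPES:
            by_user[e["user"]].append((parse_ts(e["ts"]), e["rows"]))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        start, total = 0, 0
        for ts, rows in evs:
            total += rows
            while ts - evs[start][0] > window:   # evict events that fell out of the window
                total -= evs[start][1]
                start += 1
            if total > threshold:
                first, peak = hits.get(user, (ts, 0))
                hits[user] = (first, max(peak, total))
    return hits


def correlate(signins, events, baseline):
    """Join the two detectors on identity.  A bulk export preceded within
    CORRELATION_WINDOW by an out-of-baseline sign-in is rated high; a bulk
    export alone is medium; an odd sign-in alone is low."""
    odd = defaultdict(list)
    for s in unusual_signins(signins, baseline):
        odd[s["user"]].append(parse_ts(s["ts"]))
    alerts = []
    for user, (first_export, peak) in bulk_exports(events).items():
        prior = [t for t in odd.get(user, []) if timedelta(0) <= first_export - t <= CORRELATION_WINDOW]
        alerts.append({"user": user, "severity": "high" if prior else "medium",
                       "rows": peak, "unusual_signin": bool(prior)})
    flagged = {a["user"] for a in alerts}
    for user in odd:
        if user not in flagged:
            alerts.append({"user": user, "severity": "low", "rows": 0, "unusual_signin": True})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, SF_EVENTS, BASELINE_COUNTRIES):
        print(alert)
```

On the constructed data, `j.doe` signs in from the Netherlands at 13:20 and drives 2.35 million exported rows within the following hour, so the correlated alert is rated high; `k.lee` only has an odd sign-in and is rated low; `a.smith` trips nothing. The join on identity is the point: either signal alone is noisy at scale, while a bulk export shortly after an out-of-baseline sign-in is close to the exact shape of the intrusion described in this report.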