Cellcom CEO Brighid Riordan said the company has been dealing with a “cyber incident” but they “simply don’t have a lot of facts.”
Analysis Summary
# Incident Report: Telecommunications Service Disruption via Cyberattack
## Executive Summary
A major cyber incident targeted a large telecommunications firm operating in Michigan and Wisconsin, leading to service outages affecting voice and SMS texting for approximately one week. The company confirmed the incident, involved law enforcement (FBI), and stated that recovery protocols were underway, though specific details about the attack vector or scope remain limited.
## Incident Details
- Discovery Date: Tuesday (when publicly acknowledged)
- Incident Date: Began approximately one week prior to Tuesday's public disclosure.
- Affected Organization: Cellcom (a subsidiary of Nsight)
- Sector: Telecommunications
- Geography: Wisconsin and Upper Michigan
## Timeline of Events
### Initial Access
- Date/Time: Unknown, preceded the service outages.
- Vector: Undisclosed cyberattack.
- Details: Attack led to segmented service outages impacting voice and texting functions.
### Lateral Movement
- Details: No specific details provided regarding internal movement, though the scope was initially described as "segmented."
### Data Exfiltration/Impact
- Impact: Service outages for thousands of customers affecting voice and SMS texting services for about a week. Customers missed job interviews and important calls. The company stated the affected network segment was separate from where customer data is held, though no data breach confirmation was provided. Customers were unable to port numbers.
### Detection & Response
- Detection: The company acknowledged the "cyber incident" publicly via a video message on Tuesday evening.
- Response Actions: Rolling out pre-established incident protocols, engaging cybersecurity experts, and involving the FBI and Wisconsin officials. Experts were flown in to assist recovery.
## Attack Methodology
- Initial Access: Unknown (an external actor exploiting a vulnerability or otherwise gaining unauthorized entry is implied, but not confirmed).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Unknown.
- Exfiltration: Unknown (No confirmed data exfiltration).
- Impact: Denial of Service/Disruption to core network services (Voice/SMS).
## Impact Assessment
- Financial: Unknown (Costs related to professional remediation and prolonged outage impact are implied).
- Data Breach: Company stated the incident was concentrated on a part of the network separate from where customer data is held; no confirmation of a data breach.
- Operational: Significant operational impact, with widespread voice and SMS service outages lasting approximately a week. Customer service was also hindered; in particular, customers were unable to port numbers.
- Reputational: Negative, evidenced by numerous angry customer messages online.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Service outage across voice and SMS functionality.
## Response Actions
- Containment measures: Incident protocols were initiated; the segment causing the outage was isolated, allowing some services (voice/SMS portions) to be restored on Monday.
- Eradication steps: Unknown, but involved external cybersecurity experts.
- Recovery actions: Experts were flown in to assist in restoring full service functionality; timeline for full restoration remained open as of Wednesday.
## Lessons Learned
- The organization had pre-existing incident response protocols prepared for such events.
- Significant operational impact occurred despite preparation, highlighting the dependency on telecommunication services.
- The lack of immediate, transparent facts in the initial stages aggravated customer response.
## Recommendations
- Conduct a thorough root cause analysis to identify the exact vulnerability exploited to gain access.
- Review and segment critical voice/SMS infrastructure from non-essential services to minimize outage blast radius if a similar incident occurs.
- Establish clear, proactive communication strategies for service disruptions, even when full facts are not immediately available, to manage customer expectations.