- On a cybercrime forum, a threat actor has posted an advertisement selling full root-level access to the internal Linux servers of a currently undisclosed Indonesian telecommunications company.
- The targeted mobile and internet provider operates a network of approximately 10,000 host machines and has an annual revenue of five to ten million dollars.
- This severe administrative breach allows buyers to modify configurations and view files, putting millions of customers’ phone calls, texts, and private web traffic at risk.
An online criminal uploaded a forum marketplace post offering root-level keys to an Indonesian telecommunications business’s Linux infrastructure. The anonymous vendor asserts that these stolen login credentials hand buyers total administrative power over the firm’s internal systems.
While the listing hides the specific identity of the targeted broadband provider, it notes that the corporation brings in an annual income of five to ten million dollars. The threat actor explicitly states that they verified the compromised network entrance within the last two days.
Furthermore, the black-market posting claims that the target’s corporate framework holds around ten thousand individual host computers. Having root access gives an individual the highest possible authorization tier across a Linux environment.
An attacker holding these deep administrative privileges can freely plant tracking programs, rewrite basic system options, and read or download any hidden document. For an active telecom service vendor, a security failure like this easily exposes subscriber billing logs, voice call metadata, and central network configurations.
What the Seller is Offering
According to the seller’s listing, they are offering access into an organization’s network via the Secure Shell protocol (SSH) with full admin rights. SSH is a widely used method for securely connecting to computers remotely; a buyer holding root over SSH can therefore perform virtually any action possible on the compromised system.
The listing also indicates that the targeted company uses Symantec software as its antivirus solution. This shows that the seller has some knowledge of the organization’s internal security tooling, and that the organization has at least some level of security in place.
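Root access over SSH of the kind the listing advertises leaves a trace that defenders can look for: successful sshd logins as root, password-based logins, and logins from outside the management range. The following script is an added example written for this article, not code from the original post or from any vendor; it parses constructed sshd log lines in the usual syslog format, flags the risky logins, and audits a constructed sshd_config excerpt for the two directives (PermitRootLogin, PasswordAuthentication) whose weak settings make a stolen root credential directly usable. The hostnames, addresses, and trusted network prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd lines in syslog format (not taken from any real system).
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:07 core-gw1 sshd[2817]: Accepted publickey for deploy from 10.20.4.15 port 51122 ssh2: RSA SHA256:AbCdEf...
Mar 14 02:13:41 core-gw1 sshd[2890]: Accepted password for root from 203.0.113.77 port 40211 ssh2
Mar 14 02:13:44 core-gw1 sshd[2890]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 14 02:15:02 core-gw1 sshd[2934]: Failed password for root from 203.0.113.77 port 40218 ssh2
Mar 14 02:16:30 core-gw1 sshd[2951]: Accepted publickey for root from 10.20.4.15 port 51310 ssh2: ED25519 SHA256:XyZ...
Mar 14 02:20:12 core-gw1 sshd[3002]: Accepted password for ops from 10.20.4.40 port 52000 ssh2
"""

# Constructed excerpt of an sshd_config with the weak settings a root-over-SSH sale relies on.
SAMPLE_SSHD_CONFIG = """\
# constructed excerpt of /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Matches only successful logins; "Failed password" and pam_unix lines are ignored.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Recommended values for the directives that govern direct root and password logins.
HARDENED_DIRECTIVES = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def parse_accepted_logins(log_text):
    """Return one dict (method, user, ip) per successful sshd login in the text."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append(m.groupdict())
    return logins


def flag_risky_logins(logins, trusted_nets=("10.20.4.",)):
    """Flag direct root logins, password logins, and logins from outside the
    assumed management range. Each finding carries the list of reasons."""
    findings = []
    for entry in logins:
        reasons = []
        if entry["user"] == "root":
            reasons.append("direct root login")
        if entry["method"] == "password":
            reasons.append("password authentication")
        if not entry["ip"].startswith(trusted_nets):
            reasons.append("source outside trusted management range")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def summarize(findings):
    """Count how often each reason occurs across all findings."""
    return Counter(reason for f in findings for reason in f["reasons"])


def audit_sshd_config(config_text):
    """Return {directive: (current_value, recommended_value)} for every hardened
    directive that is unset or set to something other than the recommended value."""
    current = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            current[parts[0]] = parts[1].strip()
    return {
        directive: (current.get(directive, "<unset, default applies>"), wanted)
        for directive, wanted in HARDENED_DIRECTIVES.items()
        if current.get(directive, "").lower() != wanted
    }


if __name__ == "__main__":
    for finding in flag_risky_logins(parse_accepted_logins(SAMPLE_AUTH_LOG)):
        print(f"{finding['user']}@{finding['ip']} via {finding['method']}: {', '.join(finding['reasons'])}")
    for directive, (have, want) in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{directive}: currently {have!r}, recommended {want!r}")
```

On the sample input the script flags the root password login from 203.0.113.77 on all three counts, the root public-key login from the management range as a direct root login, and the ops password login; it also reports both sshd_config directives as set to yes. Running the same two checks against real sshd logs and the real config gives a telecom operator a quick way to tell whether a root-over-SSH listing like this one would even be usable against its hosts.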
The claimed network size of ten thousand hosts is significant. This suggests a large organization with substantial infrastructure. The bigger the network, the more valuable the access becomes to potential buyers.
The seller does not name the company. This is common in such listings; threat actors often avoid naming victims to prevent the company from taking defensive action before the sale closes.
Who Might Buy this Access
Root access to a telecom network attracts a wide range of buyers. Ransomware groups are among the most likely customers. They could use the access to deploy encryption across the network and demand payment for decryption keys.
State-sponsored actors might also show interest. Telecom networks carry sensitive communications that intelligence agencies want to monitor. Gaining persistent access to such a network could provide years of valuable intelligence.
Other cybercriminals might use the access for fraud. They could intercept SMS messages to bypass two-factor authentication. This would let them break into bank accounts and other protected services.
Beyond network access, cybercriminals are also directly targeting customer data; a recent dark web listing claimed the sale of 19 million Free.fr customer records, demonstrating the value of telecom subscriber information.
The sale of corporate access has become a thriving business on underground markets. Initial access brokers specialize in breaching networks and selling that access. Their customers then carry out the actual attacks.
The Growing Market for Corporate Access
The sale of corporate network access has become a booming business on underground forums. Cybercriminals have realized that stealing credentials and selling them is often easier than carrying out full attacks themselves. This has created a thriving ecosystem where different actors specialize in different parts of the attack chain.
In the current ecosystem, initial access brokers have become a reliable route into corporate networks. They typically gain entry through phishing attacks, exploitation of known vulnerabilities, or credentials bought from other criminals, and then resell that access to ransomware groups and their affiliates, state-sponsored hackers, and others.
The prices for such access vary widely. A small company might sell for a few hundred dollars. A large enterprise with critical infrastructure can fetch thousands. Factors like revenue, industry, and the level of access all influence the final price.
These criminals hold a special interest in the telecom sector because it handles large amounts of sensitive customer information and forms part of critical infrastructure. Telecom networks are high-value targets for many threat actors, and demand for telecom access remains consistently high.
The Indonesian telecom listing is part of this larger trend. It shows how cybercriminals have professionalized their operations. They understand market demand and price their access accordingly.
The dark web claims remain unverified. The seller might be exaggerating their access to attract buyers. However, telecom companies should not ignore such warnings. Even unverified threats highlight the risks these organizations face.