Breaches of major U.S. telecom networks by the China-linked Salt Typhoon group have received widespread media attention, but a second threat actor has also been targeting telecom service providers in recent months, and claims to possess the call logs of President-elect Donald Trump and Vice President Kamala Harris.
Cyble dark web researchers have been tracking the activities of a threat actor (TA) known as “kiberphant0m” since they emerged on English- and Russian-speaking cybercrime forums earlier this year.
Since late August, kiberphant0m has been selling data and access allegedly obtained from Verizon and AT&T – in addition to “spy schema” allegedly belonging to the U.S. National Security Agency (NSA) that the TA claims came from the massive Snowflake data breach earlier this year.
We’ll look at kiberphant0m’s activities, credibility and possible connections, in addition to the state of telecom network security that got us to this point.
kiberphant0m’s Background and Ties
kiberphant0m first appeared on the English-language Breach Forums in January 2024. After a few replies to other threads in March, the TA first appeared to begin selling data in April, starting with a Chinese crypto casino database. A Telegram channel began operating around the same time.
Other activities have included selling:
- Access to a Ukraine government research server
- Access to a defense contractor
- A 175TB application breach
- Root access to a Chinese server with 95 domains, including some critical infrastructure sectors
- UK bank server access
- Indian and Asian telecom data and access
- Access to a European biomedical company
- Access to a mobile social media app
- SSH bot and server access
- Linux DDoS botnet source code
More recently, kiberphant0m has claimed a connection to UNC5537, the financially motivated threat group behind the Snowflake breach. Some posts have included the hashtag #FREEWAIFU, a reference to an alias of Alexander “Connor” Moucka, who was recently arrested and charged in the Snowflake breach by Canadian officials.
Threat intelligence researchers believe that kiberphant0m is more than a broker, having demonstrated proficiency in technical matters. The claimed connection to UNC5537 appeared more recently and needs additional indicators to make the association certain. The FREEWAIFU campaign may be a cover masking other connections. The timing of telecom network breaches close in time to the China-linked campaign is also of interest.
Krebs on Security reported yesterday that kiberphant0m may be “a U.S. Army soldier who is or was recently stationed in South Korea,” with activity going back to 2022 under other aliases.
There has been some degree of confidence that kiberphant0m is reliable and has a credible history of claims, and their Breach Forums reputation score is positive with no neutral or negative feedback.
Telecom Breach Claims, Including Trump and Harris Logs
On Nov. 5-6, kiberphant0m created four threads on Breach Forums – three related to Verizon and AT&T, and the NSA post.
The Trump and Harris call logs included a sample of Harris’ calls from 2022 and urged AT&T (ATNT) to contact them (image below). Another post offered Verizon Wireless PTT (push-to-talk) logs, including an SQL database, server logs and credentials, possibly obtained from a third-party service provider.
A third post offered Verizon Wireless SIM swapping services, and the fourth appears to be a Snowflake technical database schema allegedly belonging to the NSA (image below).
Those recent breaches don’t appear to include extremely sensitive information, but are nonetheless concerning, particularly given the lax state of telecom network security.
Lax Telecom Network Security
As Senate Intelligence Committee Chairman Mark R. Warner (D-Virginia) told the Washington Post last week, large U.S. telecom networks are “a hodgepodge of old networks … combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable.”
Presumably much of that is end-of-life equipment like routers and switches. Warner told the Post that the networks remain compromised, and that fixing them could involve physically replacing “literally thousands and thousands and thousands of pieces of equipment across the country.”
Top national security officials met with telecom industry executives late last week to discuss a cooperative solution to the problem.
