What Happened Yesterday with T-Mobile? And was it a DDoS Attack?


For most of yesterday, it was reported that a large portion of cellular provider T-Mobile’s network was down. As a result, many customers couldn’t place calls, surf the internet, or in some cases, send text messages. That spiraled into reports of other services, like Instagram, being unavailable, and ultimately, a Twitter account associated with hacker collective Anonymous weighed in with the following ominous-looking tweet about a DDoS:

“Hold up - what’s a DDoS again?”

You may remember from another ACT post that a Distributed Denial of Service attack, or DDoS (pronounced dee-daws), is a type of cyber attack that attempts to overwhelm a company, server, or even an app by bombarding it with bad or junk requests. These requests cause normal processes (like searching the web, uploading photos, or even serving up the freshest memes) to stop working correctly, effectively bringing down a website, taking servers offline, and ultimately not allowing an organization to conduct business over the internet until the attack stops.

What makes a DDoS attack tricky is the “distributed” nature of it. The attacks will appear to be coming from all over the globe, usually from computers and servers that are infected with malware. This means that many people don’t realize that their computer is part of a DDoS attack. Even worse, the “distributed” nature of the attack prevents IT and cybersecurity teams from easily blocking the offending requests and stopping the attacks.

Over time, technology has gotten better at stopping these attacks, and some companies have stepped up to provide DDoS remediation technology through the use of the cloud.
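To make the "distributed" problem described above concrete, here is an added example (not part of the original post) that runs a per-source rate limit and a total-volume check over three constructed traffic windows. The thresholds and addresses are assumptions chosen for illustration.

```python
from collections import Counter

# Assumed thresholds for illustration; real values come from your own baseline.
PER_SOURCE_LIMIT = 100   # requests one source may send per window
BASELINE_TOTAL = 500     # typical total requests per window
SURGE_FACTOR = 5         # alert when the total exceeds baseline by this factor


def sources_over_limit(requests):
    """Sources that a per-source rate limit would block in this window."""
    counts = Counter(requests)
    return {src for src, n in counts.items() if n > PER_SOURCE_LIMIT}


def load_after_blocking(requests):
    """Requests still reaching the service once over-limit sources are dropped."""
    blocked = sources_over_limit(requests)
    return sum(1 for src in requests if src not in blocked)


def aggregate_surge(requests):
    """True when total volume in the window is far above the normal baseline."""
    return len(requests) > BASELINE_TOTAL * SURGE_FACTOR


# Constructed traffic windows: one list entry per request, value = source address.
NORMAL = [f"198.51.100.{i % 50}" for i in range(500)]      # 50 clients, 10 each
SINGLE_SOURCE = NORMAL + ["203.0.113.7"] * 5000            # one noisy host
DISTRIBUTED = NORMAL + [f"10.0.{i // 250}.{i % 250}"       # 1000 hosts, 5 each
                        for i in range(1000) for _ in range(5)]

if __name__ == "__main__":
    windows = [("normal", NORMAL), ("single source", SINGLE_SOURCE),
               ("distributed", DISTRIBUTED)]
    for name, window in windows:
        print(f"{name}: blocked sources={len(sources_over_limit(window))}, "
              f"load after blocking={load_after_blocking(window)}, "
              f"surge={aggregate_surge(window)}")
```

The single-source flood is cut back to normal load by the per-source limit, while the distributed flood passes it untouched and only shows up in the total-volume check.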

“So what actually happened?”

While the full story hasn’t been disclosed yet, the issue appears to be related to the T-Mobile and Sprint merger. Following any merger of two companies, executives will often look for opportunities to save costs by identifying redundant processes. This could include people, physical assets (like office space), and especially technology. For example, if one company was paying to use Microsoft for email, and the other was paying to use Google, the now merged company would be paying twice to do the same thing: send email. Ideally, they would move everyone to one email company and save a lot of money.

However, it’s not always that simple. Think about your organization and how many processes rely on email alone - like support tickets, notifications from clients, or even using it as your username to log in to some websites. You can’t just flip a switch and turn it off. It takes careful planning to identify every process and contingency, and oftentimes, IT integrations won’t be complete until years after a merger. This is because first, second, and third order impacts need to be carefully mapped out so that nothing “breaks.”

In the story with T-Mobile, the most likely answer is that this was an IT integration gone wrong. Just as you need to carefully plan before turning off a redundant email service, it’s likely that something just wasn’t identified before a change was made. When the change was made by T-Mobile’s IT personnel, it was most likely the cause of T-Mobile’s network coming to a standstill until they were able to fix it, most likely by reversing the change. T-Mobile CEO Mike Sievert confirmed there was an issue and that it has since been corrected, but T-Mobile has not yet confirmed the root cause of the issue.

“Ok, but what’s all this about a DDoS attack?”

When an organization is dealing with a potential cybersecurity incident, we always recommend gathering as much information as possible. That way, decision makers can identify if other issues are connected to the original issue, or, identify if they’re not related at all. In the absence of information, a large number of people on the internet decided that any issue on the internet at that moment must be connected to the T-Mobile issue - like Instagram and Fortnite being unavailable. So when the Twitter account associated with the hacker group Anonymous published the “definitive” answer to the problem as a DDoS attack against the United States, everyone jumped on the bandwagon - including some politicians:

The problem here is that the image shown in the Anonymous tweet is very misleading. Almost every. large. cybersecurity. company. provides. one. of. these. “attack dashboards.” More often than not, they are just shown on a TV in the cybersecurity team’s office anytime someone from the leadership team walks in. It looks cool, but it actually doesn’t tell you anything. Side note - this is our favorite one because it uses ridiculous captions and makes “pew pew” noises (click on the screen to activate the noises), which is commensurate with the actual use for it.

Most of these dashboards track “cyber attacks”; however, all of them are incapable of telling if the attacks are successful. For example, a lot of the cyber attacks mapped out are “port scanners” - which is like if someone is walking around your house checking the doors to see if they’re unlocked. Alarming? Absolutely. But not a cyber attack. Port scanners are running around the globe constantly every day and really amount to little more than noise for most companies.
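The gap between what a dashboard counts and what actually got through can be shown with a few connection records. This is an added example, not from the original post; the records, outcome labels, and port threshold are constructed assumptions.

```python
from collections import defaultdict

SCAN_PORT_THRESHOLD = 10  # assumed: distinct ports before a source counts as a scanner

# Constructed connection records: (source, destination port, outcome).
EVENTS = (
    [("203.0.113.10", port, "refused") for port in range(20, 45)]
    + [("203.0.113.11", port, "no_reply")
       for port in (22, 23, 80, 443, 445, 1433, 3306, 3389, 5900, 8080, 8443, 9200)]
    + [("198.51.100.5", 443, "established")] * 3
    + [("198.51.100.9", 22, "refused"), ("198.51.100.9", 22, "established")]
    + [("198.51.100.20", 22, "refused")]
)


def dashboard_count(events):
    """What an attack map would draw: every attempt that did not connect."""
    return sum(1 for _, _, outcome in events if outcome != "established")


def classify_sources(events):
    """Label each source by whether any of its attempts actually connected."""
    ports = defaultdict(set)
    established = defaultdict(int)
    for src, port, outcome in events:
        ports[src].add(port)
        if outcome == "established":
            established[src] += 1
    labels = {}
    for src, seen in ports.items():
        if established[src] > 0:
            labels[src] = "session-established"   # check auth and app logs next
        elif len(seen) >= SCAN_PORT_THRESHOLD:
            labels[src] = "scan-noise"            # many ports tried, nothing opened
        else:
            labels[src] = "failed-attempt"
    return labels


if __name__ == "__main__":
    print("events a dashboard would plot:", dashboard_count(EVENTS))
    for src, label in sorted(classify_sources(EVENTS).items()):
        print(src, label)
```

Of the 39 events a map would plot here, none came from a source that ever completed a connection; the only sources worth a closer look are the two with established sessions.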

“Got it. What’s the end result then?”

Unfortunately, this story is still developing. As with most IT problems at organizations, we may never find out the whole truth and the overall risk to you is low - but it’s still an interesting story. The FCC is launching an investigation, but it likely will amount to little or no public disclosure by T-Mobile:

So were the events of June 15, 2020 a DDoS attack against the United States? All signs point to no. And the next time you see a “definitive” source on the web with an easy answer to an ongoing problem, stop, think, and read some trustworthy sources before you retweet.

If you ever have a question about cybersecurity, you can always reach us via email at cyberhelp [at] hivesystems.io. And if your organization is getting ready for a merger, make sure you consider cybersecurity. The impact of poor cybersecurity planning could end up costing your organization millions, so set up a time to talk with Hive Systems today about our Cybersecurity Policy & Controls to help you prepare.

 
