Global Telecom Solutions (GTS) experienced a coordinated ransomware and data theft extortion campaign carried out by UNC3944 in early 2023. The adversary exploited help desk personnel through targeted social engineering calls impersonating internal IT staff to reset authentication controls and disable multi-factor protections. Once inside, UNC3944 deployed a double-extortion ransomware payload that encrypted critical systems, including billing platforms, network management consoles, and customer service tools, halting all voice and data services. Simultaneously, they exfiltrated sensitive customer records such as names, addresses, call histories, and SIM card assignment data. The malicious actors demanded a substantial ransom, threatening to release stolen files publicly and auction them on dark-web forums if payment was not made within the specified timeframe. GTS faced significant operational downtime lasting multiple days, resulting in revenue losses exceeding tens of millions of dollars and widespread customer dissatisfaction. The breach also triggered regulatory investigations and notification obligations, further amplifying legal and compliance costs. Brand reputation suffered irreparable damage as competitors and news outlets highlighted the scale of the incident. GTS invested heavily in incident response, forensic analysis, and remediation measures, yet recovery timelines extended for months due to the complexity of decrypting data and restoring backup integrity.
Source: https://cybersecuritynews.com/unc3944-hackers-evolves-from-sim-swap-to-ransomware/
TPRM report: https://scoringcyber.rankiteo.com/company/global-telecom-solutions
"id": "glo546050725",
"linkid": "global-telecom-solutions",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Telecommunications',
                        'name': 'Global Telecom Solutions (GTS)',
                        'type': 'Telecommunications Company'}],
 'attack_vector': 'Social Engineering, Double-Extortion Ransomware',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Names, addresses, '
                                                        'call histories, SIM '
                                                        'card assignment data',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Customer records'},
 'date_detected': 'Early 2023',
 'impact': {'brand_reputation_impact': 'Irreparable damage',
            'customer_complaints': 'Widespread customer dissatisfaction',
            'data_compromised': 'Customer records including names, addresses, '
                                'call histories, SIM card assignment data',
            'downtime': 'Multiple days',
            'financial_loss': 'Tens of millions of dollars',
            'legal_liabilities': 'Regulatory investigations and notification '
                                 'obligations',
            'operational_impact': 'Halted all voice and data services',
            'revenue_loss': 'Tens of millions of dollars',
            'systems_affected': ['Billing platforms',
                                 'Network management consoles',
                                 'Customer service tools']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Threatened to auction on '
                                                    'dark-web forums',
                           'entry_point': 'Help Desk Personnel'},
 'investigation_status': 'Ongoing regulatory investigations',
 'motivation': 'Financial Gain, Data Theft',
 'post_incident_analysis': {'root_causes': 'Social engineering of help desk '
                                           'personnel'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': 'Substantial'},
 'regulatory_compliance': {'regulatory_notifications': 'Yes'},
 'response': {'incident_response_plan_activated': 'Heavily invested in '
                                                  'incident response',
              'remediation_measures': 'Decrypting data and restoring backup '
                                      'integrity',
              'third_party_assistance': 'Forensic analysis'},
 'threat_actor': 'UNC3944',
 'title': 'Global Telecom Solutions Ransomware and Data Theft Incident',
 'type': 'Ransomware and Data Theft',
 'vulnerability_exploited': 'Human (Help Desk Personnel)'}