AT&T employees bribed $1m to install rogue wireless access points on corporate network

Rogue wireless access points used to infiltrate network enabling attackers to unlock two million smartphones

AT&T Mobility staff were bribed $1 million over five years to install rogue wireless access points on the company's corporate network, enabling the attackers to run a business unlocking AT&T smartphones. The attack centred on AT&T's call centre in Bothell, Washington State.

Initially, the conspiracy, led by Pakistan-based Muhammad Fahd and Ghulam Jiwani, used the insiders to submit large numbers of IMEI numbers to unlock the devices that AT&T had supplied to customers as part of a mobile plan.

From around April 2013, Fahd and Jiwani, according to the indictment, bribed their contacts to install malware on AT&T's corporate network that would enable them to submit IMEI numbers themselves, using the network credentials of AT&T employees.

The rogue wireless access points were installed in November 2014 after the malware was discovered. These devices were only discovered in September 2017.

"The unauthorised computer hardware devices, like the malware, used network credentials that belonged to actual AT&T employees, including co-conspirators and others, and allowed Muhammad Fahd… to log into AT&T's internal protected computers under false pretences and to process fraudulent and unauthorised unlock requests," the indictment claims.

According to the prosecutors, more than two million unlock requests were filed through the system in this way.

AT&T wasn't completely oblivious to what was going-on on its internal network: the malware was identified by the company's security staff in October 2013, and staff involved in the conspiracy were sacked. However, Fahd and Jiwani used Facebook and other tools to recruit new insiders and came up with the plan to install rogue wireless access points on the network instead.

"Muhammad Fahd provided the hardware devices to co-conspirators, including current and former AT&T insiders who tested the devices. Upon perfecting the operation of the devices, Muhammad Fahd provided the devices to insiders who plugged the devices into AT&T's internal protected network without authorisation to facilitate the unlocking of phones in furtherance of the conspiracy," the indictment continues.

The bribes were made both by Western Union money transfer, as well as directly - with Jiwani, flying to the US to hand over the bribes directly to the co-conspirators in at least one instance.

The indictment underscores the security risks posed by rogue insiders - a warning illustrated by the Edward Snowden NSA leaks.