Kroll August 2023 SIM Swap Attack

Incident Name: Kroll August 2023 SIM Swap Attack

Date of Incident: August 19th, 2023


Kroll is a global company providing organizations with risk and financial solutions. On August 19th, 2023, they discovered that a T-Mobile account belonging to a Kroll employee had been compromised by a threat actor, and T-Mobile had allowed the threat actor to transfer the employee’s phone number to their own device. It is alleged that once the threat actor gained access to the phone number, they were able to bypass multi-factor authentication (MFA) and access the employee’s account. As a result, the threat actor was able to access Kroll’s cloud-based assets, which included personal information such as names, addresses, emails, and debtor claim details of bankruptcy claimants from companies like BlockFI, FTX, and Genesis. Kroll has notified the affected customers about the breach of their data.

FTX and BlockFI, two affected companies, have released statements confirming that user passwords and funds were not impacted by this breach since it was specific to Kroll’s systems. Additionally, several individuals have reported receiving phishing emails related to this breach. FTX has shared examples of these emails on social media platforms. The phishing emails aim to deceive customers by impersonating FTX and encouraging them to withdraw their digital assets. The ultimate goal is to steal customers’ seeds in order to empty their crypto wallets.

Key Social Engineering/OSINT Themes:

  • Recon – Kroll employee and organizational information was harvested, including employee phone numbers and personal details. The threat actor leveraged exposed employee information to perform a SIM swap attack.
  • SIM Swap – The threat actor used the employee information to contact T-Mobile and swap their number to the threat actor’s SIM so that they would receive all employee SMS messages and calls. This access was then used to access the employee’s cloud-based account to access the data.

Picnic’s Recommended Remediations:
For detailed remediations, see the HASP Framework.

High Risk Employees

  • HASP Framework 1.1 — Identify high-value employee targets
  • HASP Framework 1.3 — Conduct social engineering risk assessments for high-value employee targets
  • HASP Framework 1.5 — Establish and implement procedures for high-value employee targets
  • HASP Framework 1.7 — Increase detection and monitoring for high-value employee targets

Exposed Employee PII

  • HASP Framework 2.1 — Identify exposed employee PII
  • HASP Framework 2.2 — Reduce exposed employee PII

Exposed Credentials

  • HASP Framework 3.1 — Identify exposed work credentials
  • HASP Framework 3.7 — Restrict service account access
  • HASP Framework 3.8 — Monitor for account takeover (including real-time alerts on exposed credentials)
  • HASP Framework 3.9 — Monitor for MFA configuration changes
  • HASP Framework 3.10 — Monitor for new MFA registrations

Exposed Remote Services

  • HASP Framework 4.2 — Identify exposed shadow IT
  • HASP Framework 4.4 — Manage shadow IT / remote access

Indicators of Attack

  • HASP Framework 7.1 — Monitor for suspicious external accounts
  • HASP Framework 7.2 — Request takedowns for suspicious external accounts
  • HASP Framework 7.3 — Alert your organization about suspicious external accounts
  • HASP Framework 7.4 — Monitor for suspicious domains
  • HASP Framework 7.5 — Block suspicious domains

Cyber Awareness

  • HASP Framework 8.1 — Train employees on social engineering attacks
  • HASP Framework 8.2 — Provide employees with social engineering phishing simulation training
  • HASP Framework 8.4 — Build and establish social engineering policies, processes, and procedures

Industry: Financial Services, Professional Services

Actor: Unknown

Motivations: Financial

Related Hacks: Coinbase / CoinsPaid

Breach Notice/Company Notice:

Other Sources:

Scroll to Top