UPDATED 15:07 EST / DECEMBER 31 2024

SECURITY

US Army soldier arrested in connection with AT&T, Verizon data breaches

Federal authorities have reportedly arrested a U.S. Army soldier in connection with a series of cyberattacks that compromised AT&T Inc. and Verizon Communications Inc. customers’ data.

Prominent cybersecurity journalist Brian Krebs broke the news on Monday. Cameron Wagenius was reportedly apprehended on Dec. 20 near a U.S. Army base in Texas. According to Krebs, Wagenius is known by the hacker pseudonym Kiberphant0m.

The two-page indictment that preceded the arrest doesn’t detail the cyberattacks at the center of the case or the organizations affected. However, Krebs reported that conversations with Wagenius’ mother and a cybersecurity researcher made it possible to piece together what happened.

The indictment reportedly relates to cyberattacks that compromised the information of AT&T and Verizon customers. The AT&T records were stolen from the carrier’s Snowflake environment, which was breached as part of a hacking campaign that came to light in June. Google’s Mandiant unit, which uncovered the campaign, determined that it affected more than 160 Snowflake users.

The cyberattacks didn’t exploit a software vulnerability. Rather, the hacker behind the campaign used login credentials stolen in previous breaches to sign into the affected organizations’ Snowflake accounts. 

In July, AT&T revealed that the hacker stole six months’ worth of call and text message logs about practically all its customers. The dataset included the numbers that customers called, the duration of their calls and related details. The hacker also accessed certain technical data, notably the unique identifier of the cell towers that processed the affected users’ communications.

Last month, Canadian authorities arrested the person believed to be behind the cyberattacks. Before the arrest, the hacker told Krebs that he “had no interest” in selling the data obtained through the Snowflake account breaches. Instead, he reportedly relegated the task to other hackers such as Wagenius.

According to Krebs, Wagenius is a U.S. Army communications specialist who was stationed in South Korea for the past two years. He reportedly worked on “radio signals and network communications.”

Shortly after the arrest of the suspect in the Snowflake case, Wagenius posted the purported call logs of President-elect Donald Trump and Vice President Kamala Harris to a hacker forum. He threatened to publish more logs unless AT&T paid a ransom.

Last month, Wagenius offered to sell stolen call logs from Verizon’s pay-to-talk app. The service is widely used among U.S. government agencies and first responders.

In a follow-up post published a few days later, Wagenius reportedly offered a SIM swapping service designed to target users of Verizon’s pay-to-talk app. SIM swapping is a type of cyberattack in which a hacker tricks a carrier into transferring a phone number from the victim’s handset to a malicious device. The malicious device can subsequently be used to intercept the victim’s communications.

According to Krebs, it appears Wagenius was also involved in other hacking activities. Last year, he reportedly offered to sell remote login credentials stolen from a U.S. defense contractor. Additionally, Wagenius has reportedly claimed to have operated a large botnet, or network of malicious devices, for launching distributed denial-of-service attacks. 

Prosecutors originally filed the indictment against Wagenius with a Texas court. The case has since been transferred to the U.S. District Court for the Western District of Washington in Seattle.

Photo: AT&T
