A hack attack is most of the time discovered by a deviation in the normal call destinations of the company involved often leading to a ‘Limits reached’ notification. Typically in the call reports you will see a large amount of calls to unusual destinations.
In general the gathering/hacking of device's authentication details happens independent of the actual abuse. The modus operandi is that the account details are gathered during the day. Next the account details are sold and/or a team of people/an automated system starts outbound calls during the night to numbers they profit from.
In order to prevent these fraudulent actions, please make sure to:
never configure the management interface (e.g. web, telnet, ssh) of any SIP device (e.g. phone, router with ata, intercom) to be accessible from the internet;
have IP(s) whitelisted on the Company panel for a device;
change access device passwords to different from default,
assign a whitelist to the company.
In case the device has been hacked, it is required to delete and recreate the line or device, since this will generate a new username and password. Please, note the procedure should performed [again] if there any relevant changes in the firewall are required.
Further on please make sure all recommended measures listed above are fulfilled.