Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.

Mathias Thurman

Clearly, while our telephony gateway sat naked on the Internet, someone had scanned our IP address space (an activity that we have found to be constant) and discovered the open port. It was a simple matter after that for that person to point his own IP gateway to our infrastructure and route calls through us. Such activities can be profitable. They can be done with free, open-source PBX software such as Asterisk or SIP Witch. Once an open and unauthenticated port has been found, the bad guys can either sell the discovery to others, who can then make a free connection, or sell discounted minutes.
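The detection side of the incident described above, as an added example that is not part of the original column: a short Python script that reads call detail records from the gateway and flags calls relayed by peers outside the organisation's own trunk allowlist, which is the pattern a fraudster using an Asterisk or SIP Witch box would leave behind. The CDR format, the trusted peer ranges, and the per-minute rate are all constructed assumptions for illustration, not anything from the article or from any particular PBX product.

```python
"""Flag calls relayed through a SIP gateway by peers outside the trunk allowlist.

Added example (not from the article). Record layout, addresses and tariff are assumed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample CDR export: timestamp, peer IP that placed the call,
# dialled number, billed seconds. Addresses are documentation ranges.
SAMPLE_CDR = """\
timestamp,peer_ip,callee,billsec
2011-03-01T02:14:05,203.0.113.10,+15551230100,42
2011-03-01T02:15:11,198.51.100.77,+442071234567,1803
2011-03-01T02:16:40,198.51.100.77,+442071234568,1750
2011-03-01T09:01:02,203.0.113.11,+15551230102,120
2011-03-01T23:58:19,192.0.2.200,+5491155551234,2400
"""

# Assumed: the only peers allowed to hand calls to this gateway (hypothetical range).
TRUSTED_PEERS = [ipaddress.ip_network("203.0.113.0/28")]


def is_trusted(ip: str) -> bool:
    """True if the peer address falls inside one of the allowed trunk ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PEERS)


def parse_cdr(text: str) -> list:
    """Parse the CSV export into dicts with billsec as an integer."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        {
            "timestamp": row["timestamp"],
            "peer_ip": row["peer_ip"],
            "callee": row["callee"],
            "billsec": int(row["billsec"]),
        }
        for row in reader
    ]


def find_unauthorized_relay(records: list, rate_per_minute: float = 0.10) -> dict:
    """Summarise calls from untrusted peers: count, minutes, estimated cost per peer.

    rate_per_minute is an assumed flat tariff used only to size the exposure.
    """
    summary = defaultdict(lambda: {"calls": 0, "minutes": 0.0})
    for rec in records:
        if is_trusted(rec["peer_ip"]):
            continue  # normal traffic from our own trunks
        entry = summary[rec["peer_ip"]]
        entry["calls"] += 1
        entry["minutes"] += rec["billsec"] / 60
    for entry in summary.values():
        entry["estimated_cost"] = round(entry["minutes"] * rate_per_minute, 2)
    return dict(summary)


if __name__ == "__main__":
    for peer, info in find_unauthorized_relay(parse_cdr(SAMPLE_CDR)).items():
        print(f"{peer}: {info['calls']} calls, {info['minutes']:.1f} min, "
              f"~${info['estimated_cost']:.2f}")
```

Run against a nightly CDR export, anything that appears in the output is a peer the gateway should never have accepted; the same allowlist check belongs in the gateway's own peer configuration so that unknown sources are refused rather than merely reported after the bill arrives.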

So we were able to plug a hole that had cost us several thousand dollars, but management wouldn't really be happy unless we could recoup those losses. Our telco provider wasn't encouraging. It said our losses didn't justify the resources necessary to conduct an investigation and a hunt for the bad guys. The consultant, on the other hand, has acknowledged its error and has promised to reimburse us.

