[BreachExchange] Toshiba Business Reportedly Hit by DarkSide Ransomware

Destry Winant destry at riskbasedsecurity.com
Mon May 17 10:46:30 EDT 2021


https://www.infosecurity-magazine.com/news/toshiba-business-hit-darkside/

A subsidiary of Japanese tech giant Toshiba has admitted suffering a
cybersecurity breach reportedly caused by the DarkSide ransomware gang.

Toshiba Tec Corporation — which makes printing, scanning and other office
equipment — revealed the incident in a statement on Friday.

Although the update did not confirm whether any customer data was taken in
the incident, Toshiba admitted that “it is possible that some information
and data may have been leaked by the criminal gang.”

The firm has contacted the relevant authorities in Europe, where the
attackers struck, and is working with third-party cyber experts to find out
exactly what happened.

“The group also took actions to stop the networks and systems operating
between Japan and Europe, as well as those operating among European
subsidiaries, with the aim of preventing the spread of damage while
deploying recovery measures sequentially once effective data backup has
been completed,” it added.

“In addition, the group is proceeding to identify the content and extent of
the possible damage through conducting investigations by the outside
specialized organization.”

Although not mentioned by name in the statement, the infamous DarkSide
ransomware group, linked to the recent Colonial Pipeline attack, was flagged
by a representative from Toshiba’s French subsidiary, according to Reuters.

The newswire quoted a senior malware analyst from Mitsui Bussan Secure
Directions, who appears to be working on incident response, as saying:
“There are around 30 groups within DarkSide that are attempting to hack
companies all the time, and they succeeded this time with Toshiba.”

The report claimed over 740GB of data had been stolen, including passport
scans and other personal information.

However, efforts to confirm the involvement of the group have been
complicated by disruption to its operations. Reports suggest DarkSide’s TOR
site has been closed down and servers seized, although it’s unclear whether
this is a law enforcement operation or simply a tactic from the group
itself designed to take the heat off after its widely publicized raid on
the East Coast fuel pipeline.