[BreachExchange] Failed blackmail attempt prompts hackers to leak ocean of data belonging to major companies

Destry Winant destry at riskbasedsecurity.com
Thu May 2 13:15:12 EDT 2019


https://www.zdnet.com/article/hackers-publish-516gb-of-data-belonging-to-some-of-the-largest-companies-worldwide/

A hacking group has published a trove of data belonging to Citycomp
which appears to have exposed the data of customers, some of which are
extremely well-known enterprise companies across the globe.

Citycomp is a German IT company which provides the IT backbone and
infrastructure required by enterprise companies. Citycomp says it
maintains over 70,000 servers and storage systems, as well as
providing support and maintenance services for peripherals including
cash register systems and printers.

In a statement issued this week, the company said it was the victim of
a "targeted" cyberattack in early April this year.

While the company said it was able to "successfully fend off" the
"hacker attack" with the help of external cybersecurity experts and
the State Criminal Police Office of Baden-Württemberg, it was not
entirely successful -- as customer data had already been stolen.

The threat actors' identities are unknown. However, the attack appears
to have been purely financially motivated: the hackers tried to force
Citycomp to pay a blackmail fee under the threat of releasing the data
into the public domain.

Citycomp did not comply and so customer data has been released.

"Since Citycomp does not comply with blackmail the publication of
customer data could not be prevented," the IT provider says. "The
stolen data has now been published by the perpetrators and Citycomp's
customers were informed about it."

The leaked data has been posted to a .onion address, a special-use
domain that does not resolve on the public "clear" Internet. Such
addresses can only be reached through the Tor network.

On the website, the threat actor claims that "312,570 files in 51,025
folders and over 516GB of data" was stolen, including "financial and
private information on all clients, include VAG, Ericsson, Leica, MAN,
Toshiba, UniCredit, and British Telecom (BT)."

Other Citycomp clients named in the data dump include ATOS, Grohe,
Hugo Boss, Oracle, SAP, and Porsche, among others.

In the data dump, which was viewed by ZDNet, customer email addresses
and telephone numbers, meetings reports, asset lists -- such as
servers and other equipment connected to a customer account -- as well
as some payroll records, project sheets, and accountancy statements
were all available.

Some clients were only connected to a handful of leaked documents,
whereas other customer records were far more robust and extensive. The
authenticity of the leaked data has not been verified at the time of
writing.

The ProtonMail email address posted alongside the leak has previously
been associated with a ransomware strain that appends the .snatch
extension to the files it encrypts. That strain was first observed in
December 2018.
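The .snatch extension is the one concrete host indicator the article gives, so a responder checking whether the same crew touched their own estate would start by sweeping file shares for it. The script below is an added example, not code from the ZDNet article or from Citycomp; the directory layout it builds is constructed for illustration and the `.snatch` extension is the only value taken from the page. It walks a tree without following symlinks, matches extensions case-insensitively (so `.SNATCH` is not missed), and reports hit counts per directory so the affected shares stand out.

```python
#!/usr/bin/env python3
"""Sweep a directory tree for files carrying a ransomware extension.

Added example (not from the article or from Citycomp). The ".snatch"
extension is the indicator named in the article; everything else here,
including the sample tree, is constructed for illustration.
"""
import os
import tempfile
from collections import Counter

# Extensions to look for; ".snatch" is the one named in the article.
RANSOMWARE_EXTS = frozenset({".snatch"})


def find_ransomware_files(root, exts=RANSOMWARE_EXTS):
    """Return (matches, per_dir_counts) for files under `root`.

    matches:        sorted list of paths (relative to root, '/' separated)
                    whose final extension is in `exts`, compared
                    case-insensitively so ".SNATCH" is also caught.
    per_dir_counts: Counter of hits per relative directory, which makes
                    the shares that were encrypted obvious at a glance.
    Symlinks are neither followed nor counted, so the sweep cannot loop
    or wander outside `root`.
    """
    wanted = {e.lower() for e in exts}
    matches = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in wanted:
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
            matches.append(os.path.relpath(full, root).replace(os.sep, "/"))
            per_dir[rel_dir] += 1
    matches.sort()
    return matches, per_dir


def build_sample_tree(base):
    """Create a constructed (hypothetical) sample tree under `base`."""
    layout = [
        "shares/finance/Q1-report.xlsx.snatch",
        "shares/finance/notes.txt",
        "shares/hr/payroll.csv.snatch",
        "shares/hr/archive/old.csv.SNATCH",
        "home/alice/readme.md",
    ]
    for rel in layout:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb"):
            pass
    return base


def sweep_sample_tree():
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_ransomware_files(tmp)


if __name__ == "__main__":
    hits, by_dir = sweep_sample_tree()
    print(f"{len(hits)} encrypted-looking file(s) found")
    for directory, count in by_dir.most_common():
        print(f"  {count:3d}  {directory}")
    for path in hits:
        print("   ", path)
```

On a real incident the sweep would be pointed at the mounted shares and the hit list written out for the IR timeline; an absence of hits on an estate that shares the supplier only rules out this one strain, not access by the same actor.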

One of the alleged hackers behind the campaign (possibly the only one)
spoke to the Register, telling the publication that the data currently
available online is only a sample of the whole and was published
because Citycomp did not pay a $5,000 ransom demand.

ZDNet has reached out to clients which appear to have been involved in
the breach, including BT, Ericsson, Hugo Boss, and SAP. At the time of
writing, none of the companies have responded to requests for comment.

Update 12.36 BST: Ericsson told ZDNet that "we refrain from commenting
on alleged data breaches at other companies."

Oracle said, "Citycomp previously provided on-site hardware break/fix
support to certain Oracle Retail and Food & Beverage customers in
Germany. Citycomp has never had access to Oracle systems."

