[BreachExchange] Major Canadian Military Contractor Compromised in Ransomware Attack

Tue Jan 28 10:16:47 EST 2020

https://www.infosecurity-magazine.com/news/bird-construction-compromised-in/

A Canadian construction company that won military and government
contracts worth millions of dollars has suffered a ransomware attack.

General contractor Bird Construction, which is based in Toronto, was
allegedly targeted by cyber-threat group MAZE in December 2019. MAZE
claims to have stolen 60 GB of data from the company, which landed 48
contracts worth $406m with Canada's Department of National Defense
between 2006 and 2015.

In an email to the Canadian Broadcasting Corporation (CBC), a Bird
Construction company spokesperson wrote: "Bird Construction responded
to a cyber incident that resulted in the encryption of company files.
Bird continued to function with no business impact, and we worked with
leading cyber security experts to restore access to the affected
files."

MAZE's modus operandi is to demand a ransom from its victim to secure
the return of data that the group has stolen and encrypted. Victims
are warned that failure to pay up will result in the data's
publication. If a victim refuses to pay, MAZE's next move is typically
to publish a small quantity of the data it claims to have stolen to
show it means business.

According to Emsisoft threat analyst Brett Callow, MAZE has now
published data it claims to have stolen from Bird Construction. The
published files contain employees' personal data and information
relating to Canadian company Suncor Energy, with which Bird
Construction has worked on multiple projects.

Callow told Infosecurity Magazine: "Maze actually published some of
Bird’s data. The files included documents relating to Suncor and
records for a couple of Bird employees which included their names,
home addresses, phone numbers, banking info, social insurance numbers,
tax forms, health numbers, drug and alcohol test results—everything
that a criminal would need to steal their identity. And all that info
was posted on the clear web where anybody could’ve accessed it."

The published data, which Infosecurity Magazine has viewed, consisted
of two large PDF files, each relating to a separate Bird Construction
employee, plus documents detailing vehicle entry authorization and
alcohol and drug testing procedures at Suncor.

Callow added: "The big question is: what else did MAZE get and did any
of the data relate to Bird's government and military contracts?"

Bird Construction has not said whether a ransom was paid to its
cyber-attackers. Callow advised any company that gets hit by
ransomware not to pay up.

He said: "There is no way for a company to know that the data will be
deleted after a ransom has been paid. In fact, it probably will not be
deleted. Why would a criminal enterprise delete data that they may be
able to use or monetize at a later date?"