
Breach, 2021

On September 2nd, the U.S. branch of Great Star Industrial Co. disbursed a ransom of 1 million dollars to a ransomware group

Incident Details

In early September last year, the American branch of the Chinese multinational Hangzhou Great Star Industrial Co., Ltd (Great Star) chose to negotiate with the Akira ransomware group to prevent the release of confidential administrative and corporate information, and agreed to pay a ransom of 1 million dollars to a BTC wallet. The negotiation took place in a chat set up by the ransomware group and concluded on September 2nd, when the American headquarters in Huntersville, North Carolina, decided to comply with Akira's demands.

Akira claimed to have obtained three databases during the attack on the American servers, using credentials bought on the dark web. The negotiation transcript showed that the attack involved Kerberoasting, a technique that abuses the Kerberos authentication used by Microsoft Active Directory to recover account passwords from service ticket hashes. Akira described the chain: purchasing initial network access on the dark web, carrying out Kerberoasting to obtain password hashes, and finally recovering the domain admin password. The compromised databases belonged to three main subsidiaries of the Chinese parent company Hangzhou Great Star Industrial Co., Ltd.

The chat also showed that Akira initially demanded 2 million dollars in cryptocurrency, later raised to 2.4 million dollars because of additional data taken from two other companies linked to Hangzhou Great Star Industrial Co., Ltd.

Incident

How Did the Breach Happen?

During this incident the attackers used Kerberoasting, an attack against the Kerberos authentication mechanism of Microsoft Active Directory. After entering the network with credentials bought on the dark web, the ransomware group captured the password hashes embedded in Kerberos service tickets; by brute-forcing those hashes offline, they recovered the domain admin password.
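From the defender's side, the Kerberoasting step leaves a trace in the domain controllers' Security log. The following is an added example, not code from the original article or from Great Star, that scans Windows Security Event ID 4769 (Kerberos service ticket request) records and flags accounts that pulled RC4-encrypted tickets for several non-machine service accounts, the pattern a roasting tool produces. The field names and encryption type codes are those of the real event; every record, account and address below is constructed.

```python
from collections import defaultdict

# Constructed sample Security Event ID 4769 records (field names follow the
# real event; every value here is made up for the example).
SAMPLE_4769 = [
    {"TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7", "Status": "0x7"},
]

RC4_HMAC = "0x17"  # legacy etype; AES tickets (0x11/0x12) are not practical to crack


def is_roast_candidate(ev):
    """True for a successful RC4 service-ticket request to a user-backed service account."""
    svc = ev["ServiceName"]
    if ev["Status"] != "0x0":            # a failed request issues no ticket to crack
        return False
    if ev["TicketEncryptionType"] != RC4_HMAC:
        return False
    if svc.endswith("$") or svc.lower() == "krbtgt":  # machine accounts and the TGT service
        return False                                   # have random, uncrackable keys
    return True


def detect_kerberoasting(events, min_distinct_services=3):
    """Map each requesting account to the distinct service accounts it pulled RC4
    tickets for, and report those at or above the threshold."""
    per_user = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_distinct_services}
```

Running `detect_kerberoasting(SAMPLE_4769)` flags only jdoe, who requested RC4 tickets for three different service accounts; the AES request, the machine-account request and the failed request are ignored. Tune the threshold and a time window to your environment's normal service-ticket volume.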

What Data has been Compromised?

During the cyber attack, three databases owned by significant subsidiaries of Hangzhou Great Star Industrial Co., Ltd were breached.

Why Did the Company's Security Measures Fail?

The company's defences failed at the front door: the ransomware group entered with credentials bought on the dark web rather than by exploiting a software flaw, which points to weaknesses in the company's credential management and authentication controls.

What Immediate Impact Did the Breach Have on the Company?

In order to prevent the disclosure of sensitive administrative and corporate information, the American branch of Great Star Industrial Co. opted to engage in discussions with a ransomware group and agreed to pay a sum of 1 million dollars.

How could this have been prevented?

Stronger authentication controls, service-account passwords that cannot be recovered by brute force, and a consistent process for finding and fixing vulnerabilities in the company's systems could have prevented this breach.

What have we learned from this data breach?

This breach underscores the importance of maintaining strong security controls, patching vulnerabilities promptly, and performing thorough audits to find and fix weaknesses before an attacker does.

Summary of Coverage

In September 2021, the American division of Great Star Industrial Co. fell victim to a ransomware incident that led to the breach of three databases belonging to key subsidiaries of the organization. The attackers entered with credentials bought on the dark web and then used Kerberoasting against the company's Active Directory Kerberos authentication to obtain the domain admin password. To avoid the exposure of confidential information, Great Star Industrial Co. negotiated with the ransomware operators and ultimately agreed to pay a ransom of $1 million.
