Two major cyberattacks, separated in space and time, are linked by a hidden objective. One targeted a large pharmaceutical company in Asia, the other a large American heavy equipment manufacturer. According to our research, the two attacks have a not-so-obvious connection. On the surface, both appeared to be financially motivated, but a closer look reveals a more sinister link.
The smokescreen: Corporate Espionage
The actor behind both attacks was the Alphv ransomware group. In the case of the pharma company, nearly 17 TB of data was exfiltrated from the company's networks. While the group was still negotiating with the victim, it was also trying to sell the data on several breach forums. That may look like a page straight out of the standard ransomware playbook, but there is a possibility that the attack was motivated by corporate espionage, and that the whole drama of negotiating with the victim was a smokescreen meant to bury the real objective under layers of subterfuge.
There are several reasons to believe this is the case. The evidence that points to this line of reasoning:
- The hackers opened negotiations unusually late
- The hackers put little pressure on the company to fast-track the negotiations. Deadlines were set, but the hackers did not take them seriously and on multiple occasions offered generous extensions for payment
- Only 3 TB of the 17 TB stolen was offered for sale, unlike previous incidents in which nearly the entire data dump was put up for sale. The group stated that it would not offer the full set of exfiltrated data to potential buyers and gave no reason for this surprising move. Stolen data loses value quickly as it ages, so if Alphv were simply hoarding the rest for a later sale, its chances of getting a fair price would be much lower. Alphv would have factored this in both while planning the attack and during the negotiations
- The hackers claimed to be in possession of confidential research information
- They also claimed to have obtained personal documents belonging to company employees and to still have access to the victim's systems a month after the attack
Taken together, this points to the actor having already secured some form of monetary gain from the intrusion before Alphv made its first ransom demand. Typically, after compromising a victim, ransomware operators do everything they can to pressure the victim into paying quickly. The longer negotiations drag on, the greater the chance that the victim restores its systems from backups, regains access without paying, and locks the attackers out. Despite this, Alphv let the negotiations run on without applying significant pressure on either victim.
Wasn’t Alphv serious about ransom? How could this be?
It is possible that in both cases Alphv was contracted by some entity to exfiltrate specific data from its victims' servers and networks (for a price, of course). The subsequent half-hearted ransom demand would then have been an attempt to cover its tracks and make the intrusion look like a routine ransomware attack. Such cases are few and far between, but they do happen.
As hacker groups diversify their revenue streams, espionage becomes another source of income. Given the highly competitive sectors these two businesses operate in and the behavior shown by the threat actor, it is possible that Alphv was already in contact with a competitor about selling the data even before it was exfiltrated.