
Cyber gangsters publish staff passwords following ‘Sodinokibi’ attack on car parts group Gedia

Sodinokibi hacking group steps up pressure on German automotive manufacturer by publishing information, including the CEO’s computer password and sensitive details of its IT systems, on the internet

Cyber criminals have threatened to raid the bank accounts of customers and employees of German automotive group Gedia, following a major cyber attack on the company’s headquarters last week.

Gedia Automotive Group, based in Attendorn, has been forced to shut down its IT systems and send home more than 300 employees from its head office following the cyber attack on 21 January.

The cyber crime group, Sodinokibi, which uses ransomware to extort companies into paying a ransom to recover their data, claimed responsibility for the attack.

The criminals have stepped up pressure on the company by publishing a cache of confidential data seized from one Gedia employee on the internet.

The data includes passwords of Gedia staff, including that of chief executive Markus Schaumburg, plans of the company’s datacentre, computer network diagrams and details of the company’s file backup systems.

Gedia has filed a criminal complaint with police in Hagen, according to local press reports. Police told LokalPlus they were trying to assess the situation.

Gedia published a statement on its website on 23 January, saying the attack had “far reaching consequences” for the entire group – which has operations in Spain, Poland, Hungary and the US. It has since deleted the statement.

Gedia stated on its website that it would take weeks or months before its systems were fully up and running.

Sodinokibi claimed in a post on two underground Russian-speaking hacking forums on the dark web that it had 50GB of sensitive data, including blueprints and employees’ and clients’ details, and would publish them unless the company paid up.

The group released a cache of hacked documents it claimed were in answer to comments made by CEO Markus Schaumburg.

The group, posting under the name “UNKN” or “Unknown”, threatened to start exploiting financial data it claims to have seized from the company.

“Answering to Mr Schaumurg’s comment, we attach an archive of your employee Philip. This archive contains the full information on internal infrastructure, backup plans, network and of the RoyalTS software,” the group said.

“As a bonus we attach the unencrypted dump of the domain controller. Another comment like this – we’ll start using the financial data of the company, your clients and employees. Of course, we’ll notify them why money has disappeared from their accounts. You have 7 days. We’ll be tougher next time.”

The threat marks a disturbing change in tactics by the crime groups behind the Sodinokibi ransomware, said Irina Nesterovsky, head of research at Kela, an Israeli security company specialising in darknet threat intelligence that monitors hacking groups.

Until the start of this year, the Sodinokibi group had demanded ransoms only to decrypt company computer systems; publishing stolen data is a new trend, she said.

“Unknown” has made similar threats following ransomware attacks against Travelex and US IT services company Artech Information Systems this month.

Ich bin cool

The cache of data from Gedia released by the group on the internet includes details of employees’ user names and passwords, many of which appear to be easily guessable, including Hallo1234512, qwertzui2! – made up from adjacent letters on the German qwertz keyboard – and Ichbincool4.
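The three passwords quoted above fail for two reasons a password audit can catch mechanically: runs of adjacent keys on the German QWERTZ layout (qwertzui, 12345) and dictionary words or phrases padded with a digit or symbol (Hallo, Ich bin cool). The following checker is an added example written for this article, not code from Computer Weekly, Gedia or any of the companies named; the QWERTZ row definitions and the tiny wordlist are assumptions constructed for the demonstration, and a real audit would substitute a full dictionary or breach corpus. It runs offline against the three leaked passwords as reported.

```python
"""Weak-password pattern detector (constructed example, not from the article).

Flags two patterns reported in the Gedia leak: keyboard walks on the German
QWERTZ layout and dictionary words followed by a digit/symbol suffix.
"""
from __future__ import annotations

import re

# Assumption: an approximation of the German QWERTZ layout, one string per row,
# keys as typed without modifiers. Enough to detect adjacent-key runs.
QWERTZ_ROWS = ["1234567890", "qwertzuiopü", "asdfghjklöä", "yxcvbnm"]
MIN_WALK = 4  # shortest run of adjacent keys treated as a keyboard walk

# Constructed toy wordlist; a real audit would load a large dictionary/breach list.
WORDLIST = {"hallo", "ich", "bin", "cool", "passwort", "sommer", "willkommen"}

# Passwords as quoted in the article.
SAMPLE_PASSWORDS = ["Hallo1234512", "qwertzui2!", "Ichbincool4"]


def _walk_fragments() -> set[str]:
    """Every substring of length >= MIN_WALK that follows a keyboard row, either direction."""
    frags: set[str] = set()
    for row in QWERTZ_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - MIN_WALK + 1):
                for j in range(i + MIN_WALK, len(seq) + 1):
                    frags.add(seq[i:j])
    return frags


_WALKS = _walk_fragments()


def keyboard_walk(pw: str) -> str | None:
    """Return the longest keyboard-walk fragment in pw (case-insensitive), or None."""
    low = pw.lower()
    hits = [f for f in _WALKS if f in low]
    return max(hits, key=len) if hits else None


def strip_suffix(pw: str) -> str:
    """Drop a trailing run of digits and punctuation: 'Hallo1234512' -> 'Hallo'."""
    return re.sub(r"[\d\W_]+$", "", pw)


def segment_words(text: str) -> list[str] | None:
    """Return wordlist words that exactly cover text (backtracking), else None."""
    text = text.lower()
    if not text:
        return []
    for end in range(len(text), 0, -1):
        head = text[:end]
        if head in WORDLIST:
            rest = segment_words(text[end:])
            if rest is not None:
                return [head] + rest
    return None


def assess(pw: str) -> dict:
    """Report detected weak patterns; an empty dict means nothing was flagged."""
    findings: dict = {}
    walk = keyboard_walk(pw)
    if walk:
        findings["keyboard_walk"] = walk
    base = strip_suffix(pw)
    words = segment_words(base) if base else None
    if words:
        findings["dictionary_words"] = words
        if base != pw:
            findings["suffix"] = pw[len(base):]
    if len(pw) < 12:
        findings["short"] = len(pw)
    return findings


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:15} {assess(pw)}")
```

Run as a script, it prints one line per sample password with the patterns found; in an audit pipeline `assess` would be applied to a credential export or, better, to candidate passwords at set-password time so that such strings are rejected before they reach the directory.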

Other files give details of Gedia’s backup systems, storage arrays, Cisco routers and physical plans of buildings marking the location of servers.

The attackers released a file containing scans of Gedia’s Microsoft Active Directory, containing details of sensitive user names and passwords, as proof that they have infiltrated the company’s networks.

It reveals that the hackers extracted the data with ADRecon, an Active Directory reconnaissance tool supplied by the Australian security company Sense of Security, which was also used in previous Sodinokibi attacks.

Critical systems running

The company did not return calls from Computer Weekly, but it said in a now-deleted statement on its website that it had put emergency plans in place to ensure continued production, supply and delivery of customer orders.

“The critical systems are running. External security experts support the analysis and repair of the damage,” the statement said.

The crime groups behind Sodinokibi access company computer systems through a variety of techniques, including phishing attacks, vulnerabilities in VPN services and Microsoft’s Remote Desktop Protocol, designed to allow technicians remote access to computers.

Insecure server

Research by US security company Bad Packets shows that Gedia had a Pulse Secure VPN server that lacked key security updates until at least 10 January 2020. The server is now offline, its chief research officer, Troy Mursch, told Computer Weekly.

In October last year, the UK’s National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) issued an alert warning that cyber criminals were attempting to infiltrate organisations worldwide through vulnerabilities in Pulse Secure and other VPNs.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a further warning about vulnerabilities in Pulse Secure VPNs on 10 January this year, in the wake of a surge in ransomware attacks at the start of 2020.

“Although Pulse Secure disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency continues to observe wide exploitation,” it said.

Other cyber security researchers have suggested that the hackers may have exploited a vulnerability in the company’s Citrix servers, after noticing a spike in hackers selling Citrix logins on Russian hacking forums around the time of the attack on Gedia.

Security researcher “Under the Breach” said on Twitter that there was a “high probability” that the attackers used a Citrix exploit.

Additional research by Matt Fowler
