Trinity Ransomware Group Claims Breach of Spanish Tax Agency, Law Firm Reports Significant Data Theft
Information Security Media Group (ISMG) provides a weekly overview of significant cybersecurity incidents and data breaches worldwide. Recent reports indicate that the vodka manufacturer Stoli Group has declared bankruptcy after a devastating ransomware attack. Meanwhile, the Trinity ransomware group mistakenly claimed to have breached the Spanish Tax Administration Agency (AEAT), triggering concerns about data security. Furthermore, a recent cable cut in Finland is now believed to be an accident rather than sabotage. In other developments, hackers have stolen data from Japanese online shoppers, while Chemonics International, a U.S. government contractor, and the law firm Keesal, Young & Logan both reported breaches of sensitive data. Additionally, an expansive cybercrime operation labeled Operation HAECHI-V led to the apprehension of over 5,500 individuals across 40 countries, with $400 million in assets seized. The report highlights a noticeable increase in cyberattacks targeting both the United Kingdom and U.S. infrastructure, with ENGlobal, an energy contractor, being a recent ransomware victim.
Vodka Manufacturer Files for Bankruptcy Following Cyberattack
In a move that underscores the devastating impact of cybercrime, U.S.-based subsidiaries of Stoli Group, namely Stoli USA and Kentucky Owl, filed for bankruptcy on November 27. The filing cites a ransomware attack from August and ongoing conflicts with the Russian government as contributing factors to their financial woes. Stoli USA’s CEO, Chris Caldwell, indicated that the attack severely disrupted its enterprise planning systems, necessitating a shift to manual accounting processes, a situation expected to persist into early 2025.
The ramifications of the incident extend beyond operational disruption, as failure to provide financial reports to lenders resulted in claims of default on $78 million in debts. Compounding these challenges, Russian authorities have confiscated distilleries valued at $100 million, contending that Stoli Group is linked to extremist activities due to its founder’s support of Ukraine amidst geopolitical tensions.
Trinity Cybergroup Wrongly Alleges Breach of Spanish Tax Agency
The ransomware group Trinity recently asserted it had stolen 560 gigabytes of data from the AEAT, only for the agency to refute these claims. Following an internal investigation prompted by Trinity’s December 1 announcement on its dark web leak site, AEAT officials revealed there is no evidence suggesting that its systems or data had been compromised. Instead, it appears that the attackers mistakenly targeted a private firm engaged in tax and labor-related services.
Historically, such mix-ups are not uncommon in ransomware attacks. Prior incidents have illustrated how cybercriminals can erroneously identify their targets, raising important questions about the sophistication of their reconnaissance efforts prior to initiating attacks. The tactics apparently employed in this instance may prompt executives to evaluate their own cybersecurity strategies and to strengthen their defenses in case their organization is similarly targeted by mistake.
Fiber Optic Cable Break Between Finland and Sweden Determined to Be Accidental
The Finnish police have declared that a recent break of a fiber optic cable connecting Finland to Sweden, which impacted thousands of businesses, was not a result of nefarious actions but rather due to excavation activities. This conclusion follows a thorough investigation that confirmed no criminal activity was involved. This incident closely follows another severe cable cut reported in November, which is under investigation for potential sabotage.
Data Breach Affects Over 100,000 Japanese Online Shoppers
In a significant data breach, hackers have reportedly compromised the personal information of at least 100,000 customers from 11 online retailers in Japan, including Tully’s Coffee. By remotely tampering with the retailers’ systems through inserted malicious code, the attackers went undetected for an extended period. Investigations by the Tokyo Metropolitan Police suggest potential involvement from international criminal groups.
Chemonics Breach Exposes Sensitive Data of Over 263,000 Individuals
U.S.-based Chemonics International has disclosed a major data breach that compromised the personal information of over 263,000 individuals. The intrusion began in May 2023, and the attackers moved through the company’s networks undetected until the breach was discovered in December. The contractor, known for its extensive work with the U.S. Agency for International Development, continues to assess the full impact of the breach.
Keesal, Young & Logan Reports Cyber Incident Impacting 316,000 Individuals
The California-based law firm Keesal, Young & Logan has notified over 316,000 individuals of a data compromise detected in June. According to the firm’s report, an unauthorized actor accessed sensitive information stored within their network during a brief window. The nature of the data exposed includes Social Security numbers, financial account specifics, and medical information, underscoring the escalating threats facing legal firms amidst a rise in cyber incidents.
Operation HAECHI-V Leads to Widespread Arrests in Connection with Financial Crime
A substantial international operation led by Interpol, dubbed Operation HAECHI-V, resulted in over 5,500 arrests and the seizure of $400 million in both virtual and traditional currencies. This extensive operation spanned from July to November, involving 40 countries, and focused on a multitude of financial crimes. These efforts highlight growing coordination among international law enforcement agencies in combating cyber threats.
UK Faces Surge in Cyberattacks in 2024
The National Cyber Security Centre (NCSC) reported a significant increase in severe cyberattacks across the UK in 2024, marking a critical concern for organizations reliant on digital infrastructure. With 1,957 incidents recorded, 89 were classified as impacting essential services, with heightened severity evident in government and critical sectors. The ongoing geopolitical conflict, especially the Russia-Ukraine war, has intensified these threats, with ransomware identified as a predominant risk.
ENGlobal Faces Disruption from Ransomware Attack
In another alarming incident, U.S. energy contractor ENGlobal reported its IT systems remain severely limited due to a ransomware attack detected on November 25. The extent of the data breach remains unclear, but the company indicated that current operations are restricted to essential functions only. Given ENGlobal’s integral role in supporting the Department of Defense and other critical sectors, this incident raises serious questions about the ongoing vulnerabilities faced by organizations involved in sensitive infrastructure projects.
This roundup serves as a reminder of the increasing sophistication of cyber threats and the diverse tactics employed by adversaries. Assessing incidents such as these through the lens of the MITRE ATT&CK framework may aid organizations in fortifying their defenses against future attacks.