The attacker stole financial data belonging to some of the largest corporations and demanded a ransom payment
German IT provider Citycomp, whose clients include high-profile enterprises such as Airbus, Hugo Boss, Oracle, Volkswagen, and BT, suffered a targeted cyber attack. The threat actor harvested financial information belonging to these companies and demanded a ransom, threatening to release the data to the public if it was not paid.
Citycomp is one of the largest internet infrastructure companies, operating more than 70,000 storage systems and servers worldwide. It also maintains approximately 500,000 pieces of IT equipment, such as PCs, printers, and cash registers.
Citycomp declined to pay the ransom, so the attacker published the data on a purpose-built website that anyone can view. The company's spokesperson nevertheless states that all affected customers have been informed about the incident:
CITYCOMP Service GmbH was the victim of a targeted cyberattack in early April 2019. As a result of the company's failure to comply with the threat actor, the stolen data has now been published by the perpetrators and CITYCOMP's customers were informed about it.
Citycomp declined to pay the $5,000 ransom, so the perpetrator released the stolen information
The hacker, who goes by the pseudonym "Boris," claimed that all the stolen financial and other private data is now hosted on a Tor-based site on the dark web. According to Motherboard, the site also lists the attacker's email address, which had previously been used in ransomware campaigns. The data consists of 312,570 files in 51,025 folders, totalling 516 GB.
Most of the affected data appears to come from the German subsidiaries of firms such as Toshiba, Leica, Ericsson, Porsche, Volkswagen, and UniCredit, since the files are marked with the "GmbH" suffix, the German designation for a limited liability company. The large German supermarket chains Kaufland and REWE were also found to be affected. Some of the victims had hundreds of related files listed, while others had only a few.
According to The Register, the leaked data mostly consisted of contact information for Citycomp's customers, including email addresses, phone numbers, and names, along with some technical details such as the model and serial numbers of their IT equipment.
Citycomp is working with German law enforcement to resolve the cybersecurity incident
Michael Bartsch, a director at Deutor Cyber Security Solutions, was assigned to handle the aftermath of the data breach. In addition to the forensic investigation team, Citycomp also engaged G DATA Advanced Analytics GmbH and the Federal State Police of Baden-Württemberg, which are still investigating the attack, although Bartsch states that there is no "risk of further infection of customer and partner systems." He also said that some systems were disconnected as a precautionary measure and that the affected company put additional security measures in place:
CityComp, with the help and support of external experts and the State Criminal Police Office of Baden-Württemberg, successfully fended off the attack and implemented supplementary security measures on all systems. The incident analysis of Deutor Cyber Security Solutions GmbH, G DATA Advanced Analytics GmbH and the Federal State Police Baden-Württemberg showed that at no point was there any indication of a risk of further infection of customer and partner systems, but for security reasons some of the systems have nevertheless been disconnected.
Citycomp initially considered paying the ransom but later dropped the idea, because the exploited vulnerability had been identified and immediately patched, preventing the attacker from repeating the attack in the future.
The attack on Citycomp did not rely on ransomware, which has been the most prevalent threat to high-profile organizations (SamSam, LockerGoga, GandCrab, etc.) in recent years. It serves as a reminder that plain data theft followed by extortion remains a live threat, and that companies should improve the security of their internal networks to prevent this kind of data compromise in the future.