French IT Services Firm Hit by Ransomware Attack
Inetum Ensures Log4J Vulnerability Was Not Exploited
French IT services firm Inetum Group has confirmed that it was the subject of a ransomware attack last week that disrupted certain operations.
Inetum Group says the ransomware attack occurred on Dec. 19 and affected its operations in France, but it ruled out any links to the Log4j vulnerability.
The company said that none of its infrastructures, communication, collaboration tools or delivery operations for its clients were affected.
"Within the affected perimeter, all servers have been isolated and client VPNs have been switched off. Following these initial measures and as a precaution, the dedicated crisis unit within the Group immediately asked Inetum's operational teams to deactivate certain client interconnections deemed sensitive at the time," the company says.
The company also states that it has identified the signature of the unnamed ransomware group, which it says it has communicated to the authorities at France's National Information Systems Security Agency - the country's main cybersecurity agency.
"Inetum has already notified the prosecuting authorities and is working closely with their specialized cybercrime units. The Inetum Group has also decided to call in a Security Incident Response service to benefit from the support of a trusted third party," according to the company.
Inetum Group operates in more than 26 countries, has nearly 27,000 employees and in 2020 generated revenues of 1.966 billion euros ($2.2 billion), according to its website.
The company provides digital services to customers in various sectors including aerospace and defense, chemicals and life sciences, banking, automotive, energy and utilities, healthcare, insurance, retail, public sector, logistics, telecom and others.
Information Security Media Group was not able to contact an Inetum Group spokesperson for comment on Saturday.
The company did not disclose the name of the ransomware group, but Valéry Rieß-Marchive, the editor-in-chief at French publication LeMagIT, says that the new BlackCat ransomware, also known as ALPHV and Ransom.Noberus, was behind the attack at Inetum Group.
Symantec, a division of Broadcom Software, which spotted the ransomware at a victim organization on Nov. 18, saw three variants of Noberus deployed by the attackers over the course of that attack.
"Noberus is an interesting ransomware because it is coded in Rust, and this is the first time we have seen a professional ransomware strain that has been used in real-world attacks coded in this programming language," according to the Threat Hunter Team at Symantec.
The operators behind the ransomware carry out typical double-extortion ransomware attacks, in which they first steal information from victim networks and then encrypt files. Noberus adds the .sykffle extension to encrypted files.
Symantec also reported that the developers behind this ransomware are seeking affiliates on Russian-speaking hacking forums, which they assume means that the number of malicious actors deploying this ransomware is likely to grow.
Other French Victims
Earlier this year, French security vendor Stormshield launched an investigation after an internal review found that hackers had accessed the source code of the company's network security product (see: French Security Firm Says Hackers Accessed Its Source Code).
Stormshield acknowledged that the company had sustained a breach and that unknown hackers had accessed the source code of its Stormshield Network Security product.
The firm supplies firewalls and other products to the French government and the military, and some of its tools carry the highest certification issued by ANSSI, the country's main cybersecurity agency.
In Oct. 2020, French IT services firm Sopra Steria confirmed that its internal infrastructure had sustained a ransomware attack that disrupted its operations, with a full recovery expected to take weeks (see: French IT Services Firm Confirms Ryuk Ransomware Attack).
Sopra Steria said it had been hit with a variant of the Ryuk ransomware strain on Oct. 20. The company said, however, that there is no evidence any customer or company data has leaked or that there has been any damage to any customers’ systems that the company manages.