Panasonic India's Data Released in Extortion PlotExperts Say Attack is Textbook Example of Hack and Extort Campaign
In mid-October, a new post, written in Russian, appeared on a cybercriminal forum. It advertised network access to a large electronics manufacturer, including backups of corporate email and gigabytes of data.
The post warned that, if the unnamed company did not pay a $500,000 ransom within seven days, the data would be publicly released. It also said that a ransom note had been sent to the company's corporate email addresses. The post also offered the data and access to the company's network to anyone willing to pay $40,000 in the virtual currency bitcoin.
"The company is a shareholder and manufacturer of home electronics and electrical equipment," the forum post said. "At least every five people know this company."
On Nov. 3, the attackers released a 4GB data archive that belongs to Panasonic India. The data is an extensive trove of sensitive material, including outstanding account balances with suppliers, bank account numbers, accounting spreadsheets, lists of passwords for sensitive software systems, email addresses and more.
What happened to Panasonic India is a textbook case of the increasingly hostile cybersecurity environment companies are facing. Once attackers gain access to systems, several plays are possible, including quietly stealing intellectual property, selling the illicit access to other fraudsters and extorting the company or installing file-encrypting ransomware. In some cases, attackers do all of that.
Panasonic India acknowledged Thursday in a statement provided to Information Security Media Group that it's aware of the data dump.
"No highly confidential information, such as personal information of customers or suppliers, were revealed," says Ying Han, a spokeswoman with Panasonic's Global Communications Office in Japan. "The security of the Indian subsidiary has been bolstered. We are also confirming and reinforcing the information security countermeasures in related companies across the globe."
Hacker's Apparent Activities
The Los Angeles-based security company Resecurity has been communicating with the person who claims to have compromised and tried to sell Panasonic India's data. Resecurity's Hunter Unit specializes in striking up conversations with attackers via instant messaging and dark web forums, gaining intelligence on their methods and motives.
The apparent attacker speaks Russian and is highly technical, say Gene Yoo, Resecurity's CEO. Typically, after the attacker compromises a company, he tries to extort it, Yoo says, and the larger the company, the higher the ransom. If direct extortion fails, the attacker sells the access to other criminals, who mount a ransomware attack, Yoo says.
Yoo says this attacker claimed responsibility for breaching Foxconn and its subsidiaries, which Bleeping Computer reports were hit by a ransomware attack around Nov. 29. The attackers were demanding about $34 million, payable in bitcoin.
After gaining access to Foxconn, the attacker then sold that access to other actors, who installed file-encrypting ransomware, Yoo says. Prices the hacker charges for access to an organization's network range from $1,000 to $10,000, depending on how permissive the access is, he adds.
"Unfortunately, we see more and more actors establishing close operations with ransomware groups by becoming their affiliates," Yoo says.
Panasonic India said it would not answer further questions about the ransom attempt. It's unclear how the attacker breached Panasonic India's systems, but the attacker claimed he had administrator access to two of the company's internal domains. That likely means access to Active Directory. Active Directory is Microsoft's software that brokers access to user accounts and applications (see: Why Hackers Abuse Active Directory). It is highly valuable to attackers because it can allow access to other systems connected to it.
An examination of the data released suggests that Panasonic India may have underplayed the breach's significance and the risk the exposed data poses, says Alex Holden, CISO at Hold Security, a Milwaukee-based security consultancy. He has examined the data and says its release is "very significant."
"From a general perspective, it looks bad," Holden says. "There are not only passwords, but records of customers, providers and vendors, and there is also information about employees."
One spreadsheet contains a list of 58 subcontractors and former subcontractors for Panasonic India. The spreadsheets contains the bank used by the contractor, the type of account they have with the bank and their account numbers.
Another exposed PDF created in August 2017 contains a list of 197 suppliers, mostly based in India, but also Singapore, Malaysia, Hong Kong, Thailand and Japan, Holden says. The list contains the names of contact points for those suppliers, their email addresses and phone numbers.
Yet another document, which is marked in red as "Strictly Confidential Report" and dated March 31, 2020, contains outstanding account balances from companies such as fastener suppliers, plastics manufacturers and suppliers of springs and adhesives, among many others.
The data released would be useful for business email compromise exploits, the catch-all term for a variety of scams that seek to get companies to pay fraudulent invoices, Yoo says. If companies pay into a wrong account, the money can be difficult to recover (see: FBI: BEC Losses Totaled $1.7 Billion in 2019).
What's particularly interesting about this breach is that the attacker grouped the most sensitive documents into folders that say "Panasonic India" in Russian, Holden says. Often, attackers merely dump what they've stolen from systems.
"There is definitely evidence of the bad guys sorting the data to make it more presentable," Holden says.
One folder contains spreadsheets of passwords. A spreadsheet contains the usernames and passwords for what's labeled "Google Corporate email," "Remote Admin," "Office McAfee," "CC TV - office," "ERP Production" and more.
"These are critical components," Holden says. "They put them in an insecure place."
Also leaked was Panasonic India's internal advice on how to create unique passwords. A screenshot from around 2013 warns Panasonic employees about creating passwords such as "123."
But some of the password spreadsheets contain those that were sequences of numbers and other simple passwords. Computer security experts advise that passwords should be complex to prevent the chance of attackers guessing one. Also, complex passwords are more resistant to password cracking attempts.
Holden says Panasonic India has distributed the right advice about passwords internally, but apparently may have not taken its own advice. Also, passwords shouldn't be stored unencrypted across different systems in spreadsheets.
"I can tell you based on what I've seen from this dump, the concept of security is there, but the practice is not to the degree of what is needed," he says.
Yoo says it's clear that Panasonic India stored lots of unencrypted data, which is problematic. Encrypting emails and files would have made them useless to the attackers without the decryption keys.
Whether the breach of Panasonic's India subsidiary posed a breach to the entire Panasonic corporation is difficult to assess, Yoo says. He says it's challenging for large companies with subsidiaries to control all aspects of security.
And that's what poses opportunities for attackers. "Sometimes those branches could be used as points of compromise into the [broader] infrastructure, to target employees, sensitive files and so on," Yoo says.