Coca-Cola billboard in city showing data theft by ransomware group

Ransomware Group’s Claim of Data Theft Being Investigated by Coca-Cola

A ransomware group called Stormrous is claiming that it stole 161 gigabytes of data from Coca-Cola, including login credentials and financial data. Coca-Cola has yet to confirm the data theft, but says that it has initiated an “urgent investigation.”

Coca-Cola may have been picked by internet poll for data theft

Stormous, a relatively new ransomware group that has yet to establish much of a reputation, has placed a listing on Telegram offering the data for the price of 1.6 bitcoin (about $64,000). It claims that data from commercial accounts is included in the bundle, along with unspecified financial data and internal usernames/passwords. It is unknown if there have been any takers as of yet.

The data theft came about via an unusual circumstance, as the ransomware group posted a poll on its Telegram for its followers. It offered a choice of four targets in addition to Coca-Cola: Mattel, science and tech conglomerate Danaher, education tech firm Blackboard and General Electric’s airplane engine provider GE Aviation. A little over 100 users voted in the poll, and Coca-Cola ran away with it with 72% of the vote.

Coca-Cola has said that it has opened its own “urgent” internal investigation and is in contact with law enforcement.

Ransomware group has ties to Russia, but speaks Arabic and has little reputation

Stormous has previously expressed support for Russia in its invasion of Ukraine, but security researchers have found that most of its communications are in Arabic. Wherever it might be located, the group has announced its intention to focus on American companies and seems to have some sort of generalized beef with the West.

Coca-Cola drew some criticism from supporters of Russia for being among the first wave of Western companies to withdraw their business from the country in the early days of the Ukraine invasion. Coca-Cola projects that the protest move will cost it about 1 to 2% of its annual profit for 2022, but has also committed to providing $15 billion in aid to the Red Cross and other organizations working to aid Ukrainian refugees.

Stormous only appeared several months ago, and while the group has claimed some major data thefts it remains unclear what it has actually done thus far. The group referenced carrying out an “operation for the Ukrainian government” involving an airline company in the country, but it is unclear exactly what it was referring to.

The ransomware group’s reputation is almost entirely based on a claimed breach of Epic Games in early March of this year. Stormous claimed a data theft of over 200 gigabytes that included the source code of games, but neither Epic nor independent sources have yet verified that the breach was legitimate. At the very least Epic does not seem to believe that user logins were compromised as it has not issued any notification of a breach to customers nor required them to change their passwords.

Stormous also advertises itself as a ransomware group, yet it has not been linked to any incidences of deploying ransomware on a target computer. If it is actually doing anything, the group appears to simply exfiltrate files and then sell them via underground markets.

The ransomware group has allegedly leaked the data of previous victims via its Telegram channel, but an investigation by security firms SOCRadar and ZeroFox noted that every company it claimed to have breached had experienced data theft by another actor in a prior incident. It is possible that the ransomware group has simply published data that it acquired from breaches conducted by other threat actors.

It is possible that the group’s poll for its Telegram followers listed four companies that it had identified vulnerabilities in that it was confident it could exploit. However, it makes little sense for the group to provide a warning to those entities in that way; it had already appeared on the radar of threat researchers given its prior data dumps and its proclamation of  support for Russia, so it would be safe to assume that it was being monitored by someone.

That, combined with its seemingly unverifiable history of actually breaching even one specific company, leaves one to wonder if there was any sort of data theft at Coca-Cola at all. If any verifiable data has appeared in what was listed for sale, it is possible that it came from a prior incident. In early 2021 Coca-Cola had an engineer go rogue and steal trade secrets by taking photographs of sensitive documents, something that was only discovered when she gained employment with another company and got caught there trying to do the same thing. In 2017, the company had another rogue employee steal a flash drive containing the personal information of about 8,000 employees. This was also not discovered until long after the incident occurred, giving the information time to proliferate. And in 2009, the soda giant was reportedly breached by Chinese hackers as it was in the process of acquiring Huiyuan Juice Group, an incident that revealed the company had an internal policy of concealing data theft from the public.

Nevertheless, breaches of this nature have become far from uncommon. Neil Jones, director of cybersecurity evangelism for Egnyte, has some parting advice for organizations in a similar position: “The alleged data breach of 161 GB of Coca-Cola’s data by Stormous demonstrates that even potential breaches can impact an organization’s brand reputation and necessitate formal media responses by the company. Although details of the incident are still emerging, an effective incident response plan needs to account for potential attacks that originate from financially-motivated cyber-attackers, disgruntled insiders and even competitors who are trying to gain an edge in a critical market.”