Hackers stole and published online thousands of sensitive documents, including security blueprints of heavily guarded companies after a successful ransomware attack on a security firm.
Gunnebo Group is a Swedish company specializing in physical security systems for organizations such as banks, casinos, government agencies, nuclear facilities, jewelry stores and tax agencies.
It has more than 4,000 employees, operations in 25 countries and billions in annual revenue. The firm claimed to have foiled a cyber attack in August, weeks before suspected ransomware operators published the sensitive documents online.
Gunnebo Group’s ransomware attack timeline
In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had compromised its network and sold the authentication details to a ransomware gang. Hold Security, a cyber intelligence firm based in Milwaukee, Wisconsin, had notified KrebsOnSecurity of the breach.
The sale involved the transfer of Remote Desktop Protocol (RDP) account credentials created by a Gunnebo employee to access the company’s systems remotely.
In August, Gunnebo disclosed that it had successfully thwarted a ransomware attack. The company said that the cyber attack had forced a shutdown of its servers to prevent the spread of ransomware across the network. Gunnebo assured the public that the impact of the ransomware attack was minimal.
However, the Swedish media outlet Dagens Nyheter revealed that in September hackers published about 38,000 documents stolen from Gunnebo.
The ransomware attack timeline and the release of the company’s security blueprints suggest that the gang had exfiltrated data before Gunnebo responded. Alternatively, the attackers could have maintained persistence on Gunnebo’s servers, contrary to the company’s claims.
Gunnebo Group downplayed the risk of leaked security blueprints
KrebsOnSecurity tried to contact Gunnebo through Twitter and received a reply from Rasmus Jansson, an account manager at the company.
Jansson told KrebsOnSecurity that he had notified Gunnebo of the incident but was unaware of what action was taken to mitigate the threat. Jansson also left the company at the time of the ransomware attack, according to the latest telephone conversation. It’s unclear whether his exit was related to the ransomware attack or to the leak of the security blueprints.
An unknown number of people had gained access to Gunnebo’s security blueprints, according to Linus Larsson, the Dagens Nyheter journalist who reported the incident. Larsson added that Gunnebo CEO Stefan Syrén had downplayed the severity of the breach.
The journalist disclosed that Syrén considered the exposure of security blueprints a minor risk. The CEO also declined to pay a ransom to recover the stolen security blueprints.
“I understand that you can see drawings as sensitive, but we do not consider them as sensitive automatically,” the CEO was quoted as saying. “When it comes to cameras in a public environment, for example, half the point is that they should be visible, therefore, a drawing with camera placements in itself is not very sensitive.”
Having a security company leak its clients’ security blueprints is very concerning. Although the company deals with the physical security of its clients, overlooking information security could defeat the purpose of physical access control systems.
Unfortunately, many security companies entrusted with providing security for their clients cannot protect themselves.
Commenting on Gunnebo’s ransomware attack, Ben Goodman, SVP, Global Business and Corporate Development at ForgeRock, says:
“This breach was the result of an easily guessed password (password01) and a lack of company network security, which ultimately allowed the hackers to enter the system and steal documents. This type of breach happens all too often. In fact, 40% of all data breaches are due to unauthorized access by cybercriminals, according to the ForgeRock 2020 Consumer Identity Breach Report. Employing a weak password as the only authentication method gives attackers the easy access they need to hack into a system from any location, at any time.”
Goodman advises companies to be more proactive towards cybersecurity and recommends the use of advanced authentication methods such as biometrics.
Craig Young, a computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), says that cybercriminals have diversified their methods of exploiting businesses.
“Groups like REvil and Maze have been wildly successful at monetizing data exfiltrated from their victims. These groups, which initially operated only by locking people out of their files, have found that it can be even more lucrative to extort a ransom in exchange for not publishing leaked data. In some cases, the groups claim to have organized sales to interested third parties when the original data owners refused to pay.”