The LockBit ransomware gang is claiming a very serious attack against Canadian government contractors that involves 1.5TB of stolen documents dating as far back as 1999. A third party data breach of two relocation services providers may have exposed the passports, financial information and other personal information of government employees from an assortment of agencies and branches.
The government has confirmed that Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services were breached in September and October, and though it has yet to confirm the extent of the stolen data it is already re-issuing passports and providing credit monitoring to government employees that may be impacted. The breach is thought to impact members of the Canadian Armed Forces, the Royal Canadian Mounted Police (RCMP) and Government of Canada employees that have used these relocation services since 1999.
Canadian government employees brace for dark web data dump
The government has not yet attributed an attacker, but LockBit has already taken to the dark web to claim responsibility. The ransomware group claimed that it stole over 1.5TB of documents and has already been through failed negotiations with SIRVA, who it says would only pay a ransom of $1 million. The hackers appeared to initially demand a ransom of $15 million but dropped the price to $7.5 million before ending negotiations.
It’s also not clear how many government employees are impacted by the third party data breach, but any that have used BGRS or SIRVA since 1999 may have had personal data exposed. There is not yet a confirmation that any login data has been exposed, but the Canadian Centre for Cyber Security is advising anyone that may be using shared or recycled login information relating to these systems to change passwords and enable MFA where possible as a precaution.
The two relocation firms began a merger in August 2022, which may explain why both were involved in the third party data breach. BGRS was reportedly breached first in September, something that the government issued a prior warning about on October 20 (though that message only suggested that government employees take precautionary measures). LockBit says that it negotiated with SIRVA from October 6 to the 19th, cutting off talks when that public notice of the breach was made. The group also says that SIRVA initially offered $500,000 for return of the government employees' data and would go no higher than an offer of $1 million.
LockBit claims to have dumped the stolen data via their dark web portal as of November 20. The information is being investigated, but BGRS has said on its website that it processes relocation information of about 20,000 Canadian government employees each year. The information stolen in the third party data breach may date back as far as 1999 for those that used BGRS, but SIRVA did not begin contracting with the government until 2009. As BGRS was not directly mentioned by LockBit, it remains unclear if the dumped data is strictly from SIRVA or if it is mixed.
In terms of diagnosing the origin of the third party data breach, BGRS has also said that it has some 8,000 suppliers, though there is not yet any indication of any of them being involved. In the interim, Sean McNee (VP of Research and Data, DomainTools) adds some advice for Canadian government employees that may be waiting for more information: “We applaud the Canadian government here for the transparency, decisiveness, and speed with which they reported this event as well as the actions they are taking to support their affected citizens. We advise all Canadian citizens who were impacted to take reasonable precautions with their online data: replace any documentation that the government advises, monitor your credit reports for any suspicious or fraudulent activities, ensure you have strong and unique passwords to critical online accounts, and enable multi-factor authentication when possible. Given the nature of the data which LockBit stole, we also suggest citizens consider changing the answers to any security or account recovery questions they have to critical online accounts, as the “correct” answers to such questions, like, “What street did you live on in 2005?”, could be contained in the leaked information.”
Third party data breaches continue to haunt relatively secure organizations
The nature of the information that was stolen is worrisome to any government employees that are potentially impacted, but the most concerning single aspect of the third party data breach may be that these contractors handle moves for overseas military deployments. That not only potentially provides hostile nations with information about current troop positioning, but also a long history of movements.
LockBit is now potentially the biggest ransomware gang in the world, jousting with BlackCat/AlphV and Cl0p for the top spot. And, like other top ransomware outfits, it is now starting to drop the ransomware from some attacks. If what is stolen is sensitive and damaging enough, data extortion alone is now commanding the same sorts of payment amounts. On October 1, the group publicly declared that it will negotiate down to no less than 50% of its original payment demand.
And like other groups, LockBit often finds the best path into a more secure organization is a third party data breach of a vendor. It has previously used this method to breach Taiwan Semiconductor Manufacturing Company by way of an IT vendor, the UK’s Ministry of Defence through a metal fencing provider, and SpaceX via a laser cutting outfit, just to name a few of the bigger examples.
Jason Keirstead, VP Collective Threat Defense for Cyware, believes that the only path forward in addressing third party data breaches is closer cybersecurity collaboration: “Breaches that involve third-party subcontractors are increasingly one of the most challenging issues to manage on an organization’s risk register. One way an organization can reduce their own risk is by leveraging their capabilities to help protect their suppliers – for example by sharing both threat intelligence and defense information downstream with their supply chain.”
Almog Apirion, CEO & Co-Founder of Cyolo, believes that vendors have to be viewed as a potential threat given the nature of the risk: “To safeguard sensitive internal, external, third-party, customer and even government partners’ user data, businesses must address all third-party entities as a high risk to the organization – limiting access and external users’ ability to roam the network. Identity enforcement measures, such as MFA, are crucial to enabling secure third-party access, as these zero-trust capabilities support institutions in gaining visibility and control over their systems. Administrations and government departments across the world can be better equipped to mitigate these threats that can directly affect the well-being of their employees as they arise, and protect critical systems, assets and above all, people’s information.”