Hacker working on laptop showing ransomware attack and employee data theft

Vice Society Leaks CommScope’s Employee Data Stolen During Ransomware Attack

Hackers have published sensitive employee data stolen during the CommScope ransomware attack.

CommScope told TechCrunch it discovered “unauthorized access to a portion of our IT infrastructure that we determined was the result of a ransomware incident.”

Located in Hickory, North Carolina, CommScope manufactures network infrastructure equipment and employs more than 30,000 workers. Customers include hospitals, schools and U.S. federal agencies.

CommScope ransomware attack leaked extensive employee data

The Vice Society ransomware group listed the network infrastructure giant on its data leak site and included a link to the stolen employee data.

Data leaked included internal documents, technical drawings, and employee data containing extensive personal information. The leaked employee data included full names, email addresses, postal addresses, scans of passports and visas, and social security numbers and bank account details. Some employee data was unencrypted, giving hackers enough information to craft compelling phishing attacks.

CommScope said it launched a forensic investigation assisted by a leading cybersecurity firm and notified law enforcement authorities about the incident.

However, the network infrastructure giant has yet to confirm if its internal documents and employee data were leaked on the dark web as reported.

“We are working with our third-party experts to validate those claims and to understand the nature of the information at issue as a top priority,” the company’s spokesperson said. “We are undergoing a thorough review of any impacted data with all possible speed.”

It remains unclear exactly how many employees were impacted and whether CommScope has notified them.

Some leaked data contained customer emails suggesting the threat actor accessed the internal systems and the CommScope customer portal. However, CommScope says it has no evidence that the ransomware attack leaked customer data but promised to notify them if the investigation proved otherwise.

The network infrastructure manufacturer has not disclosed how the threat actor breached its network and whether the group made any ransom demands.

Commenting on the CommScope ransomware attack, Dr. Ilia Kolochenko, the founder of ImmuniWeb, encouraged ransomware attack victims to pay up to protect their private information but warned that “public exposure of stolen data is possible in both cases.”

“Usually, paying a ransom – though being discouraged by law enforcement and potentially triggering legal ramifications in some jurisdictions – provides better chances to keep your compromised data private,” noted Kolochenko. “In case of ransomware incidents, it may be a wise approach to negotiate with attackers as long as reasonably possible, while actively minimizing the impact of possible disclosure of stolen data.”

Vice Society diversifying target sectors

In September 2022, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the MultiState Information Sharing and Analysis Center (MS-ISAC) published a joint cybersecurity advisory about Vice Society targeting education institutions.

Vice Society was responsible for the Los Angeles Unified School District (LAUSD) ransomware attack that leaked 500 gigabytes of sensitive data. Vice Society also listed Berkeley County Schools, Eclog International Schools, Lakeland Community College, and Lewis & Clark College on its data leak site.

While Vice Society typically targets healthcare and educational institutions, it has diversified its victim pool to include critical infrastructure organizations.

In 2022, the ransomware group compromised San Francisco’s Bay Area’s rapid transport (BART) system and Puerto Rico’s water supply system.

In January 2023, Trend Micro warned that Vice Society was targeting the manufacturing sector using stolen credentials purchased from underground hacking forums. Trend Micro also warned that the hacking group was transforming into a ransomware-as-a-service (RaaS) to expand its operations.

“The ransomware attack on CommScope demonstrates the distinct value of identities in an organization,” said Lior Yaari, CEO and co-founder of Grip Security. “Implicated in this attack, the Vice Society ransomware gang posted stolen identity information — not for customers, partners or other transactional data.”