The LockBit gang has taken advantage of credentials accessed during the Accenture cyberattack to go after the consulting giant’s customers, the ransomware group told BleepingComputer.
The ransomware-as-a-service (RaaS) operator said they’ve compromised an airport that was using Accenture software and encrypted its systems, BleepingComputer reported Wednesday. LockBit, however, declined to name specific organisations that were breached via Accenture, according to BleepingComputer.
In a statement to CRN US, Accenture pushed back on LockBit’s claims.
“We have completed a thorough forensic review of documents on the attacked Accenture systems. This claim is false,” Accenture told CRN Wednesday afternoon. “As we have stated, there was no impact on Accenture’s operations, or on our clients’ systems. As soon as we detected the presence of this threat actor, we isolated the affected servers.”
Following the Accenture ransomware attack - which was publicly revealed Aug. 11 - LockBit said they had collected sufficient data to breach some clients of the Ireland-based company. LockBit demanded a $50 million ransom payment to stop the leak of six terabytes of data they had allegedly stolen from Accenture, BleepingComputer reported.
Since compromising Accenture, LockBit claims to have encrypted the systems of, and published data stolen from, Bangkok Airways and Ethiopian Airlines. It’s unclear whether either airline is an Accenture customer, and neither immediately responded to CRN requests for comment.
LockBit on Saturday said it leaked over 200 gigabytes of data belonging to Bangkok Airways, according to BleepingComputer. The Thai airline said Thursday that hackers might have accessed personal data such as full names, nationality, gender, phone number, email and physical addresses, passport information, historical travel information, partial credit card information, and special meal information.
Bangkok Airways said the attack didn’t affect its operational or aeronautical security systems, according to a company statement. In the case of Ethiopian Airlines, LockBit said on its dark web leak site August 23 that it had published data stolen from the airline.
However, the LockBit operators haven’t actually published any data from Ethiopian Airlines or Accenture despite their website indicating that they’ve done exactly that, Emsisoft threat analyst Brett Callow told CRN US.
It can take weeks for forensic investigators to work out what happened during an attack, and ransomware gangs such as LockBit exploit that uncertainty to their advantage, according to Callow.
In the case of Bangkok Airways, Callow said LockBit uploaded data to New Zealand-based cloud storage and communication platform MEGA, but clicking the link now produces a pop-up stating, “This link is unavailable as the user’s account has been closed for gross violation of MEGA’s Terms of Service.”
“What’s going on isn’t clear,” Callow told CRN US in an email. “It could be the case that minimal or no data at all was exfiltrated in the incidents and LockBit’s claims are simply a bluff … Companies dealing with incidents are dealing with untrustworthy bad faith actors – or, as an industry colleague likes to say, lying bastards – and [should] treat any and all of their claims with scepticism.”
LockBit has a history of posting the names of companies it claims are ransomware victims on its leak site and then dropping them from the site without explanation, Tom Hofmann, Flashpoint’s SVP of intelligence, told The Daily Beast last month. At least some of the companies listed aren’t actually victims at all, which could indicate a ploy to get concerned companies to pay under false pretences.
“I know of one particular ‘victim’ who contacted us to definitely state they were not a victim,” Hofmann told The Daily Beast. “We have been contacted by some companies named on these victim sites that claim they have never been victimized.”
VX-Underground, which claims to have the internet’s largest collection of malware source code, said that the LockBit ransomware group released 2,384 Accenture files for a brief time August 11.
Richard Blech, CEO and founder of US-based encryption technology firm XSOC Corp., told CRN US last month he fully expects more will still come out about the scope and severity of the attack on Accenture.
“More details will be forthcoming over the coming weeks and months, and it’s almost certainly going to be worse than is stated now,” Blech told CRN US on August 13. “With what they handle and who they deal with [at Accenture], I think it’s going to be quite serious. It’s just too much information. This was a big compromise. They can minimize it all they want, but that’s an awful lot of files.”
Stolen credentials are often used by adversaries to pivot into additional organisations. In May, for example, the Russian foreign intelligence service (SVR) used a government agency’s Constant Contact account credentials to run a phishing campaign that led to the breach of roughly 3,000 email accounts across 150 organisations. The emails carried a link that, when clicked, delivered a malicious backdoor.