Ransomware at Continental: Infection via an employee's browser download

In August 2022, a ransomware attack on the automotive supplier Continental took place in which significant amounts of data were exfiltrated. The LockBit ransomware gang was responsible and threatened to publish the siphoned data following the attack. But how did the attackers initially get into Continental's IT network? Usually, that remains a secret of the victim. It has now at least become known that the attack originated with an employee's browser download.

What was known so far

According to a press release from the international automotive supplier Continental dated August 24, 2022, there was a cyber attack at the beginning of August 2022 in which the attackers penetrated parts of Continental's IT systems. In the press release, the company still stated that it had detected and repelled the attack.

It said that Continental's business operations had not been affected at any time and that it retained full control over its IT systems. According to the information available at the time, the IT systems of third parties were not affected. But support from external cybersecurity experts was brought in to investigate the incident. I had reported in the German blog post Cyberangriff auf Continental und Richard Wolf Medizintechnik.

German site Handelsblatt reported that the company had fallen victim to the LockBit group, which siphoned off up to 40 TBytes of data in the attack and threatened to publish it if payment was not made. In the German blog post LockBit 3.0 Angriff auf Continental – Hinweise von Blackberry I had given some more details about this cyber attack. In Continental's case, LockBit 3.0 was used. LockBit is a Ransomware as a Service (RaaS) group whose malware has gone through multiple revisions, from the original version to the current version 3.0. The latest version incorporates features from previous ransomware families such as BlackMatter and DarkSide or BlackCat.

The group's leverage is to threaten companies with the publication of exfiltrated data, citing the GDPR (and the fines a disclosed breach may trigger). There is a new statement (German) from Continental, dated December 12, 2022, in which the company admits that "despite established security measures, the attackers were also able to steal a subset of data from affected IT systems."

They state that the attack was noticed on August 4, 2022, and that countermeasures were initiated. On Aug. 5, Continental said, no more attacker activity was observed, which probably means no more data was siphoned off. But LockBit had been in the system and had successfully completed at least part of the data extraction. Continental states that no data was encrypted, but that the initial access occurred on July 1, 2022. So the attackers had access to the systems for over four weeks.


Continental confirms that the LockBit group made contact in mid-September 2022, but the company broke off the negotiation. On Nov. 9, 2022, the attackers offered on the darknet to delete or sell the data for $50 million; on Nov. 29, 2022, this was reduced to $40 million. On November 10, 2022, the attackers published a list of the data they claimed to have exfiltrated. Continental estimates the amount of data siphoned off at 40 TBytes.

But how did the infection take place?

The intriguing question for outside observers in such incidents is how the attackers were able to get into the system. Continental writes in its German statement that initial findings suggest the attackers gained access to Continental's systems by means of disguised malware executed by an employee. Was it an infected Word document? A phishing mail in which credentials were harvested, or something else?

German media Handelsblatt reported here (access restricted) that the group's IT security chief, Dirk Ahrens, described in an internal webcast how the attackers gained a foothold in the IT system. Continental's employees can view the video, published in the "Ask the Expert" series by Dirk Ahrens (and Steffen Brinkmann from HR), on the intranet. This is probably part of raising employee awareness of IT risks and of working through the current incident.

German media heise has prepared this article on the basis of the Handelsblatt article. According to the video mentioned above, a Continental employee downloaded an (unauthorized) browser from the Internet and then executed it. Why the employee was able to run the downloaded browser is not clear from the reports; it may have been a portable version or an app from the Microsoft Store, both of which can be launched with normal user rights and without an administrative installation. The cybercriminals were probably able to harvest the login data (the password for a user account at Continental) via this browser.

Once in possession of the credentials, the LockBit group was able to log in to the employee's user account and then gradually obtain further credentials. In the process, the attackers probably obtained credentials for more privileged user accounts. All in all, the attackers were in the company's IT network for over four weeks using the captured credentials. In the attack, over 40 terabytes of data were then siphoned off. However, the analysis of the incident has not yet revealed any pattern for the accesses and the data outflow.
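The chain described in the two paragraphs above starts with a single executable that a normal user could launch from a user-writable location. One control a practitioner would want is a detection for exactly that: process starts whose image lives under Downloads, Temp or AppData rather than under an administrator-managed install path. The following is an added example (not Continental's or LockBit's tooling, and not from the heise or Handelsblatt reports); it runs over a handful of constructed process-creation events modelled loosely on Sysmon Event ID 1 fields (Image, ParentImage, User, IntegrityLevel), and the path patterns and field names are assumptions for illustration.

```python
import re

# Constructed sample events (not real telemetry), loosely modelled on
# Sysmon Event ID 1 (process creation). Two of them mimic a user running a
# self-downloaded / unpacked browser from a user-writable directory.
SAMPLE_EVENTS = [
    {"User": "CORP\\jdoe", "IntegrityLevel": "Medium",
     "Image": r"C:\Users\jdoe\Downloads\SuperBrowserSetup\browser.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"User": "CORP\\jdoe", "IntegrityLevel": "Medium",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"User": "CORP\\jdoe", "IntegrityLevel": "Medium",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\7zO1234\portable_browser.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Directories a standard (non-admin) user can write to and launch from.
# Assumed list for this example; extend it to match your own image.
USER_WRITABLE_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\"
               r"(downloads|desktop|documents|appdata\\local\\temp|appdata\\roaming)\\", re.I),
    re.compile(r"^[a-z]:\\(temp|tmp|programdata)\\", re.I),
]

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".msi", ".bat", ".cmd", ".ps1")


def is_user_writable(path: str) -> bool:
    """True if the image path sits under a directory a normal user can write to."""
    return any(p.match(path) for p in USER_WRITABLE_PATTERNS)


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_EXTENSIONS)


def flag_unauthorized_launches(events):
    """Return the subset of events where a non-system account executed a
    binary from a user-writable location. Each hit carries a short reason
    so an analyst can triage it without re-reading the raw event."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("IntegrityLevel") == "System":
            continue  # service processes are out of scope for this rule
        if is_executable(image) and is_user_writable(image):
            hits.append({
                "User": ev.get("User"),
                "Image": image,
                "ParentImage": ev.get("ParentImage"),
                "reason": "executable started from user-writable path",
            })
    return hits


if __name__ == "__main__":
    for hit in flag_unauthorized_launches(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['User']} ran {hit['Image']} "
              f"(parent: {hit['ParentImage']}): {hit['reason']}")
```

On the constructed input, the rule flags the two browser launches from Downloads and Temp and stays silent on the properly installed Firefox and on svchost.exe. In production, the same condition is better enforced preventively with an application-control policy (AppLocker or WDAC rules that allow only the Program Files and Windows paths plus signed, approved publishers) and used here only as a detection for the residual gap; note that packaged Store apps run from C:\Program Files\WindowsApps and would need their own publisher-based rule rather than this path check.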

From the heise article, I gather that the company still doesn't know exactly what data was actually leaked. They are analyzing and looking to see whether potentially critical data was accessed; given the long period of four weeks and the over 40 terabytes of data that were stolen, this will take a while. Internally, crisis teams of the company are probably still meeting to work through the incident. The incident shows that the devil is in the details and that a trick to steal the credentials was enough to set this fatal chain in motion.

Continental AG, or Conti, is a listed German automotive supplier headquartered in Hanover. Its annual sales totaled €37.72 billion in 2020. The AG has 190,000 employees worldwide.
