Western Digital hack: Attackers stole 10 terabytes, demand ransom

Sicherheit (Pexels, allgemeine Nutzung)[German]Hard drive manufacturer Western Digital had admitted to a cyber attack on its IT networks on April 3, 2023. Now the hackers responsible for this attack have probably revealed details to a US medium. Thus, 10 terabytes of data could be stolen. The hackers are demanding a hefty ransom sum.


The Western Digital hack

Hard drive manufacturer Western Digital admitted to a cyber attack on its IT networks on April 3, 2023. According to the announcement, an unauthorized person was probably able to gain access to the internal IT networks as early as March of this year. The whole thing was noticed on March 26, 2023, the company said in a message to the public. It said there that it was unclear whether data had been stolen. I had reported in the blog post Hard drive manufacturer Western Digital victim of cyber attack (March 2023).

German users are discussing here, that since the beginning of April 2023 can no longer access its MyCloud storage. However, this service is supposed to be working again since April 12, 2023, according to WD's status page.

  • Service Outage: 12 Apr 2023 RESOLVEDServices are back online and fully operational.
  • 07 Apr 2023 LOCAL ACCESS AVAILABLEProduct Owners of My Cloud Home, My Cloud Home Duo, and SanDisk ibi,

    We are currently experiencing a service interruption that is preventing files access and use of the applications provided for your product, including the mobile, desktop, and web apps. During this service interruption, you may now access files stored locally on your device using a feature called Local Access.

    The Local Access feature allows you to directly access your personal files from a Windows or MacOS computer that is connected to the same network as your device. To enable Local Access, use your favorite browser and connect to your device's Dashboard. Then enable the Local Access feature and create a new Local Access account. For more detailed instructions and walk-thru video, visit this knowledge base article.

German reader Markus, who had alerted me to the issue, confirms that he can access MyCloud again.

Hackers reveal details

One of the attackers must have contacted Techcrunch and revealed some details. It's an extortion plot, and the attackers who broke into Western Digital claim to have stolen around 10 terabytes of data from the company. Among them, they say, is a large amount of customer information. The extortionists are demanding a ransom of "at least an eight-figure sum" to keep the stolen data from being made public.

Western Digital hack


The above tweet points to the corresponding Techcrunch article Hackers claim vast access to Western Digital systems. Techcrunch reported, that the hacker has submitted a file that was digitally signed with Western Digital's code-signing certificate. Two security researchers who viewed the file confirmed that the attackers could sign files using the company's certificate.

The hackers also passed along phone numbers allegedly belonging to several company executives. TechCrunch called the numbers. Most of the calls rang, but answering machines jumped on. For two of the non-public phone numbers, the announcements included the names of the executives.

The screenshots shared by the hacker show a folder of a Box account apparently owned by Western Digital, an internal email, files stored in a PrivateArk instance (a cybersecurity product), and a screenshot of a group call in which one of the participants is identified as Western Digital's Chief Information Security Officer.

The attacker or attackers are purely concerned with ransomware. According to Techcrunch, the hacker claims to have written to several executives via (personal) email (the company's email system is currently unavailable), demanding a "one-time payment." But Western Digital can't actually be responding to the extortion – after all, the attackers have a lot of material (they even claim to have had access to WS SAP systems) and can continue to distribute that despite ransom payments. Techcrunch quotes the hacker as saying the following to WD:

We only need a one-time payment, and then we will leave your network and let you know about your weaknesses. No lasting harm has been done. But if there are any efforts to interfere with us, our systems, or anything else. We will strike back. We are still buried in your network and we will keep digging there until we find a payment from you. We can completely conceal this and make it all disappear. Before it is too late, let us do that. Until now, you have been gracious; Let's hope that you do not keep going the wrong way.

It seems that the attackers had access to Western Digital's "crown jewels" and the company or its products are now "kind of pretty burned". The hacker wants to publish the data on the Aplhv gang's Ransome page, although he claims not to be part of the group.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *