CloudNordic: Ransomware, and suddenly the Danish cloud was knocked out

Customers of the Danish cloud provider CloudNordic have just learned the hard way what "shared responsibility" means. The provider suffered a ransomware infection while moving to a new data center, and its entire cloud offering was knocked out for the clientele. CloudNordic had to inform its customers that all servers and all customer data had been wiped, and that it neither wants to nor can pay the criminals' ransom demand. Anyone without their own backup can now "call it quits": everything has to be rebuilt manually.



Cloud hack deletes everything

Cloud provider CloudNordic has posted a notification to its customers on its (hard to reach) website. I came across the information about this cyber incident at The Register. Here is a rough translation:

Unfortunately, CloudNordic fell victim to a ransomware attack on the night of Friday, August 18, 2023 at 4am, where criminal hackers shut down all systems. Websites, email systems, customer systems, our customers' websites, etc. Just everything. An intrusion that completely crippled CloudNordic and hit our customers hard too.

Since we cannot and will not meet the criminal hackers' financial demands for ransom, CloudNordic's IT team and external experts have been working hard to get an overview of the damage and what could be recovered.

Unfortunately, it has proven impossible to recover any more data, and most of our customers have lost all of their data with us. This applies to everyone we have not yet contacted.

The attack was reported to the police, but that does not undo the total loss for customers and provider alike. The company says it is very concerned about the situation and knows that the attack is also very critical for many of its customers, because not only the data but all CloudNordic systems and servers were lost and could no longer be reached.

The provider's IT staff have meanwhile rebuilt empty systems: name servers, web servers and mail servers, all without data. This allows customers to set up the relevant functions again so that their websites and mail work once more without having to move their domains to another provider.

For those who do not have a backup, however, the whole thing will be difficult; depending on the company, it could even threaten their existence. CloudNordic also provides information on how customers can organize a domain transfer, or how they can recover web content for which no backup exists from a web archive.

How could this happen?

The question that immediately came to my mind: how were the attackers able to penetrate the cloud infrastructure? The devil is probably in the details here, because the gang exploited the migration of the servers to another data center. CloudNordic writes about this:



To our knowledge, when servers were moved from one data center to another, and despite the fact that the machines being moved were protected by both a firewall and an antivirus program, some of the machines had already been infected before the move. These infections were not actively used in the previous data center, and we had no knowledge of them.

During the move of servers from one data center to another, servers that were previously on separate networks were unfortunately wired to access our internal network, which is used to manage all of our servers.

Through the internal network, the attackers gained access to the central management systems and the backup systems. Through the backup system, the attackers managed to gain access to:

  • All storage (data)
  • Backup system for replication
  • Secondary backup system

The attackers managed to encrypt all server disks as well as the primary and secondary backup system, so all machines crashed and we lost access to all data.

The attack encrypted all virtual machine disks, so that was definitely the end of it. However, CloudNordic's investigators did not find any signs of data misuse. It could not be established that the attackers had access to the data inside the virtual machines themselves; their access was limited to the management systems, from which they were able to encrypt the disks as a whole. Very large amounts of data were encrypted, but CloudNordic found no evidence of any attempt to copy large amounts of data out.

For the customers this is at least a "black eye" rather than a data breach, so there is probably no GDPR violation to report (provided that finding holds up: with the management and backup systems themselves encrypted, there may not be much log data left to prove it either way). But if the entire server infrastructure of the cloud is destroyed, that is the end of the story. Good for those who have understood the "shared responsibility" between customer and cloud provider and at least have their own current backups of their content. Those could be restored quickly and the customer would be able to work again. If these backups are missing, things look bleak.
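The customer-side half of that "shared responsibility", as an added example that is neither CloudNordic's tooling nor the blog author's: a small Python script that backs up a hosted site (web root plus database dump) to storage of the customer's own, writes a per-file SHA-256 manifest, proves the archive actually restores, and shows that an archive overwritten in place (what the disk-level encryption described above does to a backup that is reachable from the compromised management network) is detected rather than silently trusted. The sample site, the directory names and the tampering scenario are constructed for the example.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def make_sample_site(root: Path) -> None:
    """Constructed stand-in for a hosted web root plus a database dump (not real data)."""
    (root / "htdocs" / "img").mkdir(parents=True)
    (root / "db").mkdir()
    (root / "htdocs" / "index.html").write_text("<html><body>Hello</body></html>\n")
    (root / "htdocs" / "img" / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00")
    (root / "db" / "dump.sql").write_text("INSERT INTO posts VALUES (1, 'first');\n")


def create_backup(src: Path, dest_dir: Path) -> Path:
    """Archive SRC into DEST_DIR and write a sidecar manifest with per-file SHA-256
    hashes plus the hash of the archive itself. DEST_DIR must be storage the
    provider's management plane cannot write to (own disk, second provider,
    object-locked bucket); a copy reachable from there shares the provider's fate."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    archive = dest_dir / f"site-{stamp}.tar.gz"
    files = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            files[rel] = sha256_bytes(path.read_bytes())
            tar.add(str(path), arcname=rel)
    manifest = {"archive_sha256": sha256_bytes(archive.read_bytes()), "files": files}
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive


def verify_backup(archive: Path) -> list[str]:
    """Return the list of problems found; empty means the archive matches its manifest.
    Members are hashed by streaming them out of the tar, so verification writes nothing."""
    manifest = json.loads(manifest_path(archive).read_text())
    if sha256_bytes(archive.read_bytes()) != manifest["archive_sha256"]:
        return ["archive hash mismatch: file was altered or encrypted after backup"]
    expected = dict(manifest["files"])
    problems = []
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                digest = sha256_bytes(tar.extractfile(member).read())
                if member.name not in expected:
                    problems.append(f"unexpected member {member.name}")
                elif expected.pop(member.name) != digest:
                    problems.append(f"content mismatch {member.name}")
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"archive unreadable: {exc}"]
    problems.extend(f"missing member {name}" for name in expected)
    return problems


def restore_backup(archive: Path, target: Path) -> list[str]:
    """Extract ARCHIVE into TARGET only if it verifies; return the restored file list."""
    problems = verify_backup(archive)
    if problems:
        raise ValueError("refusing to restore: " + "; ".join(problems))
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # 3.12+ and backports: rejects path-traversal members
            tar.extractall(str(target), filter="data")
        else:
            tar.extractall(str(target))
    return sorted(p.relative_to(target).as_posix() for p in target.rglob("*") if p.is_file())


def run_demo() -> dict:
    """Back up the sample site, restore it, then overwrite the archive in place with
    random bytes (a reachable backup after disk-level encryption) and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        site, store, restore_dir = base / "site", base / "backups", base / "restore"
        make_sample_site(site)
        archive = create_backup(site, store)
        good = verify_backup(archive)
        restored = restore_backup(archive, restore_dir)
        archive.write_bytes(os.urandom(archive.stat().st_size))  # same name, same size, unreadable
        bad = verify_backup(archive)
        return {"good_problems": good, "restored": restored, "bad_problems": bad}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as a script to see the three observations. The design points are the ones this incident makes concrete: the copy lives where the provider's management network cannot write (the script accepts any directory; pointing it at storage under the same management plane as the servers would reproduce the CloudNordic situation), the manifest is checked on a schedule so that a backup which exists but no longer restores is noticed before the day it is needed, and a restore refuses to proceed on a failed check instead of quietly unpacking whatever is there.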

