A US law firm and a Singapore telco caught up in the same data breach as the Reserve Bank have had stolen files leaked online by a ransomware gang.
A security expert says that means some of the RBNZ's stolen files - described by the bank as "sensitive" - could also be leaked on to the internet in a bid to pressure the NZ central bank into paying a ransom.
In mid-December, Accellion FTA - a file-transfer appliance used for sharing large files - suffered a data breach. The Reserve Bank, top US law firm Jones Day, Singapore's largest phone company Singtel and some 47 others, including the Australian Securities and Investments Commission, had data stolen in the cyberheist.
A ransomware gang called Clop told the Wall Street Journal earlier this week that it was responsible for the attack.
A number of sensitive files from top US law firm Jones Day - recently in the news for dropping ex-president Donald Trump - were placed on the public internet earlier this week.
A security expert showed the Herald links and screen shots of the Jones Day data.
Today, it was Singtel's turn to be embarrassed as data for some of its customers was spilled onto the dark web by Clop, according to a Straits Times report.
$250,000 ransom demand
The Times reports that Clop is demanding the equivalent of S$250,000 in bitcoin in exchange for Singtel's full data (the Singapore and Kiwi dollars are at parity).
The Reserve Bank refused to say if it had received a ransomware demand. Paying a real-life or cyber-ransom is legal, according to Auckland University legal academic Bill Hodge, but the practice is discouraged by police on the basis that it encourages more crime and - in the case of stolen data, which the attacker has copied rather than taken - there's no guarantee the copies will be deleted.
Ransomware gangs typically make small amounts of data public in a bid to pressure a victim into paying, often millions, to keep the rest private. That was the case with an attempt to blackmail F&P Appliances last year - although the whiteware maker refused to pay.
Clop has been behind a number of high-profile cyber-heists.
A ZDNet report says Clop has a history of combing through stolen documents, looking for details that can be used to blackmail top managers.
The gang has told the Wall Street Journal that it has some 100 gigabytes of files lifted from Accellion.
'Up for grabs'
Brett Callow, a threat analyst with security company Emsisoft, told the Herald:
"If Clop was responsible for the attack on Accellion, it means that Clop may also be in the possession of data relating to RBNZ and the other Accellion customers.
"It also means that those organisations' data may end up being posted online, as Jones Day and Singtel's data already has."
If Singtel had received a $250,000 ransom demand, it was likely other victims were being extorted too, Callow said - though the amount demanded could vary.
Callow added, "Another possibility is that Clop bought the data for the purpose of extorting Jones Day, or came to a revenue-sharing agreement with the group responsible for the attack on Accellion. That's no better though, as it would mean the data is up for grabs."
'Sensitive' RBNZ files stolen
The Reserve Bank has been asked for comment, and if it has received a ransomware demand.
Earlier, the bank said it had identified "sensitive" files that had been exposed in the data breach, and that it was talking to the parties concerned. The RBNZ has not said what information was exposed, however, or who it belonged to. It is likely the Reserve Bank was using Accellion's FTA (File Transfer Appliance) to share files with retail banks and insurance companies.
Today, a spokesman said it was unlikely the RBNZ would ever say what files were stolen, citing security reasons.
Service being axed
In another development, Accellion has announced it will phase out its FTA file-sharing service by April 30 this year.
Earlier, Accellion said it had been urging clients to move off the 20-year-old FTA and onto its newer, more secure, four-year-old Kiteworks service.
The RBNZ was told to move to Kiteworks by its own chief information officer in a May 2020 report on its IT systems, which also included the general assessment that the RBNZ had "high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".
He said, they said
On February 10, Reserve Bank Governor Adrian Orr challenged Accellion's claim that it released a patch to all customers within 72 hours of discovering the FTA vulnerability. Orr said it was five days before the bank could have acted on it.
Accellion refused to comment on Orr's timeline when approached by the Herald.
The most recent public statement by the company sticks with its claim of a fix being distributed within 72 hours of the initial breach, but adds the new information that attacks continued through December and into January.
"This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021. Accellion identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability," the company says.
An Accellion spokesman would not comment this morning on reports of ransomware gang Clop's involvement or elaborate further on its timeline.
In the meantime, the RBNZ has gone on the front foot, expanding Orr's comments into its own timeline (below).
Callow says the only thing we can be sure of is that more attacks lie ahead.
"Data theft is becoming increasingly problematic. More than 1300 organisations had data stolen and published in 2020," the threat analyst told the Herald.
"The incidents affected organisations in all sectors - including healthcare, law enforcement, governments, defence - and resulted in extremely sensitive information being posted online."
Accellion data breach: the Reserve Bank's timeline
• In mid-December, Accellion FTA users in other countries started being attacked.
• Accellion released a patch to address the vulnerability on December 20, 2020, but failed to notify the bank it was available.
• Breach against the bank occurred on December 25, 2020, and a number of files were illegally downloaded.
• There was a period of five days from the patch on December 20 until December 25 when the breach occurred, during which the bank would have applied the patch if it had been notified it was available.
• In early January, the Reserve Bank patched and secured the Accellion FTA, became aware of the breach, and closed the system.
The bank says it is aware of shortcomings within its processes and systems. An independent review by KPMG is underway.