The Société de transport de l’Outaouais (STO) has finally admitted that hackers are in possession of information from some of its users.
However, it assured that it was not sensitive information.
Potentially, the perpetrators were able to access customers’ names and addresses, and possibly also, in some cases, their date of birth, phone number, and email address.
This admission comes more than three weeks after a severe ransomware-type cyberattack targeting the common carrier. The attack took place in the middle of the night on September 4.
The STO, which has been singled out for its lack of transparency since the beginning of this crisis, held a first press conference to take stock on Monday afternoon, while services such as Planibus remain paralyzed since the cyberattack.
“There was system encryption [Editor’s note: a severe attack] and an exfiltration of data,” admitted the general manager of the STO, Patrick Leclerc. “It is as if the attacker has put a lock on our systems to prevent us from using them. Backup systems were also affected.”
After the STO refused to pay the required ransom, the cyber attackers posted exfiltrated files on the underground Internet (“dark web”), Mr. Leclerc added.
The carrier refuses to identify the name of the criminal group involved, but last week a group called AvosLocker announced the attack on its website hosted on the “dark web.”
Contacted by email, the AvosLocker group responded that it has around 115 GB of data “in its possession” and that it is mainly “databases.” The representative of the criminal group says that most of the data “will be made public” if the STO does not cooperate, adding that the affiliate responsible for the attack “received offers” to buy some of the data, without specifying the nature of the data.
STO management contends that it has no evidence that personnel files were compromised, except for seven employees. The carrier offered them support in case of identity theft.
KPMG’s IT security experts work with the STO to analyze the damage.
As for the ransom demanded, the carrier refuses to reveal the amount.
“The STO has made an informed decision not to publicize the offenders,” stated STO President Myriam Nadeau.
AvosLocker is a ransomware-as-a-service provider. It works with “affiliates”: they are the ones who infiltrate networks and deploy the malware, and who have the last word on the public disclosure of stolen data.
Allan Liska, a cyber threat analyst at Recorded Future, says the group first appeared last June. It then sought to recruit hackers, adding that “they have not yet succeeded in attracting a large number of affiliates.”
Its first victim was announced in July. Since then, the group has posted 22 organizations on its site.
The analyst explains that these groups always claim to have buyers. “You have to remember that these are fucking liars,” he laughs. He also points out that since they are not French speakers, they are not always aware of the value of the data they steal.
While operating underground, AvosLocker keeps its location a secret, but there are indications that it is somewhere in Russia or one of the neighboring countries. For example, on its “dark web” site, it is mentioned that the group does not target companies located in this area.