Hackers have managed to penetrate the IT network of the Swedish security company Gunnebo Group and capture data. This data has now probably been published in underground forums.
The Gunnebo Group is a Swedish company based in Gothenburg that specializes in security products, services and solutions, primarily in cash management, access control, secure storage and integrated security. Customers of the multinational company, which provides physical security to a wide range of customers worldwide, include banks, government agencies, airports, casinos, jewelry stores, tax authorities and even nuclear power plants. The Gunnebo Group operates in 25 countries with around 4,400 employees (as of January 2019) and reported global sales of SEK 4,900 million in 2017.
(Source: Pexels, Markus Spiske, CC0 license)
Brian Krebs writes on Krebs on Security that he alerted the Gunnebo Group in March 2020 that hackers had penetrated its IT network. The hackers had sold access to the network to a criminal group specializing in ransomware distribution. The Milwaukee, Wisconsin-based cyber intelligence service Hold Security had stumbled upon the cyber criminals' financial transaction and informed Krebs. Specifically, the transaction included credentials for a Remote Desktop Protocol (RDP) account that had apparently been set up by a Gunnebo Group employee to remotely access the company's internal network.
On August 25, 2020, the Gunnebo Group reported that a ransomware attack on its internal network had occurred. The servers were immediately shut down to isolate the attack. Because of the rapid intervention, the operational impact, according to the company, was minimal and operations were quickly resumed. Krebs writes that the company probably assumed the attack had been successfully fended off, because the spread of the ransomware within the IT network had been prevented.
But the following days showed that this assumption was wrong. The intruders had managed to exfiltrate tens of thousands of sensitive documents from the servers, and the ransomware group is now beginning to publish the stolen documents. Among them are plans of vaults and surveillance systems of client banks. The Swedish newspaper Dagens Nyheter confirmed that hackers recently published at least 38,000 documents stolen from Gunnebo's network online.
Linus Larsson, the journalist who published the story, says the hacked material was uploaded to a public server in the second half of September and that it is not known how many people may have had access to it. Larsson quotes Gunnebo CEO Stefan Syrén, who said the company never considered paying the ransom the attackers demanded in return for not publishing its internal documents. Moreover, Syrén seemed to play down the gravity of the revelation:
I understand that you can consider drawings as sensitive, but we do not automatically consider them sensitive. For example, when it comes to cameras in a public environment, half the problem is that they should be visible, so a drawing with camera placements is not very sensitive in itself.
It remains unclear whether the stolen RDP credentials played a role in this incident. But the password for Gunnebo's RDP account, "password01", suggests that the security of Gunnebo's IT systems may have been deficient in other areas as well. After Krebs posted a contact request to Gunnebo on Twitter, Rasmus Jansson, an account manager at Gunnebo, got in touch. Jansson was responsible for protecting client systems against electromagnetic pulse (EMP) attacks and disruptions.
Jansson told Krebs that he had passed the stolen credentials on to the company's IT specialists, but that he did not know what measures the company had taken in response. In a phone call, Jansson told Krebs that he had left the company in August, which corresponds to the time when Gunnebo announced the ransomware attack. Jansson declined to comment on the details of the ransomware attack.