Hackers have broken into an internet infrastructure firm that provides services to dozens of the world’s largest and most valuable companies, including Oracle, Volkswagen, Airbus, and many more, as part of an extortion attempt, Motherboard has learned. The attackers have also released data from all of those companies, according to a website seemingly set up by the hackers to distribute the stolen material.
Citycomp, the impacted Germany-based firm, provides servers, storage, and other computer equipment to large companies, according to the company’s website. Michael Bartsch, executive director of Deutor Cyber Security Solutions, a firm Citycomp said was authorized to speak about the case, confirmed the breach to Motherboard in an email Tuesday.
“Citycomp has been hacked and blackmailed and the attack is ongoing,” Bartsch wrote. “We have to be careful as the whole case is under police investigation and the attacker is trying all tricks.”
Do you know anything else about this breach? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com
On a website apparently created to distribute Citycomp client data, the hackers claim they are in possession of “312,570 files in 51,025 folders, over 516GBb data financial and private information on all clients.” Some of the clients include Ericsson, Leica, Toshiba, UniCredit, British Telecom, Hugo Boss, NH Hotel Group, Oracle, Airbus, Porsche, and Volkswagen, according to a list of the victims on the website.
It appears the data may relate to German offices of those companies. Several entities in the victim list have the “GmbH” title, the German term for a limited liability company. Two supermarkets popular in Germany, REWE and Kaufland, are also included.
“We have informed and warned all concerned clients,” Bartsch said.
“There was full transparency about the attack and theft as well as public release of the data with our clients from the very beginning. The support is unanimous,” he added.
Before Bartsch’s confirmation, Motherboard contacted multiple Citycomp clients on Monday. A BT spokesperson told Motherboard in an email, “Our cyber security team is currently investigating this issue so unfortunately we’re not in a position to provide you with any comment right now.”
A Volkswagen spokesperson said in an emailed statement, “Volkswagen is currently investigating an online data breach that occurred at Citycomp, one of its suppliers. Volkswagen takes the protection of personal and corporate data very seriously. Citycomp is cooperating with our investigations to establish the scale of the data breach.”
A Porsche spokesperson wrote in an email, “We have already been aware of this topic. Porsche is at the moment working on it together with Citycomp in order to clarify the details as digital security is very important for us as a company.”
Some files are publicly available for download on the data site. Some victims only have one, two or three files listed, while others have hundreds.
The post said that the files would be released on April 31st, 2019 (there are only 30 days in April).
On the data website, the hackers included an email address to contact them. That email is also the contact address for at least one previous ransomware campaign. In an email, the hacker or hackers, who went by the handle Boris Bullet-Dodger, confirmed the attack was financially motivated, and said that they demanded $5,000 from Citycomp.
Boris claimed they were inside Citycomp's systems for just over a month, and that they targeted Citycomp specifically because “they have an [sic] totally awful security system.”
When asked if they planned to extort the client companies as well, Boris wrote, “no, these companies are not guilty of awful work of citycomp.”
Increasingly, hackers have threatened to release or simply dump data belonging to a victim in order to pressure them into paying a ransom. Bartsch said the company has not given in to such a demand, though.
“We did not yield to the extortion demands and our analysts are conducting a profound technical and forensic analysis on the attack,” he wrote.
Update: This piece has been updated to include that the attackers' email address is also linked to a ransomware campaign and to include comment from them. It has also been updated to say that the files are now available for download, and it has been updated with brief emailed comments from British Telecom, Volkswagen, and Porsche.