Tata Power data being leaked by Hive ransomware group, after negotiations likely fail

News reports on Tuesday identified that the Hive ransomware-as-a-service (RaaS) group has begun leaking data stolen from India’s Tata Power Energy Company. Less than two weeks earlier, the group had claimed responsibility for a cyber attack against Tata Power, which the company confirmed.

In screenshots seen by BleepingComputer, Hive operators posted data they claim to have stolen from Tata Power on their leak site, indicating that ransom negotiations likely failed.

Cybersecurity analyst and researcher Dominic Alvieri wrote in a Twitter message: “Hive breaches Tata Power of India.”

Cybercrime and security researcher Rakesh Krishnan wrote in another Twitter message that the Tata Power leak contains personally identifiable information (PII), including Aadhaar identity numbers, permanent account numbers (PAN), graduation details, drivers’ license information, salary specifics, and engineering drawings. He also said that the leak contains “Financial Records – 20 Bank Records Client Contracts.”

Mumbai-based Tata Power, formerly a part of the three entities jointly known as Tata Electric Companies, is a pioneer in technology adoption. Along with its subsidiaries and joint entities, Tata Power has a generation capacity of 13,735 MW of which 35 percent comes from clean energy sources. The company has the distinction of being among the top private players, steering the energy sector on technology, process, and platform. Powering emerging technologies for the ‘smart’ customer, Tata Power’s latest business-integrated solutions, focusing on mobility and lifestyle, are poised for multi-fold growth.

Hive operators claim that they encrypted Tata Power’s data on Oct. 3. In a filing to the Bombay Stock Exchange (BSE) on Oct. 14, the company disclosed that “the Tata Power Company Limited had a cyberattack on its IT infrastructure impacting some of its IT systems.”

The company has taken steps to retrieve and restore the systems, H. M. Mistry, the company secretary, wrote in the filing. “All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points. The Company will update on the matter going forward,” he added.

Intel 471 said in a recent report that it observed 455 ransomware attacks during the third quarter of 2022, 72 fewer than it recorded in the second quarter of the year. The most prevalent ransomware variants, in descending order, were LockBit 3.0, responsible for 42.2 percent of all reported incidents; Black Basta at 11 percent; Hive at 9.23 percent; and ALPHV (also known as ALPHV-ng or BlackCat) at 6.6 percent.

In August this year, an alleged operator of the Hive ransomware revealed that they used phishing emails as an initial access vector, Intel 471 said in its report. “The actor allegedly leads a team of network hackers that targets businesses of all sizes in Australia, Canada, the U.K., and the U.S. Actors deploying the Hive ransomware often leveraged phishing campaigns to provide initial access and distribute their malware.”

The report also identified that most of these phishing campaigns are drafted in English, which narrows the target set but allows the actors to refine their lures and tailor social-engineering campaigns to a focused audience. This likely reduces resource expenditure and increases the chance of success.

Intel 471 identified that the sectors most targeted by the Hive ransomware variant were consumer and industrial products at 19.1 percent, followed by professional services and consulting, technology, media and telecommunications, and manufacturing at 16.67 percent each. The group also breached the life sciences and healthcare sector at 11.9 percent and the energy, resources and agriculture sector at 9.5 percent. Other sectors each accounted for 4.76 percent or less of ransomware events associated with Hive.

Commenting on the Tata Power ransomware incident, Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence, wrote in an emailed statement that with the release of corporate employee data by the Hive ransomware group, it seems that ransom negotiations have failed.

“Let’s face it, even if negotiations are successful, there is still only a 50%/50% chance of recovery of the encrypted assets,” Liebig said. “The decision to pay or not to pay is a business call. If the organization is in a very vulnerable position (recovery of assets is not possible), if there is a chance for extremely damaging information to be compromised, or if the potential business impact far outweighs the ransom payment, then the business may decide to pay,” he added.

“There is another aspect to consider in this scenario and that is the rules of the cyber insurance carrier,” Liebig said. “Some cyber insurers prohibit the payment of a ransom. This means that a ransomware Incident Response (IR) playbook must have a very defined and comprehensive declaration and approval process that goes to the top of the executive team.”

Liebig also pointed out that the “best way to defend against ransomware is to never let it take root in your systems. The next best way is to have a bullet proof, trusted recovery strategy to minimize downtime and eliminate the ‘ransom’ debate.”