A ransomware gang claims to have stolen data from Investissement Québec and Rio Tinto.

On its dark web site, the Clop group claims to have stolen information from the state-owned company and the mining giant. Contacted by La Presse, Investissement Québec explains that a “privacy incident” affected a file-sharing platform it uses, GoAnywhere MFT by Fortra.

“Some personal information about employees and former employees is at issue,” said vice-president of communications Gladys Caron. All staff are affected.

The Journal de Montreal revealed in February that the staff of the state-owned company had been the victim of a data theft, without identifying the compromised supplier or the gang responsible for this cybercrime.

Caron adds that the organization’s clients “are not at risk.” As for the compromised data on its personnel, “all adequate measures have been implemented to protect it,” she says.

Investissement Québec would say nothing more “for security reasons”.

So far, Clop hasn’t released any information stolen from the state corporation, while data from many of the gang’s other victims can be found on its site.

Investissement Québec manages a $6.1 billion portfolio for the government.

The Clop ransomware group has also added Rio Tinto to the list of victims on its site, again without publishing any files for the moment. The multinational has a strong presence in Quebec in the aluminum and iron sector. It was not immediately possible to obtain the company’s comments.

The Toronto investment fund Onex is also among the victims of cybercriminals.

In February, Clop reportedly contacted a journalist from the specialized site Bleeping Computer and explained that it had found a new (zero-day) vulnerability in the GoAnywhere file transfer tool. By exploiting it, the gang claims to have been able, in 10 days, to steal information from 130 organizations that use the tool.

Bleeping Computer was unable to independently confirm these claims.

On Wednesday, an Onex spokesperson reportedly acknowledged anonymously that hackers had reached the company through this service, according to the specialized site IT World Canada.

Although Clop still hasn’t released information on Investissement Québec, Rio Tinto and Onex, the gang could do so quickly, as it did with other victims of the attack on GoAnywhere. “They seem to be moving really fast in this case,” said Brett Callow, threat analyst at antivirus firm Emsisoft.

“This is the second time that Clop has exploited vulnerabilities in a file exchange platform,” notes the expert. In 2021, the gang hit the Accellion FTA platform and stole information on military technology from Bombardier Aerospace and data from the City of Toronto.

The hackers regularly post new names of alleged victims of their attack on GoAnywhere, and Brett Callow expects to find other Canadian organizations there, “in both the public and private sectors.”