Coca-Cola Investigates Data-Theft Claims After Ransomware Attack
The Russian-speaking ransomware group Stormous is claiming to have stolen 161GB of data from Coca-Cola — and it’s offering to sell the supposed cache for 1.65 Bitcoin (about $64,000).
But when asked for confirmation of the breach by Dark Reading, Coca Cola’s global vice president of external and financial communications, Scott Leith, provided the following statement: “We are aware of this matter and are investigating to determine the validity of the claim. We are coordinating with law enforcement.”
According to Chris Morgan, senior cyberthreat intelligence analyst at Digital Shadows, “There are screenshots reportedly highlighting documents taken from Coca Cola’s network. However, these cannot be independently verified. Some researchers have suggested that many of their attacks are either a scam or the group is exaggerating their claims. This is not uncommon for cybercriminal groups, who often embellish the details of their activity in order to coerce victims into paying a ransom.”
He also told Dark Reading, “It is also realistically possible that Stormous may be involved in ‘scavenger operations,’ which indicates a cybercriminal actor attempting to extort companies whose data had been breached by another threat actor in a previous attack.”
John Bambenek, principal threat hunter at Netenrich, notes that the comparatively small ransom demand is also perplexing.
“Stormous has had a history of making headlines of stealing large amounts of data from its ransomware victims,” he said via email. “However, with the very low amount they are requesting for the dump from Coca-Cola, I’m somewhat suspect that they have truly valuable information and certainly they aren’t selling it exclusively to anyone. From Stormous’ description, it doesn’t seem like the most valuable trade secrets are in the dump file (or that Stormous can’t tell if they are there).”
Bambeneck added, “What’s important for any organization in this kind of position is to rapidly assess what information was taken and what its value is to inform decision makers in situations like this where days of analysis just aren’t in the cards.”
For its part, Stormous has previously been linked with Russia, according to researchers, and has breached data from Ukrainian companies in the past.
“With the ongoing hostilities between Russia and Ukraine, and with America supporting Ukraine in their defense, it is not surprising that pro-Russian groups have decided to target American organizations for attack,” said Erich Kron, security awareness advocate with KnowBe4, in a statement about the reports.