Brenntag headquarters in Essen: Affected is the North American subsidiary
Photo: Thomas Robbin / imagebroker / imago images
The reports of cyber attacks from the environment of the hacker group Darkside suspected in Russia continue: After the case of the US company Colonial Pipeline caused a worldwide sensation, on Friday the electronics company Toshiba announced that it had fallen victim to Darkside in Europe.
And a report by the online tech magazine “BleepingComputer” revolves around another important company: Brenntag, a German chemical dealer that claims to be the world market leader in the distribution of chemicals and ingredients with more than 17,000 employees.
"BleepingComputer" writes that an attack in early May hit the North American subsidiary of the Essen-based company, which employs around 5,000 people.
Devices in the network of that subsidiary were encrypted and files were fished.
According to an anonymous source in the magazine, the attackers obtained a good 150 gigabytes of company data.
Brenntag only answers questions from SPIEGEL about the article in general.
"Brenntag faced a case of compromised information security in North America," is the full answer.
»Brenntag North America then disconnected the affected systems from the network and immediately commissioned cybersecurity and forensics experts to assist with the investigation.
Brenntag takes the protection of its systems and data very seriously. "
No details, but no denials either.
The hacker group Darkside, meanwhile, apparently brags of having fished nondisclosure agreements and chemical formulas, as well as documents from the accounting department.
This is evident from the screenshots that "BleepingComputer" shows in its report.
Regarding the attack route, the hackers say nebulously that access to the company network was "bought".
Criminals with their own hotline
Darkside is considered a highly professional group.
According to IT security companies, the association of cyber criminals even operates a support hotline that victims of their ransomware can use to negotiate the amount of ransom payments.
In ransomware attacks, files and drives are encrypted on target computers or in entire networks.
The perpetrators offer their victims, in return for payment of a ransom ("ransom"), to provide them with a key with which the files can be decrypted again.
In the meantime, it often happens with ransomware attacks that the attackers also fish off data and threaten to publish it - as a kind of second blackmail.
Darkside attacks also fall into this category.
At Colonial Pipeline, for example, the operator of the largest US pipeline, Darkside is said to have acquired almost 100 gigabytes of internal data.
Darkside offers its ransomware to third parties as a service based on the Ransomware-as-a-Service (RaaS) principle.
This means: It does not always have to be the core group itself that carries out an attack - however, Darkside is involved with a certain percentage if an attack leads to a ransom payment.
"Our goal is to make money, not problems for society."
Statement from Darkside
The Federal Office for Information Security (BSI) told SPIEGEL at the beginning of the week that the Darkside malware was one of the "more prominent and progressive ransomware variants that are actively used."
Darkside attacks are "opportunistic according to the local assessment," wrote the BSI, "and are not aimed specifically at a country or a sector."
After the attack on Colonial Pipeline, Darkside said: "Our goal is to make money, not problems for society."
Meanwhile, it seems clear: Darkside's criminal business works.
According to news service Bloomberg, Colonial Pipeline paid the group the equivalent of five million dollars in ransom, allegedly only hours after the attack.
In the case of Brenntag, too, a lot of money is said to have flowed on Tuesday.
"BleepingComputer" reports on the basis of its informant and a look at a Bitcoin transaction that a ransom of the equivalent of $ 4.4 million had been paid.
However, the company left a request from SPIEGEL on the subject of ransom uncommented.