Coca-Cola Investigating Claims that a Ransomware Gang Stole Sensitive Data

The Stormous ransomware gang announced earlier this week that it had hacked Coca-Cola and stolen 161 gigabytes of data.

The group have put the information up for sale on the dark web, requesting just over $64,000 (about £51,000) in bitcoin. It’s a surprisingly low sum given the amount of information reportedly stolen and the profile of the victim.

By comparison, a report published last year found that US firms pay $6 million on average in ransomware demands.

However, there remains some doubt whether the gang’s claim is true. When asked to confirm the incident, the company’s global vice president of external and financial communications, Scott Leith, said: “We are aware of this matter and are investigating to determine the validity of the claim. We are coordinating with law enforcement.”

Meanwhile, Digital Shadows Senior Cyberthreat Intelligence Analyst Chris Morgan added:

“There are screenshots reportedly highlighting documents taken from Coca Cola’s network. However, these cannot be independently verified.”

An unusual attack

Coca-Cola’s hesitance to confirm this incident should make anyone suspicious about the veracity of Stormous’s claim.

There usually isn’t much doubt about whether you’ve been hit by ransomware: either your systems have been crippled and you’ve received an extortion demand, or you haven’t.

Unlike most cyber attacks, ransomware isn’t designed to sneak in and stay hidden. Many gangs now do quietly exfiltrate data before they encrypt anything, so that they can threaten to leak it (so-called double extortion), but the encryption stage itself takes a shock-and-awe approach: it cripples the victim’s systems, locks up sensitive data and makes it obvious that an attack is underway.

Not only that, ransomware attacks typically make it obvious who has instigated the attack, with gangs leaving a note demanding that the victim make a payment – usually in cryptocurrency – to receive the decryption key that unlocks the compromised data.

That Coca-Cola is unsure whether this happened suggests that this isn’t a typical ransomware attack. Notably, Stormous’s claim concerns stolen data rather than encrypted systems. There are also signs on Stormous’s Telegram channel that point to something unusual.

Prior to the attack, the criminal hacking gang posted a poll giving respondents the chance to vote on who Stormous should target next.

Source: Security Affairs

Coca-Cola received an overwhelming majority of the votes, beating the toy maker Mattel, the online education platform Blackboard, the tech firm Danaher and General Electric’s aviation subsidiary.

Cyber criminals rarely target specific organisations in this way, and certainly not publicly. A ransomware operation depends on first getting a foothold in the target’s network, whether through an unpatched vulnerability, stolen credentials or a tricked employee, before the malware can spread and encrypt sensitive data.

Unless the gang had already identified a way into each of those organisations, they would be taking a risk in assuming that they would later find one.

The proliferation of ransomware, with at least 401 publicly disclosed incidents in 2021, suggests that their confidence in finding a way in is justified, but there’s no guarantee that every organisation is susceptible.

One explanation for the criminal hackers’ confidence is that they intended to target the chosen organisation with a phishing campaign.

Employees are widely considered the weakest part of any organisation’s defences, because no technology can entirely eradicate the risk of someone clicking a malicious link or opening an infected attachment.

Although it’s not known how Stormous accessed the stolen information, or indeed whether its claim is authentic, this is the most likely way it would have targeted Coca-Cola.

A scavenger hunt

If a phishing attack isn’t to blame, then what is the most likely alternative? According to some researchers, this attack – like others that Stormous has taken credit for – is a scam.

It’s not unusual for cyber criminal gangs, seeking notoriety within dark web circles, to embellish their activities and hacking prowess.

As Chris Morgan notes, this also raises the gang’s profile within legitimate circles and makes victims more likely to pay up.

But Morgan isn’t confident that Stormous broke into Coca-Cola’s systems at all. “It is also realistically possible that Stormous may be involved in ‘scavenger operations’,” he wrote.

This “indicates a cybercriminal actor attempting to extort companies whose data had been breached by another threat actor in a previous attack.”

Another angle to this story is that Stormous, a group of Arabic-speaking hackers, has previously publicly supported the Russian invasion of Ukraine.

In a Twitter post earlier this year, the group said it intended to target the Ukrainian foreign ministry.

Notably, every one of the organisations listed in Stormous’s poll of potential victims was based in the US, whose government has strongly backed Ukraine.

Meanwhile, Coca-Cola is one of several US companies that have boycotted Russia following the invasion. The organisation also announced that it was donating €1 million (about £830,000) to support the Red Cross in Ukraine and a further €550,000 (£455,000) to support refugees in neighbouring countries.

It remains to be seen whether Stormous genuinely breached Coca-Cola, but its claim may well be politically motivated.

We have already seen actors on both sides of the conflict use cyber attacks and security measures as propaganda in the war effort. As those stories continue to unfold, it’s worth remembering that bogus or exaggerated claims can be made online as well as on the battlefield.

At the time of writing, Coca-Cola has not released any further updates on the incident.