Montreal tourist agency confirms cyberattack
The Montreal tourist agency admitted it was hit by a cyberattack early last month, one of many Canadian and American victim organizations claimed by the Karakurt hacking group.
“Tourisme Montréal can confirm that we were aware of a cybersecurity incident that we experienced on December 7th,” Francis Bouchard, the agency's director of corporate communications and public affairs, declared Tuesday.
“We immediately engaged security experts to further investigate this matter and ensure the integrity and security of our systems.”
The investigation is underway, he added, in particular to identify data that may have been affected. Employees and partner agencies have been warned.
Bouchard declined to comment on how the agency was compromised, whether the stolen data contained personally identifiable information or what the attacker was asking for.
Tourisme Montréal (known in English as Visit Montréal) represents 900 members, partners and stakeholders in the tourism industry to promote the city.
Bouchard’s statement comes after a hacking group called Karakurt listed Visit Montreal in a December 29 post as one of 11 organizations that were reportedly compromised recently.
They include a Quebec construction company, a Quebec-based bathroom designer, a Canadian First Nation, a western Canadian data management company, and a western Canadian-based heavy equipment manufacturer. ITWorldCanada.com is attempting to verify these allegations. Alleged victims in the United States include a credit union, a human resources company, an asphalt maker, and a digital media company.
Karakurt’s post, dubbed its Winter Data Leak Digest, states that “the amount of data we got speaks for itself. Which means there is a big hole in the IT department that allowed us to exfiltrate whatever we wanted.”
According to Accenture, Karakurt is a financially motivated threat group that was first spotted last June and began to escalate attacks at the end of the third quarter. It claims to have hit more than 40 victims in several sectors between September and November alone.
Unlike most ransomware attacks, which encrypt data, Accenture says that Karakurt focuses only on data exfiltration and extortion, threatening to release or sell the stolen data unless it is paid.
However, Brett Callow, a British Columbia-based threat analyst at Emsisoft, notes that what the gang is actually doing with the stolen data is not entirely clear. “They claim it will be sold but, although there is an auction page on their website, it just 404s [a “page not found” error message] and has done so since the site was launched,” he said.
While the gang varies its tactics depending on the victim, Accenture says it often uses a “living off the land” approach, meaning it takes advantage of the tools and weaknesses of a victim's IT environment, and often avoids the use of common post-exploitation tools like Cobalt Strike.
If the exfiltration-only model proves effective, Callow believes more gangs will adopt it this year because it is less risky than traditional encryption-based attacks. “They can still extort money, but probably think that there is less risk of attracting the attention of international law enforcement agencies because their attacks will not disrupt the flow of oil or the provision of medical care,” he said.