Luka Rijeka, a company that offers maritime transport, port, storage of goods and forwarding services in Rijeka, Croatia, has been hacked by the 8Base ransomware group.
The group claimed the attack on their dark web data leak site and professed that they’ve managed to grab the company’s invoices, receipts, employment contracts, personal data and files, accounting documents, and “a huge amount of confidential information”.
If the company does not pay the ransom, they plan to publish the stolen documents on Tuesday, December 10.
What happened?
Marko Mišković, a member of the company’s management board, confirmed for local news outlet Novi List that the attack was detected on November 30 (Saturday), and that the company’s IT service preemptively shut down the entire IT system. The relevant authorities have been apprised of the situation.
“As for the data that the attackers may have stolen, it is difficult to determine with certainty, but we are a company that is listed on the stock exchange, all our financial reports are publicly available, as well as our customer tariffs set by the Port Authority, so there are no particular secrets,” he said.
“We cannot say with certainty whether any personal data was downloaded from someone’s computer, but the damage to the [company] is non-existent, for now.”
The company has backups of all its data, he said. The IT system was restored on December 2 and is now fully functioning.
Marina Cesarac Dorčić, another Luka Rijeka board member, said that the company did not receive a demand for ransom.
“Our IT department is still reviewing all processes and situations, but for now everything is under control,” she told Večernji List.
“I would like to mention that in Luka Rijeka we are aware of such situations because five years ago we experienced a hacker attack, after which we raised the level of protection of our data to the highest possible level. This is exactly why we had no damage from this hacker attack; all our data and documents are protected and there was no threat to us or our business partners.”
About 8Base
8Base has been operating since early 2022. It offers ransomware-as-a-service and uses a customized version of the Phobos ransomware. It employs double extortion tactics: it encrypts and exfiltrates data, then threatens to leak it.
Despite being quite active in 2023, the group stopped posting entries on their leak site from June through September 2024.
“The group made a brief resurgence in late September, establishing their data leak site on new hosting services and publishing data from several compromised victims. This revival was short-lived, as 8base ceased activities again in October 2024,” Trellix researchers said.
“There are speculations that 8base’s periods of inactivity might be connected to the Phobos ransomware operations decline, suggesting possible shared affiliates or operators between the two groups. The simultaneous quiet periods could potentially be attributed to law enforcement actions affecting both ransomware gangs’ operations.”
But it seems that they are back in action.
Aside from Luka Rijeka, they also claim to have breached Madrid-based Originpath Group, Canadian company Mint Pharmaceuticals, and Japanese manufacturing company Iseki Agricultural Machinery.
But what data, if any, has actually been compromised is currently unknown. (8Base’s posts for each of these companies are boilerplate: they list the same type of data, in the same order.)