The ALPHV ransomware operation, aka BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company’s systems even as the company responded to the breach.
The leak comes after the threat actor warned Western Digital on April 17th that they would hurt them until they “cannot stand anymore” if a ransom was not paid.
A March cyberattack
On March 26th, Western Digital suffered a cyberattack where threat actors breached its internal network and stole company data. However, no ransomware was deployed and files were not encrypted.
In response, the company shut down its cloud services for two weeks, including My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, and SanDisk Ixpand Wireless Charger, together with linked mobile, desktop, and web apps.
TechCrunch first reported that an “unnamed” hacking group breached Western Digital, claiming to have stolen ten terabytes of data.
The threat actor reportedly shared with TechCrunch samples of the stolen data, which included files signed with Western Digital’s stolen code-signing keys, unlisted corporate phone numbers, and screenshots of other internal data.
The hackers also claimed to have stolen data from the company’s SAP Backoffice implementation.
While the intruder claimed not to be affiliated with the ALPHV ransomware operation, a message soon appeared on the gang’s data leak site, warning that Western Digital’s data would be leaked if they did not negotiate a ransom.
ALPHV taunts Western Digital
In a further attempt to taunt and embarrass Western Digital, security researcher Dominic Alvieri told BleepingComputer that the hackers released twenty-nine screenshots of emails, documents, and video conferences related to the company’s response to the attack.
When a company discovers it has been breached, one of the first countermeasures is to learn how the threat actor gained access to the network and block that path.
However, there is sometimes a gap between detection and response, allowing the adversary’s access to persist even after an attack is detected. This access allows them to monitor the company’s response as well as steal more data.
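The detection-to-response gap described above is something a response team can check for directly. The following is an added example, not code from the article or from Western Digital, showing one such check: given the timestamp at which responders believe the intruder's path was blocked and the account and source address seen during triage, it scans successful authentications after that point and flags both the known-bad account still logging in and the known-bad source reappearing under a different account (a sign that the intruder has moved to credentials not yet revoked). The log format, the containment timestamp, and the indicator values are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample authentication log; not data from the article or from Western Digital.
SAMPLE_LOG = """\
2023-04-01T09:12:03Z auth ok user=svc-backup src=203.0.113.7 method=password
2023-04-01T10:40:15Z auth ok user=jdoe src=198.51.100.22 method=mfa
2023-04-01T11:02:44Z auth ok user=svc-backup src=203.0.113.7 method=password
2023-04-02T03:15:09Z auth ok user=svc-backup src=203.0.113.7 method=password
2023-04-02T03:16:30Z auth ok user=dev-ci src=203.0.113.7 method=token
2023-04-02T08:00:01Z auth fail user=jdoe src=198.51.100.22 method=mfa
"""

# Hypothetical containment point: when responders believe the intruder's path was blocked.
CONTAINMENT_TIME = datetime(2023, 4, 1, 12, 0, tzinfo=timezone.utc)

# Hypothetical indicators gathered during triage: the account and source the intruder was seen using.
KNOWN_BAD_ACCOUNTS = {"svc-backup"}
KNOWN_BAD_SOURCES = {"203.0.113.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def find_residual_access(log_text, containment_time, bad_accounts, bad_sources):
    """Return successful logins after containment that reuse a known-bad account or source.

    A known-bad source paired with an account that was not flagged is reported with its own
    reason, because it suggests the intruder has moved to credentials not yet revoked.
    """
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        # Only successful authentications after the containment point are of interest here.
        if ev is None or ev["result"] != "ok" or ev["ts"] <= containment_time:
            continue
        if ev["user"] in bad_accounts:
            reason = "known-bad account still authenticating"
        elif ev["src"] in bad_sources:
            reason = "known-bad source using an account not yet flagged"
        else:
            continue
        findings.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"], "reason": reason})
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in find_residual_access(SAMPLE_LOG, CONTAINMENT_TIME, KNOWN_BAD_ACCOUNTS, KNOWN_BAD_SOURCES):
        print(f"{f['ts'].isoformat()} user={f['user']} src={f['src']}: {f['reason']}")
```

Run against the sample log, the check reports the `svc-backup` login on April 2nd and, a minute later, the same source address authenticating as `dev-ci`. The second finding is the one that matters for the gap the article describes: blocking the account seen during triage did not block the path, and the indicator set needs to grow before the response can be called complete.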
The screenshots leaked by ALPHV show video conferences and emails about the attack, and with them the threat actors are implying that they had continued access to some of Western Digital’s systems.
One image includes the “media holding statement” and another is an email about employees leaking information about the attack to the press.
Included with the leaked data is another message from the threat actors, where they claim to have customers’ personal information and a complete backup of WD’s SAP Backoffice implementation.
While the data appears to belong to Western Digital, BleepingComputer could not independently verify its source or if it was stolen during the attack.
At this time, Western Digital is not negotiating a ransom to prevent the leak of stolen data, which sparked further threats from the hackers.
“We know you have the link to our onion site. Approach with payment prepared, or [redacted] off. Brace yourselves for the gradual fallout,” reads ALPHV’s new warning to Western Digital.
Western Digital declined to comment regarding the leaked screenshots and claims by the threat actors.