By publishing stolen data, hackers are increasing the pressure on Stadler and claiming six million dollars

The first data has surfaced on the Internet that cybercriminals stole from the rail vehicle manufacturer. They blackmail Stadler with the threat of publishing further data. A security expert strongly advises against communicating with the perpetrators, let alone paying.

Production at Stadler continues: factory at the headquarters in Bussnang.

Picture: Urs Bucher

Rail vehicle manufacturer Stadler publicized a cyberattack on its IT network three weeks ago. The unknown perpetrators have therefore attacked the system with malware (ransomware) and stolen data of unknown dimensions. Stadler’s criminals want to extort “large amounts of money” by threatening to publish the data.

Now some light seems to come into the dark: On a recently opened Twitter account called Ransom Leaks, first pictures of the alleged data theft have appeared. The “Tages-Anzeiger” made this public.

Stadler does not want to get involved with the extortionists

Stadler confirms the publication of data and documents on request. Stadler was extorted into Bitcoin for a total of $ 6 million, as company spokeswoman Marina Winder writes. And further:

“Stadler is and was never prepared to make payments to the extortionists and did not enter into the negotiations.”

As a result, the perpetrators have now published Stadler’s internal documents “to harm Stadler and his employees”. These are confidential documents and data that Stadler stole by criminal means.

Stadler boss Peter Spuhler: The cybercriminals want to extort six million dollars from his company.

Stadler boss Peter Spuhler: The cybercriminals want to extort six million dollars from his company.

Picture: Urs Bucher

Notes on annual financial statements, loan agreements, land purchase

Stadler also points out that the use and use of the documents and data is illegal, supports crime and supports a steady increase in further cyber attacks on companies of all kinds. Stadler has initiated criminal proceedings and is cooperating with all the relevant authorities. The Thurgau public prosecutor’s office is investigating. Because the entire group of companies is affected by the cyber attack, Stadler contacted the data protection authorities in all countries with branches.

The pictures published on Twitter show references to annual financial statements, budgets, a syndicated loan agreement with UBS, the ruling with the canton of Thurgau regarding tax relief, documents in connection with Stadler’s auditing company KPMG, construction projects at the Altenrhein location or a land purchase in Erlen, where Stadler is located inaugurated its new commissioning center ten years ago. All of the data appear to be older and to be from 2008 to 2016.

Perpetrators threaten further releases

Image on Twitter, which is supposed to prove the data theft at Stadler.

Image on Twitter, which is supposed to prove the data theft at Stadler.

Image: Twitter

In the ransom leaks tweet, the extortionists say that they have now published a first part of the data that they have captured with malware called Nefilim when they attacked Stadler. This shows that you have the data and gives Stadler a chance to pay before otherwise publishing part two of the data.

Another Twitter picture shows mainly documents related to Stadler's auditing company KPMG.

Another Twitter picture shows mainly documents related to Stadler’s auditing company KPMG.

Image: Twitter

When things could get tricky for Stadler

Stadler had emphasized that the back-up data from the allegedly stolen data were working. Therefore, the production of new trains and the provision of services can continue as usual.

The hackers therefore threaten to publish data. This can be tricky for Stadler if data about employees or customers is published.

The Australian Toll Group was also infiltrated

If malware called Nefilim was actually used when attacking Stadler, this would not be the first case. The Australian transport and logistics company Toll is also affected.

This was infiltrated by Nefilim at the beginning of the month, with the hackers gaining access to pay lists, among other things. In February, the Toll Group’s IT systems had already been significantly damaged by an attack with malware called Mailto.

This is how a security expert judged Nefilim

In a two-month-old article on the security portal, its founder Tomas Meskauskas writes about Nefilim. This malicious program works by encrypting the data of infected systems using cryptographic algorithms that cannot be decrypted using third-party software.

According to Meskauskas, decryption is not possible without the unique decryption key that is owned by the cybercriminals. These criminals promise to restore the affected data quickly and safely if their demands are met.

Usually a period of seven days

The perpetrators also claim to have filtered out a large amount of data. The hacked company is usually asked to contact you within seven working days, otherwise the data would be published. The same thing happens if the perpetrators’ demands for money are not answered.

Meskauskas strongly advises against communicating with criminals and meeting criminals’ requirements. Because, despite payment, victims often do not receive the tools necessary to restore their data, or they are published despite payment.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.