Rachelle Younglai reports:

Detour Gold Corp. is reaching out to former and current employees to tell them that their personal information may have been compromised due to a cyber attack. Detour, which operates one gold mine in Ontario, did not say when its server was hacked or how many employees have been affected by the security breach.

[…]

As far back as April, the website databreaches.net had warned Detour that its system had been compromised, exposing confidential data such as employees’ social insurance numbers and information on Detour’s deals.

Read more on The Globe and Mail.

The following is the full text of Detour Gold’s press release, which appears on their web site:

TORONTO, ONTARIO–(Marketwired – June 30, 2015) – Detour Gold Corporation (TSX:DGC) (“Detour Gold” or the “Company”) has been the subject of an illegal breach of its IT systems which has resulted in confidential information, including company and personnel information, being accessed and disclosed by hackers. The Company has determined that the stolen information includes personal information of Detour Gold’s employees (current and former) as well as of individuals to whom Detour Gold made a formal offer of employment.

External and internal IT experts are continuing to assess the risks of further illegal access to Detour Gold’s systems and are taking steps to eliminate such risks. We are also continuing to investigate the source of the breach and are in contact with the police and federal authorities who are assisting the Company. We are also taking steps to reduce the risk of further confidential information being accessed by establishing additional safeguards within our systems.

Our highest priority, and the primary reason for issuance of this news release, is to help those people whose personal information was compromised to protect themselves against the unauthorized use of their personal information.

We are in the process of contacting former employees and individuals who received offers of employment from Detour Gold who may have provided personal information to us in that context. While we are endeavoring to contact all people affected by this, if you fall within one of these groups and have not yet been contacted by Detour Gold, please contact us immediately in order to receive identity theft monitoring services which the Company is making available through a third party service provider.

You can reach us via:

Telephone access:
Toll-free (North America): 1-855-870-8647
Cochrane, Ontario: 647-847-2089, ext. 4367
Email: [email protected]
Since April, DataBreaches.net has been reporting on the hack of a small Canadian gold-mining firm, Detour Gold. As noted in April, hackers who call themselves Angels_of_Truth claim to have hacked Detour Gold in revenge for Canada’s economic sanctions on Russia. Their statements have been written in both English and Russian.

Following the first paste and dump, the hackers contacted DataBreaches.net in May, and again this past week, to point this site to additional data dumps that indicate that the hackers had (and appear to still have) access to Detour Gold’s system.

Consistent with this site’s policy of not directly linking to data dumps that include personal information, DataBreaches.net did not publish the urls for the data dumps and pastes. That information has begun to circulate anyway, however, which means that Detour Gold employees are now at even greater risk of identity theft and the company’s corporate information and accounts are more widely available to those who might misuse the information.

As but one example, one of the files the hackers sent to this site included all credit card details on a corporate credit card used by the firm’s CEO. The authorization form included images of the front and back of the credit card, his signature, and a photocopy of his driver’s license with his date of birth and all other details. The credit card number is not an expired number unless Detour Gold has since cancelled it.

Lee J. of CyberWarNews.info has analyzed the 18 GB dump of Detour Gold corporate and employee information and has uploaded his analysis here. Note the wealth of employee information, most of which was not encrypted. Lee reports that information was available on a total of 1,312 on-site and off-site employees, with credentials sorted into folders with insurance, health and driver’s license details.

Of these 1,312 employees, 1,161 were current employees, 127 were terminated employees, 70 were individuals who had been offered employment but had not accepted the offer, and 22 were on pending position offers.

Information on the employees includes:

- Background checks
- Declaration of criminal record documents
- Criminal information centre documents
- Social Insurance Numbers, Health Card Numbers, Driver’s License Numbers, full names, dates of birth, signatures, emails, phones, home addresses, background history from very detailed resumes, banking information and related payroll information
- Employment conditions, offers, terms and information such as salaries and duties
- Interview notes, including full copies of the application
- Reference check forms used as a checklist of what to ask and the answers given
- Fitness to work assessments
- Students’ details from “summer employment offers,” which include full names, dates of birth, home addresses and study information, as well as the information already mentioned above

There were 1,049 unique Social Insurance Numbers for the entire data dump. In other words, more than enough information to accomplish identity theft.

In addition to the risk of identity theft, detailed documents concerning the termination of employment reveal transgressions by named employees that they might not wish to see in the public domain. And of course, this is all apart from the company’s proprietary information that has also now been dumped for the public.

When asked about the lack of encryption, Lee informed DataBreaches.net:

My analysis found that at least 98% of the material was unencrypted. Some payroll information is protected, but I suspect that it would be relatively easy to crack the protection. Detour Gold has stored a lot of clear text credentials in very obvious files, which makes it very understandable how a breach of this magnitude has happened.

But who are the Angels_Of_Truth? Are they really Russian hackers? It’s hard to believe that Russian hackers would target such a small firm instead of a government agency or larger corporation if they want to make a political point. Attempts to reach the hackers using an email address that had worked in the past failed to reach them yesterday. Hopefully, if they see this post, they will get in touch with this site.
Update and Correction: The hacker(s) is/are likely not Russian, but Canadian.

If you’ve been employed by Detour Gold at any time since 2007, your personal information may already have been acquired and dumped by Russian hackers – including your name, date of birth, salary information, employment details, and Social Insurance Number. And if your employment history included any medical, disability, or disciplinary records, they may be exposed on the Internet now, too.

On April 21, and again on May 3, this site reported that Detour Gold Corporation (TSX: DGC) appeared to have been massively hacked with corporate and employee information dumped. In response to the hackers’ claims that they still had access to Detour Gold’s databases, Detour Gold’s IT Manager, Reza Alirezaei, had informed DataBreaches.net, “We are monitoring our network perimeters with the monitoring tools we have and we don’t see any suspicious activities.”

Perhaps they can see it now.

The hackers, who call themselves the Angels_Of_Truth, have dumped even more data. Inspection of what they sent DataBreaches.net indicates that the data dump includes employee information that was generated after the April 21st date of their first dump – and includes files dated as recently as May 20, 2015, supporting their claim that they have had ongoing access to Detour Gold’s system.

The hackers write:

Detour Gold seems to remain oblivious to the fact their computer network and all the personal customer / employee data as well as sensitive corporate data has been compromised. The network remains up online and all the data still unencrypted and available for all to see.

We have taken over 100 Gigs of data from the Detour Gold computer network covering from 2007 – present day, yet again we have decided to leak more data, 18 Gigs of raw copies of some of the compromised documents are available via torrent download located here: [url redacted by DataBreaches.net as per this site’s policy concerning claimed data dumps that include personal information]

The Angels_Of_Truth continue to maintain access to the Detour Gold network, even after we have already leaked data on two separate occasions, this is our 3rd and largest data leak yet, with more to follow. As long as economic sanctions persist on Russia so will cyber attacks on the Canadian economic sector.

(we included some SIN numbers at the bottom of the paste)

So far, there doesn’t seem to be any impact on economic sanctions, but this appears to be one of the worst, if not the worst, hacks of a Canadian corporation.

According to the hackers, data available in the torrent includes:

- employee/customer personal information, phone numbers, emails, mailing addresses
- employee/customer termination reports
- employee salary information
- bonus information and severance packages
- employee/customer SINs, scans of driver licenses
- birth certificates
- health cards
- contractors
- confidential deals
- donations, political party donations
- credit card numbers, statements and transactions
- medical records, drug tests etc
- employee stock options
- IT Rapid7 vulnerability reports
- legal documents
- invoices of expenses
- employee performance reviews
- employee T4’s and other tax documents
- and much more

Inspection of what they submitted to DataBreaches.net appears to confirm their description. The Rapid7 audit report was generated April 26, 2015, and a copy of a political donation check reveals Detour Gold’s bank routing number and account number. A paste describing the data dump contains 37 Social Insurance Numbers of employees/customers. None of the data are encrypted.
As noted above, Detour Gold stated on May 3 that they did not see any evidence the hackers still had access, but yesterday’s data dump includes more recent material such as the following employee termination letter, which is being redacted by DataBreaches.net to delete the employee’s details:

Registered and Electronic Mail
May 20, 2015
Confidential

[First Name and Last Name Redacted]
[Postal Address Redacted]
Thunder Bay, ON P7C 5Z2
[redacted]@hotmail.com

Dear [Redacted]:

This letter serves to confirm your discussion with Larry Lazeski – Mine Operations Superintendent on May 20, 2015, advising you that your employment with Detour Gold is terminated effective immediately. In this regard, we are providing the following arrangement:

[…]

[Redacted], we wish you well in your future endeavours.

Sincerely,
Craig Rintoul
Open Pit Manager

A letter to the same employee dated May 19, 2015 from Rintoul began:

Dear [redacted]

We attempted to contact you multiple times on May 15, 16, 17, 18 and 19 to discuss your employment status, however unfortunately we were unable to reach you. This letter will confirm our decision to terminate your employment effective May 19, 2015. The decision to do so comes after a thorough consideration of your employment history and recent serious safety incident. In this regard, we are providing the following arrangement:

Detour Gold had notified the Privacy Commissioner of Canada and affected employees after the earlier reports. They had also involved the Canadian Incident Response Center, and were reportedly working with several security advisors to resolve the issue.

DataBreaches.net emailed Detour Gold yesterday to ask for a statement about the latest data dump and what appears to be ongoing access to their network. They were not aware of the paste or the data dump until this site notified them, and said they would have Human Resources confirm or deny the authenticity of the employee termination letter.

As of the time of this publication, they reneged on their statement that they would confirm or deny the authenticity of the exposed termination letter and sent only the following statement: “We are reviewing the matter and taking appropriate actions.”

DataBreaches.net has reached out to the employee whose termination letter was exposed to ask for his reaction and will update this post as more information becomes available, but it seems clear Detour Gold has an ongoing and very serious problem.
I had told Detour Gold to keep an eye out for future data dumps when I spoke with them weeks ago to notify them that they had been hacked, and I wasn’t surprised to receive an email last night from someone pointing me to a new data dump.

The data dump includes personal information on employees as well as login credentials, corporate information and server information. As is this site’s policy, I’m not linking to the data dump because of the personal information involved.

Of additional concern, the hackers claimed that they still have access:

Detour Gold has still failed to protect its data and the data of its customers and employees, even after releasing a data dump of sensitive corporate material we still maintain access to Detour Gold’s computer network and all the data contained within.

Much of the data dumped last night could have been part of the original hack, as I’m not really seeing anything dated after the last dump.

DataBreaches.net sent a courtesy notification to Detour Gold’s IT Manager this morning to alert them, as the paste was still up when I checked. I just received a reply from him that they were already aware of the new data dump and were working to get it removed. He noted that “It’s pretty much the same data that was dumped before plus a few new pictures.”

In response to my inquiry about the hackers’ claims that they still had full access, he replied, “We are monitoring our network perimeters with the monitoring tools we have and we don’t see any suspicious activities.”

According to the IT Manager, Detour Gold had notified everyone whose personal information was exposed in the last data dump, and had notified the Privacy Commissioner, involved the Canadian Incident Response Center, and were also working with several security advisors to resolve the issue.

So that’s where things stand right now. If the hackers have any proof that they still have access that they can send me, I’ll try to follow up.
It looks like Detour Gold Corporation (TSX: DGC) was massively hacked. In a paste by “Angel_of_Truth,” the hackers explain their motivation in both Russian and then English:

This attack on a Canadian company is retribution for Canada’s sanctions on Russia,
And the ongoing efforts to undermine Russia by the West.
Below is some of the data that was stolen out of Detour Gold’s (DGC:TSX) computer network,
Detour Gold’s entire computer network was under Russian control for over 2 years.
We have decided to release some of the hacked data with more to come in the near future, today’s post includes:

Employee Data
Radio Data
Incident Reports & Gold Shipments
Supervisors Personal Data

These attacks will continue until Canada stops being a slave for the United States

And yes, they dumped a lot of data, including disciplinary reports on named employees, medical complaints, and other personal information. Because personal data is involved, DataBreaches.net is not linking to the data dump or providing examples.

DataBreaches.net attempted to contact Detour Gold to ensure that they are aware of the hack and that personal and corporate data have been exposed. After 20 minutes of not being able to reach anyone through their web site information for contacts and wondering whether their Media contact would even see my email before tomorrow, I finally smacked myself in the head and consulted the hacked data to get a name and phone number to call. So yes, if they didn’t know before, at least one executive now knows and will be forwarding an email with details to their IT security.

Update: Their IT Security Department called me to tell me they received my message and are looking into it.
While a number of U.S. casinos have reported payment card breaches over the past four years, a new report from Mandiant indicates that some casinos in Canada appear to have been under attack from hackers who, after acquiring customer and corporate data, attempt to extort the casinos. Whether all of the Canadian casinos that have disclosed hacks have also received extortion demands is not clear, but over the past few years, this site has reported hacks involving Casino Rama, Grey Eagle, Cowboys Casino, and River Cree. Not one of them has publicly stated that they received an extortion demand, and Mandiant is not revealing nor confirming the identity of any victims.

In addition to casinos, some Canadian mining companies have also been hacked and may also have received extortion demands. Although DataBreaches.net cannot be sure in all instances, this site has reported on hacks of Detour Gold and GoldCorp that fit the pattern seen with the casinos. In GoldCorp’s case, the firm publicly acknowledged the hack and informed media that there had been an extortion demand.

In at least one of the mining hacks and at least one of the casino hacks, DataBreaches.net was contacted via email by people to alert this site to the breach and pastes on sites such as Pastebin and JustPaste.it. In a short email interview, the hacker claimed that the motivation for the hack of the mining company was political and retaliatory, but as Mandiant’s report notes, the Russian-English in the paste was not particularly convincing, and their responses to me – just sending links to some news stories – did not seem particularly compelling.

In a new report released today, Mandiant calls the threat actors “FIN10,” and notes that their activities are not confined just to Canada. Of note, their report states:

FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.

OK, “FIN10” doesn’t have a particularly sexy sound to it, and these threat actors do not seem to have settled upon one name that they are using/advertising as their “brand,” sometimes calling themselves “Angels_of_Truth” and at other times, “Tesla Team,” but their potential to do damage appears severe. The report outlines what appears to be their tactics, techniques and procedures.

And like TheDarkOverlord, FIN10 uses the media and blogs like DataBreaches.net to increase public pressure on their victims, although they are more reticent in their use of media and response to media inquiries. As but one difference, TheDarkOverlord is very public about demanding extortion from named victims. I have yet to see FIN10 issue any public statement where they specifically acknowledged demanding extortion. FIN10 also allegedly gives their victims a much shorter deadline to comply with the extortion demands: 10 days until the first data dump, and then a second data dump after another 72 hours.

Their attacks are a good reminder why corporations should either already have bitcoin on hand or at least know how to acquire it if they decide they need to pay an extortion demand at some point.

You can read Mandiant’s full report on FIN10: Anatomy of a Cyber Extortion Operation.