Ca: Durham Region hit by cyberattack
Durham Radio News reports:
Durham Region has been hit by a recent cyberattack and experts are working to figure out what information may have been compromised.
That’s according to a statement from the region, which can be read below.
They say the vulnerability has since been addressed and the regional systems have been secured. There’s no word on what specifically led up to the attack.
Read more on Durham Radio News for their statement, which, unhelpfully, does not explain what happened. Nor does it name the third-party software provider responsible for the breach.
There is a strong likelihood that the breach is related to the threat actors known as CLOP, who this week dumped 6.5 GB of files on their leak site that they claim come from Durham.ca. With CLOP, however, it is not always clear whether they carried out the attack themselves or are simply listing attacks by partners or affiliates. Nor does their site tag which victims were part of the large Accellion breach of December and January, which some Accellion clients are only now discovering and disclosing, so it is not clear whether Accellion is the software provider being referred to (though it is possible).
DataBreaches.net has not completed acquiring the dumped data, but notes that one thing that may spare some people from wider dissemination of their data is that CLOP's downloads are painfully slow. That said, anyone in the Durham region should be prepared to receive messages threatening to disclose their data unless they pay the attackers an extortion amount. Most experts and law enforcement recommend against paying any extortion demand.
People in the Durham region should also be on guard against phishing attempts that use information the attackers acquired in the hack. Such attempts are often realistic and tailored to the target, using specific details that make them seem credible. If you get a request for your information or someone else's, do not provide it, and do not reply to the email or call any number given in it. Instead, look up the real phone number or email address of the person or organization supposedly contacting you, and use that to ask whether the message was genuinely from them.
Update: After looking at the 6.5 GB of files that CLOP have dumped so far for Durham, it appears that yes, this was from the Accellion breach. The directory listing shows folder names that are email addresses, which is what we see for those using Accellion's standalone server for their file transfer service. The January 21 date is also consistent with when CLOP was able to exploit one of the four vulnerabilities they found in Accellion's software.
As to the files themselves: without going into detail, there appear to be a lot of child-related and student-related files that have fallen into the hands of criminals. Hopefully Durham will make a full disclosure and notify those whose PII or PSI has been acquired.
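As an added illustration, not part of the original post, the following Python script triages a leak-dump directory listing the way the observation above does: it picks out top-level folders whose names are email addresses and counts how many files carry timestamps inside a date window supplied by the analyst. The listing is constructed sample data, and the window boundaries passed in are assumptions chosen for the example, not figures taken from the dump.

```python
import re
from datetime import datetime

# Constructed sample listing of (relative path, modification timestamp).
# These entries are invented for illustration and do not come from any dump.
SAMPLE_LISTING = [
    ("user1@agency.example/report.pdf", "2021-01-21 03:12:44"),
    ("user1@agency.example/attachment.zip", "2021-01-21 03:13:01"),
    ("user2@agency.example/minutes.docx", "2021-01-21 04:40:10"),
    ("misc/readme.txt", "2020-11-03 09:00:00"),
]

# A top-level folder name that looks like an email address (no slashes,
# whitespace or second '@', with a dotted domain part).
EMAIL_DIR = re.compile(r"^[^@/\s]+@[^@/\s]+\.[^@/\s]+$")


def triage_listing(entries, window_start, window_end):
    """Summarise a dump listing.

    Reports which top-level folders are named after email addresses (the
    pattern the post associates with Accellion's standalone file transfer
    server) and how many files have timestamps inside [window_start,
    window_end], the exploitation window the analyst wants to test against.
    """
    top_level = {}          # folder name -> True if it looks like an email
    in_window = 0
    for path, ts in entries:
        top = path.split("/", 1)[0]
        top_level.setdefault(top, bool(EMAIL_DIR.match(top)))
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if window_start <= when <= window_end:
            in_window += 1
    email_dirs = sorted(d for d, is_email in top_level.items() if is_email)
    other_dirs = sorted(d for d, is_email in top_level.items() if not is_email)
    return {
        "email_dirs": email_dirs,
        "other_dirs": other_dirs,
        "email_dir_ratio": len(email_dirs) / len(top_level) if top_level else 0.0,
        "files_in_window": in_window,
        "total_files": len(entries),
    }


if __name__ == "__main__":
    # Assumed window for the example: the day either side of January 21, 2021.
    summary = triage_listing(SAMPLE_LISTING,
                             datetime(2021, 1, 20), datetime(2021, 1, 22))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A high ratio of email-named folders combined with most file timestamps clustering in the window is the kind of quick, reproducible check an analyst can run over a listing before committing to a slow multi-gigabyte download; it is a heuristic, not proof of which product or vulnerability was involved.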