Fraunhofer Institute hacked – criminals demand 2 million on the dark net

“Whoever owns the information owns the world”: This quote from German-British banker Nathan Mayer Rothschild († 1836) is written on the homepage of the illegal Darknet platform “Industrial Spy”, where stolen data is offered for sale.

More than 300GB of internal and confidential data from a well-known research institution is being offered for sale via an illegal website called “Industrial Spy”, as Watson’s research shows. There are more victims.

05/04/2022, 07:01 / 05/05/2022, 08:45

Daniel Schurter

Unknown people hacked into a famous German research institute and seized valuable digital documents. These are now being offered via a new underground marketplace called “Industrial Spy”.

The affected institute is the Fraunhofer Institute for Microstructure of Materials and Systems (IMWS), as research conducted by Watson shows. IT security expert Matthias Fuchs said when asked that signs of industrial espionage online have indeed been increasing recently.

What happened?

Unknown criminals want to sell more than 320 gigabytes of stolen data to an exclusive buyer on the dark web in an auction that will run for another two days. For this they are asking the hefty sum of 2.2 million US dollars.

Little is known about the content of the files allegedly stolen from the Fraunhofer Research Institute. The purchase price is 2.2 million in bitcoin. Screenshot: watson

Almost certainly, these are the files that were stolen from the Fraunhofer Institute for Microstructure of Materials and Systems (IMWS) during a hacker attack in April.

The Darknet page for the illegal offer, which Watson was able to view on Tuesday, says:

“Various technologies have been downloaded, as well as personal information about staff and students.”

Source: the dark web

The Industrial Spy page also notes that the corresponding attack occurred on April 14.

How does Fraunhofer react?

Media spokesperson Roman Möllmann confirmed in a written statement on Tuesday evening that the Fraunhofer Institute for Microstructure of Materials and Systems (IMWS) in the eastern German city of Halle had “recently” become the target of a “limited cyber attack”.

“All on-site systems were immediately removed from the network and shut down as a precaution. Fraunhofer has already comprehensively responded to the incident and has taken precautions to limit damage as much as possible, and bring the situation under control. According to current knowledge, this is a local incident affecting only Fraunhofer IMWS.”

Fraunhofer is working closely with the responsible security authorities. According to the spokesperson, Fraunhofer’s own research institutes will also contribute their specialized expertise. At the same time, the working capacity of the institute and of all affected employees is being restored.

Who is responsible for the hacker attack?

This is unknown.

“We ask for your understanding that we can only comment on further background and facts – also for reasons of investigative tactics – when the incident is fully clarified.”

Roman Möllmann, Fraunhofer-Gesellschaft

So we don’t know if it was an attack by a traditional ransomware gang or a hacker group specializing in industrial espionage.

An attractive target

The Fraunhofer-Gesellschaft is based in Germany and claims to be the world’s leading organization in applied research. On its website, it says the focus is on “key technologies relevant to the future and on harnessing results in business and industry”.

Founded in 1949, the organization currently operates 76 institutes and research facilities and employs more than 30,000 people, most of whom have a degree in science or engineering. The annual research budget is 2.9 billion euros.

What makes “Industrial Spy” so dangerous?

Industrial Spy, a Darknet site reachable via the Tor anonymization network, was launched just a few weeks ago. In mid-April, the IT news site Bleeping Computer reported on a new marketplace that sells stolen data from hacked companies and also offers registered members older stolen data for free.

The operators initially try to sell the valuable data sets exclusively. If that doesn’t work, they offer the stolen files individually for download. Photo: Watson

The anonymous operators also run a Telegram channel to promote their Darknet platform and sell stolen data. The Twitter profile of the same name has already been blocked by Twitter.

The Telegram channel says about Industrial Spy:

“There you can buy or download private and threatening data of your competitors for free. We publish blueprints, graphics, techniques, political and military secrets, accounting reports, and customer databases.”

Source: Telegram

The platform operators write frankly that they want to enable industrial espionage with their site. Buyers of the data should be able to beat the competition.

“With our information, you can refuse to partner with unscrupulous partners, reveal dirty secrets to your competitors and enemies, and earn millions of dollars in inside information.”

It is not entirely clear how the operators of Industrial Spy obtained the stolen data. They claim to exploit weaknesses in the IT infrastructure of companies and multinational organizations.

According to a Bleeping Computer report at the time, it would come as no surprise if criminals used the marketplace to force victims to buy back their own stolen data. In other words, those affected are put under pressure because they fear that their valuable documents will fall into the hands of third parties. A similar approach by ransomware gangs is known as “double extortion”.

Who is behind “Industrial Spy”?

This is unknown.

A security researcher tweeted in late April that he received a response in Cyrillic on the dark web site when he (incorrectly) filled out its online registration form.

Apparently, the security researcher entered something invalid when registering, at which point he received a system message in Cyrillic saying that the “login” could contain only numbers, letters and Latin symbols. Google Translate recognizes the characters (above) as Russian. Screenshot: Twitter

Bleeping Computer first learned from the independent security researchers of MalwareHunterTeam that the operators were advertising their Darknet platform in an unusual way: executable malware files were distributed via websites offering questionable software (adware and crack sites). When users opened the downloaded file on their device, a “README.txt” file was automatically generated that pointed to Industrial Spy or advertised the site. *

According to security researchers, this indicates that the operators of the “Industrial Spy” website are most likely working with adware and crack distributors.

Bleeping Computer reported that other malware, for example STOP ransomware and data-stealing trojans, was installed together with the Industrial Spy advertising malware.

* The same message can be found in the Telegram channel, which went live on April 15, 2022 (see above).

If the data packs do not find an exclusive buyer after 7 days, they are offered at a lower price and finally made available for free. Screenshot: watson

Coincidence? In an article published by swisscybersecurity.net on Monday, IT security expert Matthias Fuchs was quoted with a revealing sentence: “signs of industrial espionage” are now piling up.

When asked by Watson, the security researcher, who holds the title of “Head of Investigations and Intelligence” at the Swiss cybersecurity firm InfoGuard, explained that increased activity by North Korean hackers has been recorded in recent months. He stresses that industrial espionage is generally harder to detect and combat than traditional ransomware attacks, because no data is encrypted.

Fuchs also stresses that the North Koreans cannot be linked to the Industrial Spy platform and that only specific actions regarding aggressive infiltration with ransomware groups would overlap.

“North Koreans have always wanted to make money outright,” the InfoGuard expert explains. Currently, the hackers’ “marketing funnels” are probably more direct. “We don’t know who their customers are,” Fuchs says.

Who else is listed on “Industrial Spy”?

As mentioned earlier, the dark web marketplace launched just a few weeks ago. The list of victims includes multinational companies and organizations from many countries in Europe, America and Asia. Among others:

  • KSB (Germany / France)
  • APSM Systems (USA)
  • Enviroplas (USA)
  • MEIJI Corporation (USA)
  • Avion Tech (Canada)
  • MDIndia Insurance (India)
  • Network Contacts (Italy)
  • IAR Systems (Sweden)
  • IN2 (UK)
  • Wenco (Chile)
  • etc.

Some of the affected companies whose files are sold individually on Industrial Spy demonstrably stem from earlier ransomware attacks. For example, 200 GB from DiaSorin, a leader in the in vitro diagnostics market, which were published in 2021 via a “leak site” on the Darknet.

A ransomware attack is also suspected in the case of German pump and valve maker KSB, the latest victim added to Industrial Spy on Tuesday.

Individual files are sold for $2. Screenshot: watson

Heise.de reported that the company was indeed the target of a cyber attack in a European country last year. The manufacturer dealt with that incident successfully. Now, however, the data loss appears to be significant: a total of 46GB of internal documents is offered for sale on the Darknet market. In its first statements, the company announced that no customer data had been leaked.

Industrial Spy is likely to grab more headlines. In the coming weeks, cybersecurity professionals will be keeping a close eye on the new victims.

Insider info?

Watson editor Daniel Schurter can also be contacted anonymously via the encrypted Swiss messaging app Threema. His Threema ID is: ACYMFHZX. Or write to daniel.schurter [at] protonmail.com. If you sign up with the Swiss secure mail provider (for free), you can send encrypted emails.
