Sheep In Wolf’s Clothing: Obscure Ransomware Gang Claims Coca-Cola’s Scalp

essidsolutions

Coca-Cola, the world’s largest soft-drink maker, said it is investigating claims of a breach and theft of 161 GB of data from its systems by a hacker group calling itself Stormous. The group has a history of making unsubstantiated claims, recently declared support for Russia, and previously threatened to disrupt “western unions.”

Coca-Cola acknowledged the recent cyber incident on its systems and said it is investigating the Stormous ransomware gang’s claims. Screenshots of the group’s Telegram channel show it claiming to have stolen 161 GB of data from the American beverage maker.

The ransomware gang posted a similar message on its data leak site and demanded 1.65 bitcoins (~$64,000), a surprisingly low amount for the size of the data, especially considering the average ransom demand in 2021 was $2.2 million. The stolen data allegedly includes documents and text files containing financial data, emails, passwords, commercial accounts, etc., all of which the group has put up for sale.

Stolen Coca-Cola Data by Stormous | Source: CISO Advisor

The attack on Coca-Cola came a week after the gang conducted a poll to decide on its next victim. Coca-Cola received the highest number of votes among the contenders that included Mattel (toy manufacturing), Danaher (biotech, healthcare manufacturing), Blackboard (ed tech), and GE Aviation (aviation).

Stormous Poll

Following the poll, Stormous posted the following on their Telegram channel:

“Since it was a vote on giant beverage company ( Coca-Cola ) ! we hacked some of their servers and went over (161G) ! But the situation is not always as we want to sell it by any other ways we have opened our store on our own website in the dark web ! This company was the first victim. Browse a little on our site If you want to buy you can contact us and we will provide you some required data as initial proof! Then you can pay or buy depending on the amount of data you want ! Warning : It will only be a way to sell data to some big companies but for other companies we will leak their data like we always did !! Browse our site ! : http://XXXXXXXXXXXXXXXXXXXXXXXX.onion/datashop.html.”

This is inconsistent with run-of-the-mill ransomware operations and leans more toward cyber extortion. Neither Coca-Cola nor Stormous mentioned that ransomware was deployed to encrypt the stolen data.


Alon Schwartz, a security researcher at Logpoint Global Services, told Toolbox, “The Stormous group are relatively new to the scene and much of the previous activity shared has been small scale targets on universities and schools in India for example, and more recently, they have been seen to be claiming and recycling old breaches carried out by other ransomware groups.”

Previously, Stormous claimed that it stole 200 GB of data from Epic Games and the information of 33 million of its users. However, the legitimacy of these claims remains questionable.

Stormous made a similar claim about the Ministry of Foreign Affairs of Ukraine. It said it hacked the ministry’s database and stole sensitive information such as phone numbers, emails, passwords, and card numbers. SOCRadar confirmed that this data had already been circulating freely on the dark web for a long time.

“Attacks by the Stormous ransomware group are also called ‘scavenger operations’ in cybersecurity,” explained digital risk protection company SOCRadar. “These operations are carried out by targeting companies whose data was leaked by another threat actor before. However, the general opinion about Stormous is that it is a scam.”

Cybersecurity company ZeroFox also dismissed cyberattack claims made by Stormous going back to July 2021 as unverified.

Additionally, Schwartz expressed doubt about whether Stormous carried out the attack. He said, “Based on the timing of the poll and the declaration of when the breach occurred, I would say that it’s unlikely they were able to carry out a breach of this scale in such a short period of time. I wouldn’t be surprised if all of the companies listed on the initial poll hadn’t been breached already, in which case, the Stormous group could slowly trickle out this information over the coming months.”

Meanwhile, Coca-Cola’s Global VP for external and financial communications, Scott Leith, stated, “We are aware of this matter and are investigating to determine the validity of the claim.”

All five contenders in Stormous’ poll were American companies, which is consistent with the group’s claim that it primarily targets western companies. In March this year, Stormous posted a message confirming it was “being attacked by some cyber security companies in the U.S.” and that it would “do our best to disrupt the various western unions.”

Now, Coca-Cola being targeted doesn’t make sense, given it doesn’t operate in a critical sector. But the company did pull out of Russia and suspended all sales and operations in March following consumer pressure. On the other hand, Stormous has publicly declared support for Russia in the ongoing conflict in Ukraine.

“The Stromous team has officially announced its support for the Russian governments. And if any party in different parts of the world decides to organize a cyber attack or cyberattacks against Russia, we will be in the right direction, will make all our efforts to abandon the supplication of the West, especially the infrastructure,” the group posted in March.

The post continues, “Perhaps the hacking operation that our team carried out for the government of Ukraine and a Ukrainian airline was just a simple operation, but what is coming will be bigger.” The message was also posted in Arabic, which is odd because the members speak Russian.

Around the same time, researchers at SOCRadar suggested this may be a ploy by a group that “may be trying to create an agenda to make its name known and may want to consolidate its reputation with actual attacks later on.”

Whether Coca-Cola was actually breached and robbed of hundreds of gigabytes of data or if this is just another scavenger operation by Stormous remains to be seen. The fact that the group has set the asking price for 161 GB of data at just over $64,000 points to the latter.

“All of the companies listed will no doubt be investigating this as we speak, and the Coca-Cola breach, whether genuine or not, is a warning to organizations to ensure they have continued visibility into their infrastructure, with real time monitoring and automation to see who is interacting with their data and detect and respond optimally to cyber events,” Schwartz concluded.
