CTAG was attacked by the Sodinokibi ransomware in October

CTAG, Galician Automotive Technology Center, is one of the leading European research and development centers in the automotive world.

This technology center is located in Galicia, specifically in Porriño (Pontevedra). It offers test tracks for autonomous and connected driving, but its range of services is much broader. According to its website, its main objective is “to improve the competitiveness of automotive companies by incorporating new technologies and promoting development, research and technological innovation”.

CTAG was one of the members of the 5GCAR project launched in 2007 under the leadership of Ericsson, which also included Bosch, Huawei, Nokia, Orange, PSA and Volvo Cars. In July 2019, the PSA Group announced that, together with CTAG, it would test how communication technologies contribute to the development of automated vehicle functions in an urban environment, an experiment that is part of the European autopilot project started in early 2017.

According to the French media outlet LeMagIT, a sample of the Sodinokibi ransomware has been discovered that appears to have been used to attack CTAG's information systems.

Contact between the cyber criminals and the victim began on November 6, 2020. REvil, the cybercriminal group behind the Sodinokibi ransomware, initially demanded 300,000 US dollars. When there was no answer, the amount was doubled, to which the Galician group replied: “Do we really have to pay?” The next day, to open the door to a possible negotiation, the attackers told the victim to “offer and we will consider”. At this point CTAG withdrew and made no further attempt to contact REvil.

On the morning of December 18, having received no response, the blackmailers followed up with images showing elements of CTAG's IT infrastructure, and even with documents relating to a Delphi part for a version that was being developed for Peugeot in 2018.

The image below shows some of the information the cyber criminals sent as evidence. It was posted on the Happy Blog (a dark web blog accessible only via Tor):

Alongside that post, the cyber criminals added the following message: “We’re ready to listen to your offer and offer you a discount.”

In addition to this image, they posted a few more in which the victim's machines, systems and IPs could be seen listed. They also attached a table of users with their full first and last names, indicating whether each user was active in the system, whether they could change their password, and so on.

According to the search engine “Onyphe”, by mid-October CTAG had taken down remote access systems that had been exposed on the Internet with security flaws attackers could exploit: a Fortinet device affected by CVE-2018-13379 and a Cisco ASA affected by CVE-2020-2021. Exploiting these vectors is believed to be how the REvil group carried out this attack.

Source: LeMagIT

Copyright © Grupo Edefa SA Reproduction, in whole or in part, of this article is prohibited without the prior authorization of the publisher.