A ransomware attack with ties to North Korea took down cloud hosting provider Data Resolution’s systems on Christmas Eve. The California-based company provides software hosting, cloud computing, and data center services for about 30,000 businesses worldwide.
As first reported by KrebsOnSecurity, the attackers used a compromised login account to infect servers with Ryuk ransomware. In August, Check Point threat researchers linked Ryuk to the North Korean Lazarus Group, also known as Hidden Cobra. This is the state-sponsored group believed to be behind the WannaCry attack in 2017. And over the weekend, Ryuk malware infected the Los Angeles Times’ Olympic printing plant in downtown Los Angeles. This attack delayed that newspaper’s Saturday editions as well as the West Coast editions of the Wall Street Journal and New York Times, which are also printed at that plant.
Data Resolution did not immediately respond to a request for comment.
According to security researcher Brian Krebs, the attack gave hackers control of Data Resolution’s data center domain, locking the company out of its own systems and forcing it to shut down its network. A Jan. 2 status update shared with customers said the cloud hosting provider is still working to restore email access and multiple databases for clients and is in the process of restoring service for companies that use it to host Microsoft Dynamics GP, a popular accounting and payroll application.
Data Resolution reportedly told customers that no data was stolen. But as Krebs writes in a comment below the article: “I can’t even see how they could say yet with confidence that data wasn’t taken when they’re still focused on restoring service.”
In May, the FBI blamed the same North Korean group for two other malware families targeting U.S. media, aerospace, financial, and critical infrastructure sectors’ networks.
In a joint alert posted May 29, 2018, the FBI and U.S. Department of Homeland Security warned that Hidden Cobra was behind both Joanap and Brambul malware. These attacks have hit U.S. and global networks since 2009. The agencies said North Korea has been using Joanap and Brambul over the past nine years to steal and delete information and remotely control networks.