October 28, 2020

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems.

The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually.

Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security, KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware. That transaction included credentials to a Remote Desktop Protocol (RDP) account apparently set up by a Gunnebo Group employee who wished to access the company’s internal network remotely.

Five months later, Gunnebo disclosed it had suffered a cyber attack targeting its IT systems that forced the shutdown of internal servers. Nevertheless, the company said its quick reaction prevented the intruders from spreading the ransomware throughout its systems, and that the overall lasting impact from the incident was minimal.

Earlier this week, Swedish news agency Dagens Nyheter confirmed that hackers recently published online at least 38,000 documents stolen from Gunnebo’s network. Linus Larsson, the journalist who broke the story, says the hacked material was uploaded to a public server during the second half of September, and it is not known how many people may have gained access to it.

Larsson quotes Gunnebo CEO Stefan Syrén saying the company never considered paying the ransom the attackers demanded in exchange for not publishing its internal documents. What’s more, Syrén seemed to downplay the severity of the exposure.

“I understand that you can see drawings as sensitive, but we do not consider them as sensitive automatically,” the CEO reportedly said. “When it comes to cameras in a public environment, for example, half the point is that they should be visible, therefore a drawing with camera placements in itself is not very sensitive.”

It remains unclear whether the stolen RDP credentials were a factor in this incident. But the password to the Gunnebo RDP account — “password01” — suggests the security of its IT systems may have been lacking in other areas as well.

After this author posted a request for contact from Gunnebo on Twitter, KrebsOnSecurity heard from Rasmus Jansson, an account manager at Gunnebo who specializes in protecting client systems from electromagnetic pulse (EMP) attacks or disruption, short bursts of energy that can damage electrical equipment.

Jansson said he relayed the stolen credentials to the company’s IT specialists, but that he does not know what actions the company took in response. Reached by phone today, Jansson said he quit the company in August, right around the time Gunnebo disclosed the thwarted ransomware attack. He declined to comment on the particulars of the extortion incident.

Ransomware attackers often spend weeks or months inside of a target’s network before attempting to deploy malware across the network that encrypts servers and desktop systems unless and until a ransom demand is met.

That’s because gaining the initial foothold is rarely the difficult part of the attack. In fact, many ransomware groups now have such an embarrassment of riches in this regard that they’ve taken to hiring external penetration testers to carry out the grunt work of escalating that initial foothold into complete control over the victim’s network and any data backup systems — a process that can be hugely time-consuming.

But prior to launching their ransomware, it has become common practice for these extortionists to offload as much sensitive and proprietary data as possible. In some cases, this allows the intruders to profit even if their malware somehow fails to do its job. In other instances, victims are asked to pay two extortion demands: One for a digital key to unlock encrypted systems, and another in exchange for a promise not to publish, auction or otherwise trade any stolen data.

While it may seem ironic when a physical security firm ends up having all of its secrets published online, the reality is that some of the biggest targets of ransomware groups continue to be companies which may not consider cybersecurity or information systems as their primary concern or business — regardless of how much may be riding on that technology.

Indeed, companies that persist in viewing cyber and physical security as somehow separate seem to be among the favorite targets of ransomware actors. Last week, a Russian journalist published a video on YouTube claiming to be an interview with the cybercriminals behind the REvil/Sodinokibi ransomware strain, which is the handiwork of a particularly aggressive criminal group that’s been behind some of the biggest and most costly ransom attacks in recent years.

In the video, the REvil representative stated that the most desirable targets for the group were agriculture companies, manufacturers, insurance firms, and law firms. The REvil actor claimed that on average roughly one in three of its victims agrees to pay an extortion fee.

Mark Arena, CEO of cybersecurity threat intelligence firm Intel 471, said while it might be tempting to believe that firms which specialize in information security typically have better cybersecurity practices than physical security firms, few organizations have a deep understanding of their adversaries. Intel 471 has published an analysis of the video here.

Arena said this is a particularly acute shortcoming with many managed service providers (MSPs), companies that provide outsourced security services to hundreds or thousands of clients who might not otherwise be able to afford to hire cybersecurity professionals.

“The harsh and unfortunate reality is the security of a number of security companies is shit,” Arena said. “Most companies tend to have a lack of ongoing and up to date understanding of the threat actors they face.”

26 thoughts on “Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo”

  1. LunaticFringe

    At least the stolen schematics didn’t contain any nuclear power pl….oh wait…nm

  2. JCitizen

    Man! That is getting bad when you tell a company they’re hacked and they don’t even seem to listen, and even worse when they are a security related firm! I guess it is going to take slapping them around to wake them up! Unless I am misunderstanding the second paragraph in Brian’s article, that is!

  3. Henry Winokur

    The problem is that these days it doesn’t even surprise when a “security” company can’t even protect its own stuff. I wonder where their servers were located and who was managing them???

    I’ll bet that no one loses their job(s). 🙁

    All that can be said, I guess, is “again?”.

  4. Yuri

    Proves the same point over and over again – humans are the weakest link. So it has been, and so it will be. Trying to secure this vulnerability is such a lost battle, alas.

  5. Gary

    Using RDP is bad enough. RDP and a weak password is criminally inept.

    1. Bruce

      My first thought was, wait a minute! Who allows RDP access to the internal network and who allows the use of a password that weak! I chuckled at your comment because it’s true.

  6. Joe Foos

    Crazy to think some IT person could get away with setting up an RDP server connection with a horrible password.
    If the company had simply established some basic Active Directory best practice standards to prevent this kind of criminal negligence, the whole thing would have been prevented. Why don’t more companies recognize they can protect themselves from their own people’s bad decisions by creating policies to prevent accidental or uneducated security breach mistakes?
    We wrote a blog post about some basic AD best practice security standards we recommend, in case it helps:

    1. JCitizen

      Exactly Joe! I’ve been saying that on KOS for at least a couple of years. Even if they don’t have an IT team that knows anything about MCSE, they could buy the configurations for AD and the MMC from the company that took over CryptoPrevent. For anyone that wants to know, you can pick up on the history of this product on bleepingcomputer. When I was testing it with malware in my lab, I never found an attack package that could defeat the protection settings!! The last time I checked the price was very reasonable, and way cheaper than hiring a Microsoft Certified Software Engineer!

    2. Rob Lee

      Interesting cheat sheet, I would add utilising the Protected Users Security Group often overlooked as it “breaks” things but there’s a reason good security breaks things 🙂


  7. DelilahTheSober

    “But the password to the Gunnebo RDP account — “password01” — suggests the security of its IT systems may have been lacking in other areas as well”

    Seriously? I can’t create an account anywhere online and use a password that short and stupid. Most of my passwords contain vulgar and highly offensive language because I get so annoyed having to repeatedly choose a password that meets that system’s basic standards.

    I’m not sure if this policy comes directly from Microsoft, or if it’s an institutional-based policy, but at least once a week, if I want to look at my university email account inside Outlook, I have to accept a security passcode via text message before I can log into my account. If a tiny university that nobody in the world has ever heard of can figure this out, I just don’t understand why the head of security for a billion-dollar corporation couldn’t do a better job managing their own company’s security.

  8. Nobby Nobbs

    Should have listened!

    (How many IT issues fall into this category?)

    It should be said, though, that it is true a properly designed bank vault won’t have its security weakened by having its blueprints disclosed.*

    *c.f. LockpickingLawyer on youtube.

  9. Dennis

    Hey, at least the admin didn’t set up the monkey123 password, right?

  10. Brandon Thompson

    Next password. They’ll never get it.

  11. silly

    the data what you can really do with this data of this company???
    nothing really its worth zero im surprised they even paid for ransom like old times there was cards info stolen this you can do at least something ordering online goods and shopping…but some random pointless company data..?? cmon?? its worthless
    its silly story here why the hackers even bother with this pointless nonsense activities if there tons of better ways making money if you are hacker you can do a lot things to make good money without some pointless risks ja bs
    if you are good with computers..you can create website and do affiliate business no risk no stress now they have to look their shoulders when fbi or cia knocking their doors lol:D

    i really dont understand how the world is so silly and childish right now

  12. Dennis

    Does anyone know what was the major game developer that got compromised with REvil ransomware that that scumbag mentioned in the interview in Russian?

    1. We'll see

      I believe I read somewhere it was Ubi but it’s not widely public.

  13. bastard

    Let me be curious, where is the original leak proofs?

  14. Brooklynz

    3 Bank “Safe Boxes” in Austria got hacked with the leaked information the past weeks – nobody takes serious actions bcs its not really clear how they operated.

  15. Reynold Robert

    Fascinating cheat sheet, I would add using the Protected Users Security Group regularly disregarded as it “breaks” things yet there’s an explanation decent security breaks things

Comments are closed.