On Thursday, ransomware gang Hunters International claimed to have stolen more than 5.2 million files from the London branch of the Industrial and Commercial Bank of China (ICBC).
The threat actors allegedly swiped 6.6 TB of the bank’s data after hacking their network, and threatened to publish all of it unless ICBC pays up by September 13th. Which was yesterday.
ICBC is the world’s largest bank by assets, and, almost a year ago, the US arm of ICBC was hit by ransomware that disrupted trading in the US treasury markets. LockBit told Reuters that the bank paid the ransom after that attack.
Comparitech researchers logged 127 ransomware attacks claimed by Hunters so far in 2024, but these haven’t been acknowledged by the targets.
I have two comments on this. Starting with Evan Dornbush, former NSA cybersecurity expert:
“Is there a more cost-effective way to fight ransomware?
“This is a timely reminder that organizations should continually question the effectiveness of their cybersecurity measures lest they too be caught in a vicious cycle of reactive spending while failing to address the root causes of these attacks.
“Simply throwing money at security solutions isn’t enough. This may be an ideal time for the industry to consider a shift in focus towards disrupting the economic model of ransomware attackers rather than dealing with the effects of their crimes.”
Next up is Ted Miracco, CEO, Approov:
“Privacy, security and possible culprit behind the attack:
- Privacy – Financial institutions are custodians of highly sensitive data, and a breach of this magnitude could result in heavy fines and penalties, as well as lawsuits from affected customers and businesses. If Hunters publishes ICBC’s data, it will lead to severe legal and compliance breaches, especially in regions with stringent financial and data privacy regulations, such as the EU’s GDPR or the UK’s Data Protection Act.
- Security – The attack by Hunters underscores the prevalence of ransomware-as-a-service (RaaS), where groups like this operate with increasing efficiency. The involvement of RaaS models lowers the bar for cybercriminals, enabling them to outsource sophisticated ransomware attacks and focus on large, lucrative targets such as banks. A key part of protecting financial data involves strengthening the security of mobile applications and APIs, which are often targeted as points of entry for ransomware attacks. However, organizations have demonstrated their capability to compromise even large and presumably secure institutions like ICBC, because API security vulnerabilities remain largely unaddressed.
- Culprit? – The fact that Hunters does not target Russian organizations suggests a potential association with Russia’s safe harbor policy for cybercriminals operating within its borders. This geopolitical dynamic is common with ransomware gangs, especially those with links to Russia, which often avoid targeting domestic organizations to stay under government protection. Ransomware attacks focused on extortion for financial gain are a hallmark of much Russia-based cybercrime.”
ICBC has paid ransoms before. And my feeling is that they will pay up this time around. That’s unfortunate as I believe that organizations should not pay ransoms under any circumstances because that only encourages threat actors to launch more attacks. Besides, that money would likely be better spent ensuring that they do not get pwned in the first place.


Fortinet Pwned Via Third-Party Attack
Posted in Commentary with tags Hacked on September 14, 2024 by itnerd
Fortinet has just disclosed that it has suffered a data breach after a threat actor gained unauthorized access to a third-party it used.
Initially, the data breach at Fortinet was detected on a hacking forum, with the threat actor claiming that their Azure SharePoint was leaked, with 440 GB of data. This is part of what the company said:
An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers.
Evan Dornbush, former NSA cybersecurity expert had this to say:
Modern business IT ecosystems are complex, relying on external providers and a hodgepodge of “shared responsibility” agreements as pertains to security. So long as the data is valuable, attackers will take interest.
This could become an interesting 8-K as the breach is Fortinet’s material event (as defined by the SEC) even if the customer data was stored on a third-party platform. As of the time of this writing how the access occurred has not been disclosed (at least I haven’t been able to find it).
Ted Miracco, CEO, Approov follows with this:
“Data centers are now as vital as power plants—meaning tighter security, more government oversight, and faster responses to cyber threats. Expect more scrutiny, but also more investment in the sector. This recognition highlights the critical role that data centers play in supporting the healthcare, finance, and broader public services sectors of the economy, particularly in light of growing cyber threats and the increasing reliance on digital infrastructure.
“Though good for security and investment, this could hamper innovation with over-regulation. It’s a necessary step, but bureaucratic hurdles could be an issue. Given that data centers house sensitive information, such as NHS patient records and financial data, their inclusion in CNI status means they will receive prioritized access to security resources like the National Cyber Security Centre (NCSC). This added layer of oversight and support can improve incident response, reduce downtime, and protect critical data during outages or attacks.
“The move should improve overall resilience against attacks, but unless the private sector steps up on security innovation, it may not stop the next big breach. Cybersecurity vendors, especially those providing robust API and cloud security solutions may see this development as an opportunity to expand into the CNI-protected sectors by offering more advanced security services tailored for data centers.”
Finally Stephen Gates, Principal Security SME, Horizon3.ai:
“As someone deeply motivated by security, I see this as a crucial step in safeguarding citizens, public and private sector organizations, and the nation as a whole. Today’s critical infrastructures—such as energy, water, and emergency services, and so on—already rely heavily on the continuous operation of the nation’s data centres.
“With these data centres now being classified similar to other critical infrastructure, they will likely be subject to the same regulations and directives designed to protect private data, ensure operational uptime, and demonstrate cyber resilience. Additionally, the need for continuous cyber risk assessments of these environments will be imperative to identifying cyber risks, mitigating emerging threats, and ensuring that these centres remain resilient against evolving cyberattacks.”
Clearly Fortinet are trying to minimize the scope of this as 440 GB doesn’t sound like a “limited number of files” to me. That likely means that this is pretty bad. And when the details finally appear, we won’t like the scope of this hack at all.