The ALPHV/BlackCat ransomware gang claims it has accessed a trove of sensitive data, such as the ways tech giants deal with information requests from special services and the credentials of special agents. Casepoint says the incident was “limited in scope.”
Attackers suggest that a recent breach of the legal technology platform Casepoint gave them access to 2TB of sensitive information, including the ways that law enforcement interacts with tech companies like Google and Facebook’s parent company, Meta.
In late May, the Russia-linked ALPHV/BlackCat ransomware cartel allegedly breached Casepoint, which is used by the United States Courts, the Securities and Exchange Commission (SEC), and the Department of Defense (DoD). At the time, the company told Cybernews that it was investigating a “potential incident.”
“In this post we will tell you how intelligence services get information from Google and Meta,” a message on the BlackCat/ALPHV leak site, used to showcase its latest victims, said.
The attackers also mentioned they had access to the inner workings of products from Cellebrite, an Israel-based company specializing in digital forensics. Law enforcement agencies use Cellebrite’s tools, such as Universal Forensics Extraction Device (UFED), to extract data from mobile devices.
What is Casepoint saying?
Meanwhile, Casepoint downplayed the incident, saying it was limited in scope and affected only a small number of the company’s customers.
“Based on our investigation to date, we believe this incident was limited in scope and originated only from a transitory staging area used for a small subset of our customers,” Casepoint’s spokesperson told Cybernews.
The company also alluded to an ongoing incident investigation, suggesting that the cyberattack did not impact the part of its network that serves government agencies.
“We are confident – and the investigation by our forensic partners to date supports – that this issue did not affect the portion of our network that services our Department of Defense customers, FedRamp systems or our other core systems,” the spokesperson said.
Casepoint also gave assurances that the company does not “ingest classified information” from its clients. The company also stressed that the incident caused no downtime, that no data was encrypted, and that there was no operational disruption.
“We regret that this happened, but know that these are common occurrences in today’s business environment,” the company said.
What is Operation Blooming Onion?
The cybercriminals insist that they’ve accessed data about Operation Blooming Onion, a human trafficking investigation led by several US law enforcement agencies that revealed how agricultural organizations smuggle foreign workers to the US.
ALPHV/BlackCat claims they sifted through stolen data and discovered encrypted hard drives used by employees.
“However, the secure device was not being used securely, and Casepoint employees could leave the decrypted drive on a computer for days or even weeks,” they said.
The gang supposedly got their hands on extremely sensitive data, such as names of special agents and supervisors, together with photos of transactions related to Operation Blooming Onion.
We reached out to Casepoint to confirm if the company’s employees ever used encrypted hard drives for data transfers but did not receive a reply before publishing.
Casepoint is a popular legal technology firm used by legal departments, law firms, and public agencies to navigate through data. Users upload documents to Casepoint’s cloud database, where the input is processed for smoother analysis.
The company boasts many high-profile clients such as the US National Credit Union Administration (NCUA), hotel operator Marriott, German industrial giant ThyssenKrupp, academic medical center Mayo Clinic, railway operator BNSF Railway, and others.
What is ALPHV/BlackCat ransomware?
ALPHV/BlackCat ransomware was first observed in 2021. Like many others in the criminal underworld, the group operates a ransomware-as-a-service (RaaS) business, selling malware subscriptions to criminals. The gang was noted for its use of the Rust programming language.
The FBI believes that money launderers for the ALPHV/BlackCat cartel are linked to Darkside and Blackmatter ransomware cartels, indicating that the group has a well-established network of operatives in the RaaS business.
Lately, ALPHV/BlackCat has been among the most active ransomware gangs. According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.
The gang seems to be focused on professional service providers recently. In mid-May, the gang said it had breached Mazars Group, an international audit, accounting, and consulting firm.
Updated [on June 12, 07:10 AM GMT] with a statement from Casepoint.