The Maryland Department of Transportation (MDOT), which operates one of the largest ports in the USA, was breached by a Russia-linked hacking group, with attackers posting personal data as proof.

MDOT was listed on the Rhysida ransomware gang’s dark web blog, which the gang uses to showcase and threaten its victims. The post supposedly includes screenshots of the stolen data, including what appear to be passports, IDs, background checks, and other information.

The attackers are demanding 30 bitcoin, which amounts to $3.3 million, to unlock the stolen data. Meanwhile, MDOT acknowledged dealing with a cyberattack via an incident notice on its website.

MDOT is a major organization that oversees the Maryland Transportation Authority, Maryland Transit Administration, Maryland Port Administration, State Highway Administration, Maryland Motor Vehicle Administration, and Maryland Aviation Administration.

What data did the attack expose?

Contrary to the attackers’ claims, MDOT says the attack only impacted “certain Maryland Transit Administration systems.” The Transit Administration operates a massive transportation system covering the Washington-Baltimore area, with over 67 million yearly commuters.

Meanwhile, MDOT claims it is investigating the attack together with law enforcement agencies and third-party cybersecurity experts.

“The investigation has, at this point, confirmed incident-related data loss,” reads MDOT’s message.

According to the note, MTA’s core services are operating normally, with some buses not providing real-time data. However, it’s unclear if MDOT is referring to the alleged Rhysida attack in this case.

We’ve reached out to MDOT for clarification and will update the article once we receive a reply.

Meanwhile, the Cybernews research team has investigated the attackers’ dark web post, concluding that the supposedly stolen data reveals identification documents, Social Security cards, and criminal background checks.

“Additionally, the samples include internal documents, mainly focusing on financial reports and budgeting – these documents are unlikely to contain any private information, as MDOT is already transparent about its budget and spending,” our researchers explained.

The team believes that the attack likely affected employee data, which could leave the affected individuals vulnerable to identity theft and Social Security fraud.

Who are the Rhysida ransomware gang?

The Russia-linked cybercartel has been operating since early 2023, making it a veteran operator among the ever-changing mix of ransomware cartels. Since its beginning, the gang has reportedly victimized over 220 organizations.

Security researchers at Barracuda noted that the group appears to be either from Russia or a country in the Commonwealth of Independent States (CIS), which includes former Soviet Union nations like Belarus, Kazakhstan, and others.

The Vice Society ransomware group has been linked to Rhysida through similar tactics, techniques, and procedures (TTPs) and by using Rhysida's ransomware as an affiliate, purportedly splitting a portion of its earnings with the gang.

In fall 2024, Rhysida also made headlines targeting the Seattle-Tacoma International Airport with a 100 BTC ransom demand after an attack that caused a weeks-long systemwide outage at the busy West Coast hub.

Other notable Rhysida victims include The Washington Times, the UK’s British Library, the Anne & Robert H. Lurie Children’s Hospital in Chicago, and the Prospect Medical Group network of US hospitals and healthcare facilities.