A prolific Russia-linked ransomware gang has allegedly struck again. This time, it is claiming the Japanese supermarket chain Super Value Co. and leaking employee and financial data on the dark web.

Qilin, the Russia-related cybercriminal gang behind the alleged ransomware attack, has listed Japan-based retailer Super Value Co. as a victim on its leak site on the dark web.

Super Value Co. operates a network of hybrid retail complexes that combine supermarkets and home centers, as well as standalone food supermarkets, primarily in Saitama Prefecture and the Greater Tokyo area.

On its leak site, the gang posted samples of the allegedly stolen data. This is a common extortion technique in ransomware attacks: threat actors publish a portion of the data as a warning, pressuring the victim company to pay the ransom before the rest is leaked.

Among the data samples shared by the attackers are various internal documents in Japanese loaded with sensitive data, such as:

HR documents

Documents proving the transfer of security keys

Performance reports

Workplace accident report forms

Cash loss incident report forms

Payroll documents

Financial reports, including monthly store sales and profit-and-loss status

Logs of sales, product orders, and delivery notes

HR documents allegedly exposed the company’s employees’ personal and employment data, including:

Employee ID numbers

Full names

Full home addresses

Date of birth

Age

Sex

Hire date

Employment category (e.g., full-time/part-time)

Job title/role

Department/sales area or work location

Status and termination/retirement dates (for some rows)

Phone number

Job incidents data

Wages

Work schedule

It remains unclear whether the claims are legitimate and whether the data actually belongs to the Japanese retailer. Cybernews has contacted the company, but a response has not yet been received.

If the data proves to be legitimate, it could put the company and its employees at risk of fraud and identity theft.

“As for the company, these samples mainly reveal its operational details, which could expose business strategies to competitors,” Cybernews researchers said. “Also, as there was no contact information of employees themselves, social engineering attacks may not be targeted at the individuals, but more likely at the company,” our researchers added.

What is Qilin ransomware?

Qilin is a big name in the ransomware landscape. With links to Russia, the gang has been known to target hospitals and the manufacturing sector. The Qilin gang first appeared on the ransomware circuit in 2022, but its dark leak site claims it began operating in 2021.

With more than 88 victims listed since the beginning of September alone, Qilin has moved into the number one position as the most active ransomware gang of the past 12 months.

According to Cybernews' in-house surveillance tool, Ransomlooker, the gang has listed 947 victims since 2023.

The group just this month claimed to have breached Texas electric power cooperatives – San Bernard Electric and Karnes Electric – exposing sensitive financial documents. Just this week, Qilin claimed to have exfiltrated data from the large US pharmacy benefit manager, MedImpact.

The gang also claimed an attack on Volkswagen Group France, saying it had exfiltrated about 2,000 files and 150GB of data consisting of sensitive client, employee, and business information.

Previously, Qilin was said to be behind a cyberattack on Asahi Holdings, Japan’s largest brewer. The attack disrupted operations and caused a shortage of the country’s most popular beers, soft drinks, and cold teas.

In August, Nissan’s Creative Box design studio in Tokyo was attacked by the group, which claimed it had stolen 4TB of sensitive design data. The Japanese automaker giant has now confirmed a breach of its network in a public statement.

The gang also claims to be behind a breach of the California Golf Club of San Francisco, considered one of the nation’s most exclusive members-only golf clubs, and a favorite of Silicon Valley execs. The gang allegedly stole 10GB of its members' data.

The gang is also behind the infamous attack on NHS partner Synnovis Laboratories. The attack had devastating consequences, as hospitals were immediately forced to divert patients to other facilities and cancel over 10,000 appointments, elective procedures, and surgical operations, including all transplant surgeries, due to a lack of blood transfusions.

Recently, the notorious Russia-linked gang LockBit formed a coalition with the DragonForce and Qilin ransomware gangs. Experts believe that the alliance between LockBit, Qilin, and DragonForce could lead to improved tactics and an increased volume of attacks through shared resources.

Devastating attack on a South Korean telecom giant

Qilin has carved its name into this year’s hall of fame for devastating cyberattacks by claiming an attack on the South Korean telecommunications giant SK Telecom. The attackers claimed to have stolen 1TB of data.

After a public apology from SK Telecom CEO Yoo Young-sang, the company was forced to offer free SIM card replacements to all its customers, and said it would “continue to implement ‘double and triple’ safety measures until the concerns and worries of customers were resolved.”

To accommodate the swap, the company had to halt new sign-ups until it had changed SIM cards for those affected by the cyberattack.

