Western Digital hackers spied on incident response, taunt firm

Extortion efforts continue...

Western Digital hackers spied on incident response, taunt firm

Western Digital’s hackers eavesdropped on incident responders discussing the attack according to new leaks, suggesting that they had sustained access to the $18 billion storage company’s systems even after the initial breach was discovered – and that the team in question may not have used out-of-band communications.

On April 3, Western Digital first disclosed a “network security incident”, pulling its consumer storage services offline in the wake of the incident. The ALPHV group, which has claimed responsibility for the attack, later claimed to reporters that they had stolen some 10 terabytes of data and source code among other assets.

The California-based company is one of the world's largest makers of computer storage drives.

The Western Digital hackers also claimed that they could legitimately sign files with the company's code-signing certificates; suggesting that the attack could potentially have escalated into a supply chain attack.

Security researcher Dominic Alvieri has been tracking the drip of leaks onto the cybercriminals’ Dark Web page as they continue to try and extort the company which appears to have been unwilling to pay a ransom.

https://twitter.com/AlvieriD/status/1652173436888784896

The apparent eavesdropping on post-incident communications, including video calls, by the Western Digital hackers, is a sharp reminder of the need to set up completely segmented “out-of-band” communications lines.

An alternate communication infrastructure that is absolutely separate from regular business communication infrastructure can potentially secure post-breach correspondence, especially by cyber incident teams and even function as an alternative channel for staff communications in the wake of an incident that shuts down email capabilities.

Alexandros Papadopoulos, Director, Incident Response at Secureworks emphasised the importance of incident response drills for companies, telling The Stack:  “You need to practise and operationalise your incident response plan. Otherwise, when something happens, the plan goes out the window, the team goes on gut feel and mistakes are made…you really don’t want to be testing your plan for the first time in a real-life emergency.”

For Western Digital this has been extremely disruptive to business as cloud operations did not return to normal nearly a fortnight post the breach. It has also impacted customer ability to access data on local drives that rely on the company’s MyCloud services.

This is the second damaging incident for Western Digital, after a June 2021 attack led to WD My Book Live and WD My Book Live DUO owners across the globe finding that all of their files on the e-reader had been deleted, and they could no longer log into the device via a browser or an app.

An unpatched remote code vulnerability was blamed for the attack.

Western Digital has not published any public updates since an initial April 3 statement on the attack.