Nokia Subsidiary Hit by Conti Ransomware Attack
Table of Contents
- By Dawna M. Roberts
- Published: Oct 27, 2021
- Last Updated: Mar 18, 2022
SAC Wireless is the latest victim of Conti ransomware and subsequent data breach. SAC Wireless is a U.S.-based Nokia subsidiary. In June, the company experienced a data breach following a ransomware attack which included encrypting all their data and exfiltrating information.
What Happened?
SAC Wireless is a Nokia-owned company in Chicago, Illinois who according to Bleeping Computer:
“works with telecom carriers, major tower owners, and original equipment manufacturers (OEMs) across the U.S. SAC Wireless helps customers design, build, and upgrade cellular networks, including 5G, 4G LTE, small cell and FirstNet.”
Upon realizing the attack, SAC Wireless enlisted the help of forensic experts to mitigate the damage and perform a thorough investigation.
The company discovered the attack only after their entire network was encrypted by Conti ransomware on June 16. During the attack, SAC Wireless’ investigation uncovered that the current and former employees’ personal information, along with their health plan dependents and beneficiaries, was taken. According to threat researchers, the specific information stolen includes “name, date of birth, contact information (such as a home address, email, and phone), government ID numbers (such as driver’s license, passport, or military ID), social security number, citizenship status, work information (such as title, salary, and evaluations), medical history, health insurance policy information, license plate numbers, digital signatures, certificates of marriage or birth, tax return information, and dependent/beneficiary names.” This type of information leaves the victims wide open for identity theft and other types of fraud.
In a data breach letter sent to the victims, SAC Wireless said,
“The threat actor, Conti, gained access to the SAC systems, uploaded files to its cloud storage, and then, on June 16, deployed ransomware to encrypt the files on SAC systems.”
What Did SAC Wireless Do?
According to Bleeping Computer, “In response to the ransomware attack, SAC has taken multiple measures to prevent future breaches, including:
- changed firewall rules,
- disconnected VPN connections,
- activated conditional access geo-location policies to limit non-U.S. access,
- provided additional employee training,
- deployed additional network and endpoint monitoring tools,
- expanded multi-factor authentication,
- and deployed additional threat-hunting and endpoint detection and response tools.”
Bleeping Computer contacted the company on August 12 for comment, but they never heard back from SAC Wireless about the incident. Nokia also declined to comment further about the attack.
However, the company did say publicly,
“SAC is aware of an incident, and we are currently investigating the matter,” the spokesperson said. “As we continue to assess the incident, we are in contact with relevant parties to recommend that appropriate safeguards and precautions may be taken.”
The Conti Side of Things
According to the Conti ransomware leak site, the hackers gained access to 250GB of data from the attack. They also mention that all of the data will be leaked shortly online if the company does not pay the ransom.
Threat experts theorize that the Conti gang is a Ransomware-as-a-Service (RaaS) group of Russian hackers, also known as Wizard Spider.
Bleeping Computer mentioned that,
“The gang has recently breached Ireland’s Health Service Executive (HSE) and Department of Health (DoH), asking the former to pay a $20 million ransom after encrypting its systems.”
The FBI has also warned companies that Conti ransomware is responsible for dozens of attacks on healthcare organizations and agencies that employ first responders.
However, on a positive note,
“Earlier this month, a disgruntled affiliate leaked the gang’s training materials, including information about one of its operators, a manual on deploying Cobalt Strike and mimikatz, as well as numerous help documents allegedly provided to affiliates when performing Conti attacks.”