APT73 Strikes: Ransomware Attack on ServicePower

Incident Date: May 2, 2024

Overview

Title: APT73 Strikes: Ransomware Attack on ServicePower
Victim: Service Power
Attacker: APT73
Location: McLean, USA; Virginia, USA
First Reported: May 2, 2024

Ransomware Attack on ServicePower by APT73

Company Profile

ServicePower Technologies PLC, headquartered in McLean, Virginia, is a prominent player in the field service management software sector. As of 2024, the company employs 158 individuals and reported annual revenues of $18 million. ServicePower is distinguished by its innovative platform that adeptly manages both employed and contracted workforces, facilitating on-demand field service across diverse and challenging locations in North America and Europe.

The company's robust platform supports a wide array of industries including insurance, energy, retail, electronics, and building technology, making it a critical component in the operational efficiency of these sectors.

Details of the Attack

APT73, a nascent ransomware group, has claimed responsibility for the cyberattack on ServicePower. The attack involved the deployment of ransomware and led to the exfiltration of approximately 0.328 gigabytes of data. This data primarily consisted of user credentials and miscellaneous sensitive information. While the specifics of the ransom demand have not been disclosed, the breach has resulted in the leakage of some of this data on APT73's dark web leak site, ERALEIGNEWS.

APT73: An Emerging Cyber Threat

APT73 has shown a pattern of targeting organizations through sophisticated phishing schemes, aiming to compromise systems and deploy ransomware. The group operates a Tor-based data leak site and is known for its LockBit-style operational tactics. Despite its recent emergence, APT73 has quickly demonstrated its capability to execute significant breaches, as evidenced by the attack on ServicePower.

The group's infrastructure is hosted by M247 Europe SRL in Prague, Czechia, and utilizes AS9009, which is associated with various malicious activities. This suggests a level of sophistication in their operational infrastructure, despite their relatively new presence in the cyber threat landscape.

Vulnerabilities and Targeting

ServicePower's significant reliance on digital platforms to manage vast amounts of sensitive data likely made it an attractive target for APT73. The nature of the stolen data suggests that the attackers could have exploited weaknesses in the company's cybersecurity measures, possibly through phishing or the exploitation of unpatched vulnerabilities.
