Cameroon's CNPS Hit by SpaceBears Ransomware Exposing Data

Incident Date: September 12, 2024

Overview

Victim: CNPS Cameroon

Attacker: SpaceBears

Location: Yaoundé

First Reported: September 12, 2024

Ransomware Attack on CNPS Cameroon by SpaceBears

The National Social Insurance Fund of Cameroon (CNPS) has recently fallen victim to a significant ransomware attack orchestrated by the notorious hacking group SpaceBears. Despite CNPS's public denial of any breach, cybersecurity monitoring entities, including Ransomware.live, have confirmed the attack. The breach, which occurred on July 29, 2024, was discovered on September 12, 2024, putting millions of sensitive records at risk.

About CNPS Cameroon

Established in 1960, the Caisse Nationale de Prévoyance Sociale (CNPS) is a pivotal institution in Cameroon’s social security framework. It provides social security and welfare benefits to workers in the formal sector, ensuring protection against various social risks such as retirement, disability, illness, and death. CNPS is headquartered in Yaoundé and is recognized as the largest pension fund in the country, covering approximately 10% of the population. The organization has embraced digital transformation, launching online services to enhance client account management.

Attack Overview

SpaceBears compromised CNPS's data, including employee and employer contributions, social security beneficiary information, and insurance details. The exfiltrated data also reportedly includes financial documents, accounting reports, backups, customer databases, Huawei network structures, personal data of employees and citizens, insurance archived data, and future network modernization projects. SpaceBears has threatened to sell this data on the dark web if their ransom demands are not met.

About SpaceBears

SpaceBears is a ransomware group that emerged in early 2024, believed to be operating from Moscow, Russia. They are known for their unique approach to extortion, focusing on data brokering. SpaceBears primarily utilizes a Data Leak Site (DLS) to publish information about their victims, asserting that upon payment, they will remove the published data and provide decryption tools for any encrypted files. Their operations reflect the evolving landscape of cybercrime, where extortion tactics are becoming increasingly sophisticated.

Penetration and Vulnerabilities

While the exact method of penetration remains unclear, it is likely that SpaceBears exploited vulnerabilities in CNPS's digital infrastructure. The organization's recent digital transformation, while beneficial for client management, may have introduced security gaps that were exploited by the attackers. The use of external file-sharing services by SpaceBears indicates a strategic approach to data exfiltration, leveraging third-party platforms to avoid detection and complicate mitigation efforts.
