Ransomware Attack on Keystone Engineering by SpaceBears

Incident Date: August 2, 2024

Overview

Victim: Keystone Engineering

Attacker: SpaceBears

Location: Houston, Texas, USA

First Reported: August 2, 2024

Keystone Engineering, a family-owned business with over 65 years of experience in manufacturing and composite material fabrication for the oilfield industry, has fallen victim to a ransomware attack orchestrated by the cybercriminal group known as SpaceBears. Keystone, renowned for its reliable products since 1950, specializes in the production of formation measurement instrument assemblies for wireline, Measurement While Drilling (MWD), and Logging While Drilling (LWD), as well as high-temperature composite bridge plugs.

Company Overview

Keystone Engineering operates in the Energy, Utilities & Waste sector, primarily serving the oilfield industry. The company has established a strong reputation for producing high-strength and high-temperature composites tailored to customer design requirements. With facilities covering over 83,000 square feet and housing more than 100 machines, Keystone Engineering is capable of managing the complete manufacturing process, ensuring on-time delivery. The company emphasizes confidentiality and proprietary handling of all client drawings and products, offering versatile contract manufacturing services, prototyping, and repair services.

Attack Overview

The ransomware attack on Keystone Engineering has compromised critical data, including engineering drawings, financial documents, personal information of employees, and QuickBooks backups. SpaceBears, a newly emerged ransomware group, claimed the attack on its dark web leak site. This breach poses significant risks to Keystone's business continuity, potentially leading to data loss, financial implications, and reputational damage.

About SpaceBears

SpaceBears, first noted in April 2024, has targeted several prominent organizations, including Thinkadam, Fliesenstudio am Rhein, and Surewerx USA. The group operates a leak site titled "Space Bears" on an Onion URL and uses double extortion tactics, in which stolen data is used to extort victims in addition to encrypting their files. SpaceBears is associated with the Faust operator, an affiliate of the Phobos ransomware-as-a-service group, highlighting its sophistication and ties to established ransomware networks.

Penetration and Vulnerabilities

While specific details on how SpaceBears penetrated Keystone Engineering's systems are not disclosed, common vulnerabilities exploited by ransomware groups include outdated software, weak passwords, and lack of multi-factor authentication. Given Keystone's emphasis on confidentiality and proprietary handling, the breach underscores the importance of cybersecurity measures to protect sensitive data and maintain business integrity.
