Ransomware Attack on Kleven Construction by Hunters International

Incident Date: July 31, 2024


Overview

Title: Ransomware Attack on Kleven Construction by Hunters International

Victim: Kleven Construction

Attacker: Hunters International

Location: Tempe, Arizona, USA

First Reported: July 31, 2024


Kleven Construction Inc., a multifaceted construction company specializing in underground infrastructure services, has fallen victim to a ransomware attack by the notorious group Hunters International. The attack has resulted in the exfiltration of 124.5 GB of sensitive data, affecting various departments within the company.

About Kleven Construction

Kleven Construction operates primarily in the Alexandria area, offering a range of construction services including new home construction, remodels, and light commercial projects. The company is particularly noted for its expertise in directional drilling, a technique essential for installing underground utilities without disturbing the surface. This capability is crucial for laying fiber optic cables, which are vital for modern telecommunications. Kleven Construction manages the entire process of directional drilling, from initial design to final installation, ensuring high-quality service with minimal need for subcontracting.

In addition to directional drilling, Kleven Construction provides extensive fiber optic cable placement services, including route planning, mapping, installation, and testing. Their in-house team handles all aspects of fiber installation, ensuring projects are completed efficiently and to the highest standards. The company employs between 51 and 200 individuals and has a reported revenue range of $10 million to $50 million.

Attack Overview

The ransomware group Hunters International claims to have exfiltrated 124.5 GB of data from Kleven Construction, encompassing 191,587 files. The compromised data includes sensitive information from various departments. The accounting department's data, totaling 8.5 GB and 2,506 files, contains vital accountancy and economic activity records. The IT department's data, amounting to 342 GB and 32,477 files, includes critical information related to computer systems, software, programming languages, and data processing and storage. Additionally, the medical, healthcare, and insurance department's data, comprising 11 GB and 1,264 files, involves drug testing records, health insurance details, insurance certificates, and information from insurance agencies.

About Hunters International

Hunters International is a Ransomware-as-a-Service (RaaS) group that emerged in Q3 of 2023, shortly after the disruption of the Hive ransomware group. The group's ransomware code contains approximately 60% overlap with Hive ransomware, indicating a shared technical lineage. Hunters International focuses on exfiltrating target data and extorting victims with ransom demands in exchange for the return of the stolen data. The group has been detected targeting victims across various regions, including the US, UK, Germany, and Namibia.

Investigations have revealed potential ties to Nigeria through domain registrations and email addresses associated with the group. However, the group uses fake identities and deceptive methods to conceal its true origins. Hunters International's emergence shortly after the Hive ransomware disruption has led to speculation that it is a rebranded or offshoot version of Hive, although the group denies any affiliation.

Penetration and Impact

The exact method of penetration used by Hunters International to infiltrate Kleven Construction's systems remains unclear. However, the significant data breach poses substantial risks to the company's operations and the privacy of its stakeholders. The attack has resulted in financial losses and reputational damage, highlighting the persistent threat posed by ransomware groups.
