REvil attacks Doosan Group
Incident Date: August 2, 2022
Overview
Title: REvil attacks Doosan Group
Victim: Doosan Group
Attacker: REvil
Location:
First Reported: August 2, 2022
Doosan Group Suffers Ransomware Attack
Company Profile
The Doosan Group, a South Korean multinational conglomerate, has been targeted by the REvil ransomware group. The company operates in the manufacturing sector, specializing in air compressor manufacturing, with a focus on efficiency and customer specifications. Doosan is a Fortune 500 company with a significant presence in South Korea, supporting critical infrastructure, including the nuclear energy sector. The company is also the corporate parent to Bobcat and Škoda Power.
Vulnerabilities and Impact
The attack on Doosan Group was part of a broader trend of ransomware attacks targeting the energy sector, including nuclear facilities and related organizations. The REvil group, active since 2019, is known for its ransomware-as-a-service (RaaS) operations. The attack resulted in the theft of over 1.6 TB of sensitive data from the company and its business partners, with the REvil group publishing multiple samples of the ransomed files to substantiate their claims.
Response and Mitigation
The Korean National Computer Emergency Response Team (KN-CERT) was notified of the attack on Doosan Group by Resecurity, which also gained exclusive access to the company's Active Directory listing. The initial intrusion is believed to have occurred around December 3, 2020. The REvil group's tactics include intermittent encryption, the use of modern specialized programming languages, and dual ransomware attacks involving more than one variant, designed to enhance their adaptability and evasion.
The REvil ransomware group's attack on Doosan Group underscores the increasing prevalence of ransomware attacks targeting the energy sector. Companies in the manufacturing sector, such as Doosan, must remain vigilant and implement robust cybersecurity measures to protect their sensitive data and critical infrastructure.
Sources
- FS-Elliott Compressor Manufacturer
- Resecurity: Ransomware Attacks against the Energy Sector on the Rise
- REvil - Wikipedia