Coca-Cola is investigating claims of a breach into its systems by hacking gang Stormous, which has published a statement online declaring it has infiltrated the soft drinks giant’s online infrastructure, lifting 161GB of data. Analysts have urged caution, saying the group has a reputation for making bogus statements.
Coca-Cola disclosed this week that it is investigating a possible breach by Stormous after the gang posted to its Telegram channel that it had broken into one of the organisation’s servers and managed to lift 161GB of data. Stormous is demanding 16 million bitcoin from Coca Cola for the data, while also apparently offering the data for sale on the dark web for $64,000.
“We are aware of this matter and are investigating to determine the validity of the claim,” said Coca-Cola communications vice president Scott Leith in response to the claims.
Coca-Cola data breach: what happened?
In its blog post, Stormous wrote that it had hacked Coca-Cola’s servers and acquired a large amount of data. It has not provided any details on the type of data, but has demanded that the company contact it to discuss returning the information in exchange for a fee.
The claim followed a poll that the gang had posted the week before, tantalising its followers with a choice of who it could breach. Coca-Cola won with 72% of the votes. “Since it was a vote on giant beverage company Coca-Cola we hacked some of their servers and went [sic] over 161GB,” Stormous wrote, adding that the group was opening a store on the dark web where it would be selling information from the Coca-Cola hack, as well as data stolen from other targets.
Last month, Stormous released a statement claiming to have lifted data from the network of the Ministry of Foreign Affairs of Ukraine, including phone numbers, emails, passwords, and card numbers from the ministry’s database. However this data was already widely available on the dark web, according to a report by security company SOCRadar.
What is Stormous?
Stormous first came to prominence in March with its alleged hack on Epic Games, the company behind Fortnite. It claimed it had discovered a vulnerability in the company’s internal network, where it stole nearly 200Gb of data, including the information of nearly 33 million users. But though it said it would leak the data onto the dark web, no information was forthcoming after the initial threats.
This behaviour makes security researchers sceptical about the Coca-Cola hack. “The history of this group is questionable at best,” says Etay Maor, senior director of security strategy at security company Cato Networks. “With the Ukrainian Ministry, the data was already out there and the one with Epic Games was never proved.”
This sort of hack is known as ‘scavenging’, continues Maor. “They wouldn’t be the first ones to do these kind of scavenger hunts where they take stuff that’s already out there,” he says.
This technique is not uncommon, adds Chris Morgan, senior cyber threat intelligence analysts at security company Digital Shadows. “Some researchers have suggested that many of their attacks are either a scam or the group is exaggerating their claims,” Morgan says. “This is not uncommon for cybercriminal groups, who often embellish the details of their activity in order to coerce victims into paying a ransom.”
Morgan adds that it’s possible Stormous has been engaging in scavenging, but that there is currently a lack of evidence to prove this.
Indeed, the gang’s reputation and the magnitude of their latest alleged victim means it is likely the Coca-Cola hack claims are false, argues Alan Liska, cybersecurity incident response team lead at Recorded Future: “There is a lot of scepticism around Stormous and this attack in particular,” he says. “In the grand scheme of things 161GB of data is not a lot for a group that supposedly had access to Coca Cola’s corporate network and was able to exfiltrate data unfettered.”
Liska says Stormous is known as “a bit of a clown show”, but warns: “That doesn’t mean they didn’t successfully pull off the attack, it is possible. But I think many researchers are going to need additional verification before taking this group at their word.”
Read more: Supply chain cyberattack on Ministry of Defence sees Army recruitment data stolen
