July 25, 2022, updated 16 Aug 2022 1:39pm

A ‘top tier’ hacking gang is likely to be behind Entrust ransomware attack

The digital ID provider says customer data is safe, but investigations are ongoing to find out more.

By Claudia Glover

A “top tier” ransomware gang is likely to be behind an attack on digital identity provider Entrust, which provides services to tens of thousands of customers, an expert has told Tech Monitor. The company has confirmed an ongoing ransomware attack which has seen data from its internal systems stolen. The breach bears similarities to an attack earlier this year on another digital ID provider, Okta, and could have serious consequences.

Entrust technology is used by customers such as banks to establish the identity of people making online payments. (Photo by filadendron/iStock)

It was confirmed this weekend that Entrust suffered a ransomware attack, starting with unknown perpetrators stealing a cache of internal data. A screenshot, posted online, of a security notice sent to customers gave details of the breach, which began on June 18.

In a statement confirming the incident yesterday, Entrust added that it has “found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate, air-gapped environments from our internal systems,” but said it was working with a cybersecurity vendor and law enforcement agencies to investigate further. It is not clear if a ransom has been paid.

Entrust says it has more than 10,000 customers, mainly in banking and insurance, that use the company’s technology for “trusted identities, payments, and data protection”.

Tech Monitor has contacted Entrust for further information.

What are the implications of the Entrust ransomware attack?

Security analyst Soufiane Tahiri told Tech Monitor that the only thing known so far about the attack is that someone with access to an Entrust back-end has had their credentials stolen.

Though no group has taken responsibility for the attack, Yelisey Boguslavskiy, head of threat research at security company AdvIntel, says it is likely to be the work of highly skilled attackers. “From the initial evidence that AdvIntel has regarding the Entrust breach, the group behind it is a top-tier actor, most likely close and operationally identical to teams like Cl0p, BlackCat, and, most importantly, Evil Corp infiltration teams,” he says.

The consequences of the attack will depend on the type of data stolen. If the criminals have managed to access customer information, the attack could be as dangerous as the Okta breach, in which access to the company's authentication platform was obtained through a third-party customer support engineer and more than 300 customers were affected in a supply chain attack. That attack was the work of the prolific Lapsus$ hacking group.


In the case of Entrust, Boguslavskiy says the attacker is likely to have relied on a network of underground resellers to gain the stolen credentials, before working on ways to use the credentials to access Entrust’s systems. “They will use the same external and internal networks to make the maximum profit with maximum efficiency using the data they stole,” he says.

While customer data may be safe behind an air gap, some air gaps are safer than others, Boguslavskiy adds. “If the entirety of clients’ information was air-gapped, naturally, the actors could not access it,” he explains. “However, client information is often present beyond the air-gapped storages: via cloud services, local shares, and other operational resources that can be easily accessed during the network infiltration.”

The only thing customers can currently do is draft their responses in preparation for any further developments, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

“Organisations should prioritise establishing from Entrust their level of involvement in the incident, but also kick start their incident response procedures if the scale of the breach increases,” he says.
