Stolen data from UK police has been posted on – then removed from – the dark web. Russian hacking group Cl0p launched a supply chain attack against IT services provider Dacoll, a company that handles access to the Police National Computer (PNC), a database containing information about millions of people.
After a ransom demand was refused, Cl0p posted the information, reportedly including close-up images of drivers recorded by ANPR cameras, from the breach on a dark web site. But this has since been removed, leading experts to suspect swift action has been taken against the gang, or that it may have had second thoughts about selling such sensitive information.
Police data stolen in supply chain attack
The attack, first reported yesterday, saw Scottish ITSP Dacoll’s systems infiltrated via a phishing link. It appears to be a supply chain attack, similar to those against Kaseya and SolarWinds. “The data was stolen from a company that was handling data on behalf of the police, who relied on that supplier to keep it safe and secure,” explains John Shier, senior security advisor at Sophos. “In our opinion, this fits the broader definition of a supply chain attack because it uses a third-party as a proxy to attack an organisation’s data or services.”
Supply chain attacks have spiked in popularity in the cybercrime world, alongside ransomware attacks, in the past year. According to a report released by software development platform Sonatype “cyberattacks against software supply chain targets exploiting weaknesses in open-source ecosystems have surged by 650% YOY in 2021.”
Cl0p posted a statement along with the data, indicating their annoyance at Dacoll for not cooperating with ransom negotiations: "There are certain times when even we get caught by surprise when a company is lack [sic] so much brain power to follow simple instruction," it said. "Instead of joining chat you email like sky is shaking then you decide to publish your secret chat on internet and make sure all media and their mommies join chat. Now the result of you incompetent IT and lack of brain cell result in you being famous."
Dacoll confirmed the attack in a statement to the Daily Mail, but declined to say how large the ransom demand was.
Where has the stolen police data gone?
The information stolen from Dacoll now appears to have completely vanished from the dark web. Recent searches conducted by cybersecurity company Digital Shadows indicate the data is not currently available for download. In a statement, the company's Photon Research Team notes: "At the time of writing, Dacoll's name no longer appears in the site header. Furthermore, a link to Dacoll's listing on Cl0p is currently offline. It is possible that Cl0p has observed the press coverage surrounding this and decided to revoke the possibility of viewing and downloading the files." It continues: "The sensitive nature of the data involved means the police and other law-enforcement agencies may have acted swiftly to curtail Cl0p's activities. The surest way to attract law enforcement's attention is to steal and leak law enforcement data."
Alternatively, the cybercriminals may not have understood the significance of the data they had stolen, Shier says. The fact it has since been taken down "could be an indication that the criminals operating Cl0p ransomware may not have realised what they had stolen and are looking to turn down the heat," he says, adding that another theory is that the gang sold the information quickly due to its sensitive nature.