Hive ransomware gang starts leaking data allegedly stolen from Tata Power

The Hive ransomware gang, which claimed the responsibility for the Tata Power data breach, started leaking data.

On October 14, Tata Power, India’s largest power generation company, announced that was hit by a cyber attack. Threat actors hit the Information Technology (IT) infrastructure of the company.

The company confirmed that the security breach impacted “some of its IT systems.”

“The Tata Power Company Limited had a cyber attack on its IT infrastructure impacting some of its IT
systems. The Company has taken steps to retrieve and restore the systems.” the company wrote in a filing with the National Stock Exchange (NSE) of India.

“All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points.”

The electricity giant immediately started operations to respond to the incident and restore the impacted systems.

Now the ransomware gang Hive started leaking the alleged stolen files on its Tor leak site. The gang claims to have breached the corporate network on October 3rd, 2022.

Stolen data include contracts, financial and business documents, engineering projects, and employees’ personally identifiable information (PII), including Aadhar card numbers.

The Hive ransomware operation has been active since June 2021, it provides Ransomware-as-a-Service Hive and adopts a double-extortion model threatening to publish data stolen from the victims on their leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) has released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang. According to a report published by blockchain analytics company Chainalysis, the Hive ransomware is one of the top 10 ransomware strains by revenue in 2021. The group used a variety of attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.

In June, The Microsoft Threat Intelligence Center (MSTIC) researchers discovered the new variant, while analyzing a new technique used by the ransomware for dropping .key files.

The main difference between the new variant of the Hive ransomware and old ones is the programming language used by the operators. The old variants were written in Go language, while the new Hive variant is written in Rust.

Other ransomware families have migrated their code to Rust such as the BlackCat one which was the first. The porting to Rust language provides the following advantages:

• It offers memory, data type, and thread safety
• It has deep control over low-level resources
• It has a user-friendly syntax
• It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption
• It has a good variety of cryptographic libraries
• It’s relatively more difficult to reverse-engineer

The most important change in the latest Hive variant is the encryption mechanism it adopts. The new variant was first uploaded to VirusTotal on February 21, 2022, just a few days after a group of researchers from Kookmin University in South Korea shared details about research on how to decrypt data from systems infected with the Hive ransomware.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Tata Power)

[adrotate banner=”5″]

[adrotate banner=”13″]