REvil Attacks Doosan Group
Doosan Group Suffers Ransomware Attack
Company Profile
The Doosan Group, a South Korean multinational conglomerate, has been targeted by the REvil ransomware group. The company operates in the manufacturing sector, specializing in air compressor manufacturing, with a focus on efficiency and customer specifications. Doosan is a Fortune 500 company with a significant presence in South Korea, supporting critical infrastructure, including the nuclear energy sector. The company is also the corporate parent of Bobcat and Škoda Power.
Vulnerabilities and Impact
The attack on Doosan Group was part of a broader trend of ransomware attacks targeting the energy sector, including nuclear facilities and related organizations. The REvil group, active since 2019, is known for its ransomware-as-a-service (RaaS) operations. The attack resulted in the theft of over 1.6 TB of sensitive data from the company and its business partners, and the REvil group published multiple samples of the ransomed files to substantiate its claims.
Response and Mitigation
The Korean National Computer Emergency Response Team (KN-CERT) was notified of the attack on Doosan Group by Resecurity, which also gained exclusive access to the company's Active Directory listing. The initial intrusion is believed to have occurred around December 3, 2020. The REvil group's tactics include intermittent encryption, the use of modern specialized programming languages, and dual ransomware attacks involving more than one variant, designed to enhance their adaptability and evasion.
The REvil ransomware group's attack on Doosan Group underscores the increasing prevalence of ransomware attacks targeting the energy sector. Companies in the manufacturing sector, such as Doosan, must remain vigilant and implement robust cybersecurity measures to protect their sensitive data and critical infrastructure.