Tri-Star Display Hit by Cicada3301 Ransomware: 95GB Data Compromised

Incident Date: July 25, 2024

Overview

Victim: Tri-Star Display

Attacker: Cicada 3301

Location: Singapore, Singapore

First Reported: July 25, 2024

Ransomware Attack on Tri-Star Display by Cicada3301

Overview of Tri-Star Display

Tri-Star Display, established in 2009 as a subsidiary of the James King Group, specializes in the design and manufacturing of temporary fixtures and signage, primarily for luxury cosmetics brands. Over the years, the company has expanded its offerings to include event design, gaining recognition for its innovative approaches to commercial events and retail displays. The company operates in the Manufacturing sector and emphasizes strong communication, creative design, and high-quality workmanship.

Company Profile and Vulnerabilities

Tri-Star Display operates with a small team of 1 to 4 employees and generates annual revenue between $1M and $5M. The company’s core competencies lie in creating visually appealing and functional display solutions that enhance brand visibility and customer engagement. Despite its small size, Tri-Star Display has built a reputation for its commitment to quality and innovation. However, the limited size and resources of the company may contribute to vulnerabilities in its cybersecurity infrastructure, making it an attractive target for threat actors like Cicada3301.

Details of the Ransomware Attack

The ransomware group Cicada3301 has claimed responsibility for a recent attack on Tri-Star Display. The attackers have compromised 95GB of the company's data and have threatened to publish it if they are not contacted. The data is scheduled for publication on July 25, 2024, unless Tri-Star Display takes action. This attack highlights the growing trend of data exfiltration and sale, rather than traditional ransomware tactics.

About Cicada3301

Cicada3301 is a new threat actor group that emerged in June 2024. Unlike traditional ransomware groups, Cicada3301 operates as a data broker, focusing on stealing sensitive data from targeted organizations and selling it on dark web marketplaces. This approach signifies a shift from conventional ransomware tactics to more sustained and long-term damage strategies. Cicada3301 pressures organizations by threatening to release stolen data, although their main intent is to profit from selling the data.

Cicada 3301

To clarify, the name “Cicada 3301” was originally associated with an online puzzle that gained notoriety between 2012 and 2014. However, the name has since been appropriated by a separate and unrelated ransomware group, which has been the focus of recent reports, including ours.

Halcyon fully respects the legacy of the original “Cicada 3301” organization and recognizes their distinction from the activities of the ransomware group using the same name. Our reporting on the ransomware group is consistent with fair use, aiming to inform the public about cybersecurity threats. For those interested in the original “Cicada 3301” and their official stance on this matter, we encourage you to visit their statement here.

We appreciate your understanding as we strive to maintain clarity and accuracy in our reporting.

Penetration and Impact

Cicada3301's operations reflect several key characteristics common among modern data broker groups, including data theft and exfiltration, use of leak sites to pressure victims, and long-term damage through data exposure. The group likely penetrated Tri-Star Display's systems through vulnerabilities in their cybersecurity infrastructure, which may include outdated software, lack of multi-factor authentication, or insufficient employee training on phishing attacks. The exposure of sensitive data can lead to identity theft, corporate espionage, regulatory penalties, and loss of customer trust, making their attacks particularly harmful and enduring.
