Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month.
A subsidiary of the multinational conglomerate Tata Group, Tata Power is India’s largest integrated power company based in Mumbai.
In screenshots seen by BleepingComputer, Hive operators have posted data they claim to have stolen from Tata Power, indicating that the ransom negotiations failed.
Hive begins leaking data allegedly stolen from Tata Power
As of a few hours ago, operators behind the Hive ransomware group began leaking data allegedly stolen from Tata Power on their leak site.
Cybersecurity analyst and researcher Dominic Alvieri tweeted about the development and also tipped us off.
Another researcher, Rakesh Krishnan, shared screenshots of the stolen data, which appears to include Tata Power employees' personally identifiable information (PII), national ID (Aadhaar) card numbers, PAN (tax account) numbers, salary information, and more.
Additionally, the data dump contains engineering drawings, financial and banking records, and client information, Krishnan suggests.
Hive operators claim that they encrypted Tata Power’s data on October 3rd.
On Friday, October 14th, Tata Power disclosed a cyber attack on its "IT infrastructure impacting some of its IT systems" in a stock filing, without sharing any further information about the threat actor behind it.
“The Company has taken steps to retrieve and restore the systems. All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points,” stated Tata Power’s filing, signed by company secretary H.M. Mistry at the time.
Threat actors such as extortion and ransomware groups typically begin leaking or selling data stolen from a breached target once the target refuses to pay the ransom demand and subsequent negotiations fail.
Hive ransomware in review
The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June 2021.
The group is known to employ a diverse set of tactics, techniques, and procedures, which makes it difficult for organizations to defend against its attacks, as the FBI has previously stated.