Deloitte responds to ransomware claims, says one client system involved

Deloitte responded to claims about a ransomware attack on Deloitte UK, saying its systems were not impacted and only one client’s system was involved.

In response to a post by the ransomware group Brain Cipher, which stated that more than one terabyte of compressed data was stolen from the professional services company, a Deloitte spokesperson told SC Media UK that “the allegations relate to a single client’s system which sits outside of the Deloitte network.”

Brain Cipher first posted its claims on its dark web leak site around Dec. 4, threatening to leak the alleged Deloitte data by Dec. 15, according to a screenshot posted by FalconFeeds.io.

The ransomware group’s post also claims it will expose “how the ‘elementary points’ of information security are not observed” by the company and criticizes the company’s “monitoring work,” while also making mention of a contract between Deloitte and a customer in relation to the attack.

Who is Brain Cipher?

Brain Cipher first appeared in early June 2024 and uses ransomware code based on LockBit 3.0, a version of LockBit that was leaked in September 2022, according to SentinelOne. The group tends to target critical infrastructure sectors, including healthcare, education, manufacturing, government and law enforcement.

The Brain Cipher gang is best known for a June 2024 attack on Indonesia’s National Data Center, which caused major disruptions to more than 200 Indonesian government agencies and public services at the national and regional levels, NBC News reported. The group reportedly demanded an $8 million ransom, which government officials refused to pay.

Attacks on dozens of French museums, including some used as venues for the Summer Olympics, in August 2024 were also claimed by Brain Cipher, which threatened to leak 300 GB of data from the attacks, The Register reported.

Ransomware attack downplayed or exaggerated?

Despite Brain Cipher listing Deloitte as its victim in the attack, Deloitte’s statement suggests a smaller impact than the leak site post would imply. When it comes to ransomware attacks, past examples have shown that while companies may downplay the impact of an incident, ransomware groups also have a tendency to make exaggerated and misleading claims.

Following a major disruption by law enforcement in February 2024, LockBit has been noted by researchers to have published outdated and exaggerated attack claims on its leak site, in an apparent attempt to feign resilience. In one case, LockBit attempted to extort federal authorities, claiming to have breached the Federal Reserve Board; however, it was later determined that the group had hacked the third-party banking-as-a-service provider Evolve Bank & Trust to obtain the claimed 33 TB of Federal Reserve data.

On the other side of the coin, there have been incidents where leaders at organizations affected by ransomware have downplayed attacks that turned out to have a greater impact than originally stated.

In August, City of Columbus officials originally stated that data stolen in a Rhysida ransomware attack was encrypted and unusable, a claim refuted by a local security researcher who was later sued by the city (the lawsuit has since been dropped). City officials later backtracked, confirming that personally identifiable information of 500,000 people was stolen, saying its previous statements were “conveyed in good faith based on what our team knew to be accurate at the time.”

The Brain Cipher incident is the second time this year that Deloitte has refuted claims related to a data breach; in September, the threat actor IntelBroker claimed to have stolen internal communications from the company, but Deloitte stated the incident posed no threat to any sensitive data, according to SecurityWeek.

Previous hacking claims made by IntelBroker this year have also been disputed by T-Mobile and Cisco. After IntelBroker claimed to have stolen T-Mobile source code and other data in a breach, T-Mobile called the claims “false” and said no systems or source code were compromised. Cisco also disputed claims about certain data IntelBroker alleges it exfiltrated after discovering a misconfigured public-facing DevHub portal last month.
