Customers Lose All Data After Breach of Danish Cloud Service #ITCouldBeWorse

PK Tech Blog Image

It’s easy to miss the cybersecurity threats and attacks happening almost everywhere. At PK Tech, our goal is to educate and offer proactive steps for cybersecurity safety. It’s important to be aware – without being afraid – of the cybersecurity threats that are real threats for your business. PK Tech aims to be a leading educator and support tool in the world of cybersecurity. 

This month, we’re highlighting the Danish cloud host, CloudNordic, following a ransomware attack on its data center systems, including its backups.

What happened, what was the fallout, and why should you care? 

We’re covering it all here. Let’s dive in.

What the “Hack” Happened?

At the start of the attack, cybercriminals shut down all systems for the Denmark-based cloud company, CloudNordic (reference). This included website, email, and encrypted customer systems and websites. 

As a result, the hackers succeeded in encrypting all servers’ disks in addition to primary and secondary backup systems. This caused all machines to crash and CloudNordic customers to lose all stored data.

The Fallout

While it’s common for data to be exfiltrated or copied out during ransomware attacks, CloudNordic data surprisingly escaped this common fate. CloudNordic did report that customer data was scrambled during the attack, but there was no evidence of completely compromised data. 

CloudNordic could not identify precisely how the attack began, but it was exacerbated by moving infected systems from one data center to another. The second data center was wired to CloudNordic’s internal network, giving hackers access to manage all of their servers.

CloudNordic also reported having no funds to pay the hackers their unspecified ransom demand. They said they would not pay on principle even if they could.

Lessons Learned #ITCouldHaveBeenWorse

With the ransomware attack on CloudNordic, we learn the danger of putting all of your eggs in one basket. Not referring to the customers – but CloudNordic itself. 

While the exact genesis of the attack remains unknown, a definite accelerant was that CloudNordic’s data centers are all linked. Why does this matter?

When a ransomware gang gets access to one, they can then access everything. Yes, it’s as bad as it sounds. Each data center was wired to CloudNordic’s internal network, which they use to manage all of their servers – and store all of their customer data. Ouch. 

Even worse, CloudNordic was entirely unaware the infection had happened at any of their data centers, which raises questions about their proactive monitoring systems, to say the least. 

That said, it’s pretty amazing that attacks gained access to CloudNordic’s central administration systems AND their backup systems, yet no customer data was exfiltrated. At worst, it was just scrambled. We don’t see that often. Usually, ransomware and extortion groups make their primary goal to exfiltrate data to gain maximal leverage for a ransom payout.

In light of an unexpectedly positive outcome for CloudNordic customers, CloudNordic is working to rebuild customers’ web and email systems from scratch. While data is scrambled and missing, customers can rest a little easier knowing the ransomware gang didn’t exfiltrate it. 

As we always like to say, and in this case to CloudNordic customers – #ITCouldBeWorse.