Cyber Incident Victim: Brookfield Residential

Date: Aug 2020

Location: United States of America

Summary

Brookfield Residential, a North American real estate developer, suffered a ransomware attack by the DarkSide group involving unauthorized network access, data theft, and encryption of systems. The attackers initially misidentified the victim as its parent company, Brookfield Asset Management, on their leak site due to naming similarities, though the parent entity remained unaffected. Stolen employee data was later published online, suggesting no ransom was paid. The company contained the incident by restoring systems, implementing enhanced security measures, and notifying affected individuals while cooperating with authorities. DarkSide's operational tactics included lateral movement within networks and double extortion via data leaks.

Description

On or around August 10, 2020, the DarkSide ransomware operation breached Brookfield Residential, a North American land developer and home builder with $5.7 billion in assets. DarkSide, a newly emerged enterprise-targeting ransomware group, infiltrated Brookfield Residential's network using human-operated techniques that involved lateral movement across devices and theft of unencrypted data. The attackers compromised a Windows domain controller, enabling them to deploy ransomware across the network. As part of their double-extortion strategy, DarkSide exfiltrated sensitive data before encrypting systems and subsequently listed Brookfield Residential on their dedicated data leak site. Due to naming similarities between Brookfield Residential and its parent company, Brookfield Asset Management (a Canadian firm managing over $500 billion in assets), DarkSide erroneously labeled the victim as Brookfield Asset Management (brookfield.com) on their leak site. Brookfield Residential clarified that its network was isolated from the parent company, which remained unaffected. The attackers published stolen employee data on their leak site after a negotiation period expired, indicating no ransom was likely paid. While the exact ransom demand for Brookfield wasn't disclosed, contemporaneous DarkSide victims faced demands averaging $2 million.

Brookfield Residential detected unauthorized access to a limited subset of files and immediately initiated incident response protocols. The company restored affected systems from backups and implemented additional security measures to contain the breach. Brookfield notified law enforcement and regulatory authorities while conducting internal forensic analysis to determine the scope of compromised data. The investigation confirmed the breach primarily impacted employee information, with no evidence of customer or parent company data exposure. Brookfield Residential began direct notifications to affected employees following data exposure on DarkSide's leak site. The public release of stolen data confirmed operational disruption and reputational damage, though Brookfield maintained business continuity through system restoration efforts. DarkSide's operational timeline shows the group began attacks coinciding with Brookfield's breach window, making this among the earliest confirmed DarkSide incidents. No further encryption or data leaks involving Brookfield entities were reported following the initial containment.
