
Cyber Incident Victim: Sando

Date:

Aug 2022

Location:

United Kingdom

Summary

A ransomware attack targeted Sando, with Hive initially claiming responsibility and leaking limited data. Subsequently, a new extortion group named Donut Leaks published significantly more extensive stolen data from the victim alongside other companies. The group operates Tor-based shaming blogs and data storage sites, utilizing File Browser to expose approximately 2.8 TB of information across multiple victims. Donut Leaks' involvement suggests potential affiliations with established ransomware operations like Hive and Ragnar Locker, highlighting collaborative data sharing among threat actors. The incident underscores that ransom payments may not prevent further leaks or extortion demands, as stolen information circulates between groups employing varied extortion tactics.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

In late July 2022, multinational construction company Sando experienced a cyberattack claimed by the Hive ransomware operation. Hive released a limited archive of stolen files as purported evidence of their breach but did not immediately leak the full dataset. Approximately one month later, on or around August 23, 2022, Sando’s stolen data resurfaced on the leak site of a newly identified extortion group called Donut Leaks. This group hosted significantly more extensive data from Sando than Hive had previously disclosed, indicating broader unauthorized access to Sando’s systems. Donut Leaks utilized a dual-platform extortion approach: a Tor-based shaming blog listing victim companies and a separate data storage server running File Browser software that allowed public browsing and downloading of stolen files. The group emailed direct links to these sites to Sando’s business partners and employees, amplifying reputational pressure.


The incident formed part of a broader pattern involving Donut Leaks, which simultaneously hosted data from at least nine other victims, totaling approximately 2.8 terabytes of leaked information. While only five victims, including Sando, were listed on the shaming blog, the storage server contained data from ten organizations. Donut Leaks’ tactics diverged from those of typical ransomware groups by focusing on data exfiltration and public shaming rather than deploying encryption-based ransomware, though Donut Leaks’ exact role in the intrusions remained unclear. Sheppard Robson, another victim, confirmed experiencing a ransomware attack, suggesting potential collaboration between Donut Leaks and established ransomware operations like Hive or Ragnar Locker. The reuse of Sando’s stolen data across multiple extortion platforms demonstrated the proliferation of secondary data leaks, where paying one group provided no guarantee against subsequent exposure by others. Sando did not publicly disclose whether it received or responded to ransom demands, nor did it detail containment measures taken following the breach.

Sources

1 source (available to members)