Cyber Incident Victim: POSCO Engineering & Construction
Date: Mar 2023
Location: Viet Nam
Summary
POSCO Engineering & Construction, alongside affiliated firms PetroVietnam and Long Son Petrochemicals, experienced a data leak involving infrastructure and piping schematics, employee information, business registration documents, and contract agreements. The threat actor Kernelware publicly disclosed the breach on BreachForums, claiming to release the data freely, without ransom demands or prior victim notification. The actor's history included leaking datasets from other entities such as Acer Taiwan and Acronis, often citing boredom or minor motives, before announcing a temporary hiatus due to personal commitments. Because the three firms shared project documents, it was unclear whether the compromise originated from a single source or multiple systems.
Description
On March 14, 2023, a threat actor known as Kernelware published a data leak on BreachForums involving three Vietnamese firms: PetroVietnam, Long Son Petrochemicals, and POSCO Engineering & Construction. The leak included schematics for infrastructure and piping, business registration documents, employee information, and contract agreements. Files from the dump bore stamps indicating collaboration between the three entities on a shared project, though it remained unclear whether the data originated from one compromised server or multiple systems. Kernelware did not attempt to contact the affected companies or demand payment, stating the data was released freely with the intent to "humiliate" the organizations out of boredom. The actor declined to disclose the intrusion method when questioned but emphasized no extortion or sale of the data was involved. DataBreaches.net contacted PetroVietnam for comment but received no immediate response.

Kernelware had been active on BreachForums since August 2022, frequently leaking datasets without charge and occasionally offering databases for sale. In the weeks preceding the incident, the actor leaked data purportedly linked to Acer Taiwan, HDB Financial Services (initially misidentified as HDFC Bank), and Acronis. The Acronis leak triggered a public response from the company, which asserted the breach stemmed from compromised credentials of a single customer account used for diagnostic uploads, downplaying its significance. Kernelware acknowledged the Acronis data as "minor and not really interesting," framing the leak as an act of humiliation rather than strategic theft. Following the disclosure involving POSCO E&C and the other Vietnamese firms, the actor announced a temporary halt to leaks due to upcoming exams. No public statements or containment measures from POSCO E&C or PetroVietnam were documented at the time of reporting.
