
Cyber Incident Victim: Sangoma Technologies

Date: Dec 2020

Location: Canada

Summary

A developer of the FreePBX phone system experienced a Conti ransomware attack resulting in the theft and online publication of over 26 GB of sensitive corporate data, including financial records, acquisition details, employee compensation information, and legal documents. The breach involved unauthorized access to internal servers but showed no evidence of compromise to customer accounts or product integrity. Conti, a ransomware operation linked to Ryuk and typically delivered via the TrickBot trojan, exfiltrated and leaked the confidential materials after gaining administrative access to the network. The incident prompted the affected organization to advise password changes as a precaution, despite confirming no direct impact on customer systems.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On December 24, 2020, Sangoma Technologies Corporation, a provider of VoIP hardware and software and developer of the FreePBX PBX phone system, disclosed a data breach following a Conti ransomware attack. The Conti ransomware gang had published over 26 GB of stolen data on its leak site the previous day, comprising sensitive internal company files. The leaked data included accounting records, financial documents, acquisition details, employee benefits and salary information, and legal documents. Sangoma confirmed the breach resulted from a ransomware attack on one of its servers, leading to the unauthorized publication of private and confidential corporate data. The company issued a public advisory acknowledging the incident but stated that no evidence indicated customer accounts or Sangoma software products were compromised during the attack. Despite concerns about supply chain compromise, a common worry in attacks against software developers, Sangoma's disclosure emphasized that no tampering with its products had been observed. The company advised customers to proactively change their Sangoma account passwords as a precautionary measure.


The Conti ransomware operation, first observed in late December 2019 and increasingly active from June 2020, carried out the attack using techniques associated with the Ryuk ransomware, with Conti typically distributed via the TrickBot trojan. Conti actors typically breach corporate networks, perform lateral movement, and escalate privileges to domain admin level before deploying ransomware. Sangoma's breach notification did not specify the date of initial network compromise, the duration of attacker presence, or the specific containment measures taken. The published data exposed internal corporate and employee information, but Sangoma did not quantify the number of affected individuals or provide details about operational disruptions. The company's advisory focused on confirming the scope of the data exposure while reiterating that the integrity of customer-facing systems and products remained intact. No further technical details about attack vectors, detection methods, or data recovery processes were disclosed in the available source material.

Sources: 1 source (available to members)