Date: Apr 2023

Location: India

Summary

The Medusa ransomware group breached the Gujarat Mineral Development Corporation's network, compromising administrator rights and exfiltrating several gigabytes of sensitive data. The gang demanded a $500,000 ransom to decrypt files and threatened to sell the information online. The stolen data included corporate client lists, tender documents, employee details, and internal reports. The victim organization isolated its core IT assets to contain the incident, which caused a temporary disruption to its lignite dispatch operations.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On April 1, 2023, the Gujarat Mineral Development Corporation (GMDC) experienced a significant cybersecurity incident involving a breach of its data network. The ransomware gang known as Medusa claimed responsibility for the attack. The group had first published details of the breach on March 23 on its dedicated leak site, the 'Medusa Blog', a platform well known within hacker networks. In that announcement, Medusa stated it was in possession of several gigabytes of sensitive data belonging to GMDC's office in Ahmedabad. A critical aspect of the intrusion was the compromise of the network's 'admin' account, which gave the attackers administrator rights and control over the system.


The attackers employed a double extortion model, a tactic noted by network security experts. Their primary threat was to publish the stolen data for sale on the dark web if their demands were not met. Medusa ransomware specifically demanded a payment of $500,000 from GMDC by the April 1 deadline in exchange for decrypting the organization's locked documents. To demonstrate the legitimacy of their claims and the severity of the breach, the group provided a sample 26-minute video. This video showcased the extensive categories of documents they had exfiltrated during the attack.

The scope of the compromised data was substantial and highly sensitive. The information accessed by the Medusa gang included lists of corporate business clients with whom GMDC conducts business, revealing its commercial partnerships. Maintenance contracts for a power plant were also among the stolen files. The breach impacted several tender documents that were in the process of being formulated, potentially affecting ongoing procurement and project initiatives. A critical infrastructure evaluation report conducted by Schneider Electric for GMDC was compromised. The attackers also obtained technical information such as the IP addresses of employees and their devices. Furthermore, a significant amount of personal employee information was stolen, including personal details and documents. The haul even contained pictures from an awareness drive and the personal documents of a network engineer. The gang allegedly gained access to Office365 users' emails and all attached documents, significantly widening the pool of potentially exposed information.

In response to the incident, GMDC managing director Roopwant Singh confirmed that an information security incident had occurred. The corporation immediately isolated its core IT assets as a primary containment measure. This action was taken to prevent the ransomware from spreading to other systems and to limit further unauthorized access or data exfiltration. GMDC initiated a detailed investigation into the matter and took appropriate remedial actions to address the breach and secure its network infrastructure. The immediate operational impact of the incident was confirmed to be a disruption in lignite dispatch, which was interrupted for a few days as a direct result of the cybersecurity event. To mitigate inconvenience to its registered clients, GMDC extended the allocation cycle to prevent the lapsing of payments during the system outage. The managing director stated that there was no loss of critical data, indicating that the company's response and recovery efforts were able to prevent permanent data destruction.

The Medusa ransomware group has been associated with malware families and botnets; according to security researchers, this particular iteration has been operating since at least 2021. Experts commenting on the case highlighted the evolving nature of such threats, noting that ransomware attacks have moved into what is described as a triple extortion phase. In this more aggressive phase, attackers not only encrypt data and threaten to publish it but also directly contact the clients or customers found in the stolen data lists. These third parties are then threatened with the public release of their information, which increases pressure on the original victim organization to pay the ransom. The incident at GMDC underscored the vulnerability of state government data networks to sophisticated cyber criminal activity.

Sources: 1 source (available to members)