Cyber Incident Victim: SiComputer
Date: May 2023
Location: Italy
Summary
The Italian company SiComputer was the victim of a cyber attack claimed by the 8Base gang, who posted evidence of the incident on their data leak site. The group, which describes itself as honest penetration testers, exfiltrated data and published it via a Mega link after the listed status for the victim changed to 'Expired'. The attackers stated their typical motive is to offer companies fair terms for data return, criticizing those who neglect data privacy.
Description
On or around May 23, 2023, the cybercriminal group known as 8Base publicly claimed responsibility for a cyberattack against the Italian company SiComputer. The group announced this attack by posting about it on their Data Leak Site (DLS), a platform commonly used by threat actors to publicize their victims and, often, to threaten or facilitate the release of stolen data. The group's post on the DLS included the tag "EXPIRED," a status indicator used by 8Base to signify that the data exfiltrated from the victim was already publicly available. Accompanying this status was a link to the file-sharing service Mega, through which the group had published the data taken from SiComputer.

The 8Base group presents itself with a distinct operational philosophy compared to other ransomware collectives. They publicly define themselves as "honest and simple pentesters," a claim that attempts to position their actions as a form of forced security testing rather than purely criminal extortion. Their stated rationale for attacks is to offer companies what they call "the fairest conditions for the return of their data." They justify targeting specific organizations by asserting that the victim companies had "neglected the privacy and importance of the data of their employees and clients." In their public communications, such as FAQs on their site, 8Base further distanced themselves from certain motivations, stating they are "not ultra radical and appreciate life, freedom, equal access to information, democracy and non-violent methods of communication." They also explicitly stated they are not involved in politics or religion.
The "EXPIRED" status applied to the SiComputer entry on the DLS carries a specific meaning within 8Base's operational framework. According to their published FAQ, this status indicates that all of the data stolen from the victim is already publicly available for download. This is in contrast to another status they use, "Evidence," which indicates the victim still has a final opportunity to avoid public data disclosure. For victims with the "Evidence" status, 8Base instructs them to contact their support team via a "Last chance Telegram Channel," undergo a Know Your Customer (KYC) process, and then receive further instructions. The group notes that this opportunity is time-sensitive and that the status can always change to "Divulged" or "EXPIRED" without further warning.
The public release of data on a platform like Mega signifies that the incident involved a double extortion tactic. Double extortion is a common technique in ransomware attacks where attackers first exfiltrate sensitive data from the victim's network before encrypting the files on the victim's systems. The attackers then have two points of leverage: they demand a ransom payment for the decryption key to restore access to the encrypted systems, and they simultaneously threaten to publish or sell the stolen confidential data unless a separate ransom is paid. The public release of SiComputer's data indicates that the extortion process reached its final stage, where the threat of disclosure was executed.
While the specific technical details of the initial breach into SiComputer's systems were not disclosed in the public claim, the modus operandi of groups like 8Base typically involves gaining access through methods such as phishing emails, exploiting vulnerabilities in internet-facing applications, or compromising remote access services like Remote Desktop Protocol (RDP). The article notes general best practices that are recommended to prevent such incidents, which indirectly suggests the possible vectors 8Base may have exploited. These include ensuring operating systems and software are patched, avoiding enabling macros from email attachments, not following unsolicited web links in emails, and never exposing RDP directly to the internet without the mediation of a VPN.
The immediate impact on SiComputer involved a significant compromise of its data integrity and confidentiality. The publication of company data on the internet represents a severe breach that can have lasting consequences. Exfiltrated and published data can include internal business documents, financial records, intellectual property, and, most critically, personal information belonging to both employees and clients. The exposure of such information can lead to secondary threats like targeted phishing campaigns against affected individuals, identity theft, financial fraud, and reputational damage that erodes customer and partner trust. Any concurrent encryption of systems would have caused significant disruption to business activities, potentially halting operations and leading to financial losses.
The public nature of the claim and the subsequent media reporting placed the incident firmly in the public domain, attracting attention from cybersecurity analysts and the wider industry. The news blog RedHotCyber reported on the incident, noting the claim made by 8Base and the status of the data release. As part of its reporting protocol, the publication extended an offer to SiComputer to provide a statement or updates on the situation, indicating a desire to include the victim's perspective in any subsequent coverage. This public scrutiny adds a layer of reputational pressure on the affected organization.
The response actions taken by SiComputer were not detailed in the available source material. Standard incident response procedures following a ransomware attack with confirmed data exfiltration typically involve engaging a professional incident response firm, conducting a forensic investigation to determine the scope of the breach, notifying relevant legal authorities and data protection regulators as required by law, and beginning the process of assessing the damage and restoring systems from backups if they are available and were isolated from the attack. The publication of the data likely negated any possibility of containing the data breach, shifting the response focus toward damage mitigation, legal compliance regarding data disclosure, and communication with affected parties. The article did not mention any negotiation or payment of a ransom, and the "EXPIRED" status suggests that if any communication occurred, it did not result in 8Base withholding the data from public release. The full technical scope of the attack, including the specific systems compromised and the total volume of data exfiltrated, was not publicly disclosed in the initial claim or the subsequent reporting.
