Cyber Incident Victim: SONDA

Date: Mar 2023

Location: Chile

Summary

The Chilean IT multinational SONDA was compromised in a cyberattack claimed by the Medusa group. The threat actors exfiltrated data, displaying proof including internal documents and identity cards from its operations in multiple countries on their leak site. The company detected malware in its systems and engaged Mandiant for assistance, stating that client services were segmented from internal networks. Medusa issued a ransom demand with a deadline for payment to prevent the release of the stolen data.

Description

On March 29, 2023, the Chilean multinational IT company SONDA detected malware within its systems. The company, which maintains a presence in eleven countries, subsequently identified the threat actor Medusa as the perpetrator of the intrusion. Medusa claimed responsibility for the attack and placed SONDA on its data leak site. As proof of their access, the threat actor displayed a collection of files exfiltrated from the company's various international operations. The evidence included an affidavit from SONDA's operations in Peru, invoices from the parent company, documents originating from SONDA Argentina, and identity cards. Following their established pattern with other victims, Medusa also produced a video demonstration showcasing the data they had successfully accessed and acquired.

A countdown timer was featured on the Medusa leak site listing for SONDA, indicating the company had until April 15 to respond to the attackers' demands. The threat actor presented distinct monetary options: a payment of $10,000.00 would add 24 hours to the countdown clock, while a payment of $2,000,000.00 would result in either the complete deletion of all the stolen data or the ability for SONDA to download the entire dataset themselves. This ultimatum created a time-sensitive situation for the company as it worked to assess the full scope of the incident.

In an official press statement issued on March 31, 2023, SONDA publicly confirmed it had detected the malware two days prior. The company's statement sought to reassure its clients by explaining that client services were architecturally segmented from its internal corporate networks, implying that customer operational systems may not have been directly impacted by the breach. As part of its incident response, SONDA engaged the cybersecurity firm Mandiant to assist with the investigation and remediation efforts. This press release was subsequently shared publicly on Twitter by a user with the handle @1ZRR4H, amplifying its reach.

Following the initial disclosure, external attempts were made to gather more specific details about the nature of the attack. On April 4 and April 5, inquiries were sent to SONDA via email. These questions sought to determine if the Medusa group had encrypted the company's files in addition to stealing them, if a formal ransom note had been received, whether the attack had any disruptive effect on the company's business operations, and if any form of negotiation with the threat actors was underway. SONDA did not provide a response to these direct questions.

Parallel inquiries were also directed to the Medusa threat actors themselves in an effort to obtain their perspective on the incident. Medusa declined to answer specific questions, replying only that they would provide a URL for the company in question and stating they had too many open cases at the time. Although Medusa indicated that a sample of the stolen data was available on their leak site as proof, attempts to download either the sample or a full list of the files were unsuccessful, as the links did not function at the time of testing. The exact volume and complete nature of the data exfiltrated from SONDA's systems therefore remained publicly unverified beyond the samples presented by the threat actor. The countdown timer on the leak site established a hard deadline of April 15 for any potential resolution or further action from the company.
