Cyber Incident Victim: CompuCom Systems, Inc.
Date: Feb 2021
Location: United States of America
Summary
CompuCom, a managed service provider and subsidiary of The ODP Corporation, experienced a DarkSide ransomware attack causing service outages and prompting customers to disconnect from its network to contain the malware. The attackers deployed Cobalt Strike beacons to gain remote access, leading to data exfiltration and ransomware deployment. The company initially reported a malware incident without confirming ransomware; subsequent communications acknowledged the attack and indicated potential unauthorized access to unencrypted files prior to encryption. The breach disrupted customer portal functionality, preventing ticket submissions, though the firm asserted no evidence of malware spreading to client systems.
Description
CompuCom, a US-based managed service provider (MSP) and subsidiary of The ODP Corporation, experienced a significant cybersecurity incident on or around February 28, 2021, confirmed as a DarkSide ransomware attack. The breach caused service disruptions, including outages affecting CompuCom’s customer portal, which displayed generic error messages preventing clients from submitting troubleshooting tickets. Over the following weekend, the company proactively notified customers of a malware-related incident but initially withheld specifics regarding ransomware involvement or potential data compromise. CompuCom’s public statement emphasized no evidence of malware spreading to customer systems, though the incident prompted some clients to disconnect from the MSP’s network preemptively. Internal systems were compromised, with threat actors deploying ransomware payloads after establishing persistent access. The attack impacted operational continuity for CompuCom, which supports approximately 8,000 employees and serves high-profile clients such as Home Depot, Target, Citibank, Wells Fargo, Truist Bank, and Lowe’s.

Further details emerged through a customer-facing FAQ, revealing that attackers first infiltrated CompuCom’s network using Cobalt Strike beacons—tools enabling remote command-and-control—to facilitate lateral movement and data exfiltration. The ransomware was deployed on February 28, encrypting devices within CompuCom’s environment. DarkSide’s involvement suggested probable theft of unencrypted files prior to encryption, aligning with the group’s double-extortion tactics. CompuCom’s communications evolved from initially vague references to a “malware incident” to explicit acknowledgment of ransomware in the FAQ, though the company maintained no evidence of customer system compromises. The incident underscored risks inherent to MSP supply chains, given CompuCom’s role in providing remote support, hardware repairs, and software services to enterprise clients. Operational disruptions persisted during the initial response phase, with recovery efforts focused on restoring portal functionality and containing the attack’s propagation.
