
Cyber Incident Victim: UnitedLex

Date:

Apr 2023

Location:

United States of America

Summary

UnitedLex experienced a ransomware attack by the d0nut group, which exfiltrated approximately 200 GB of corporate files. The stolen data included confidential contracts, payment details, and personnel information from numerous global clients, potentially triggering breach notification laws. The threat actors engaged in negotiations with the company and subsequently began directly contacting its clients, including DXC Technology, to pressure payment. The incident response included engaging forensic experts and notifying the FBI.

Motives:

1 motive

Tactics, Techniques & Procedures:

2 techniques

Threat Actor:

1 actor

Description

On or around April 4, 2023, the d0nut ransomware team publicly disclosed a cyber incident involving UnitedLex, a firm providing legal and operational consulting services. The threat actors contacted a data breach notification blog to announce that they had exfiltrated over 200 gigabytes of corporate data from UnitedLex's network. According to the threat actors' statement, the compromised data included a wide array of confidential files, such as documents related to payments, contracts, and other sensitive details pertaining to numerous organizations and individuals. The d0nut team demonstrated their access by providing specific examples of the data they had reviewed, which included continuing agreement contracts between Computer Sciences Corporation and AMEX dating from 1992 with an extension until January 2027, complete with service fee information. They also identified merger documents between Hewlett Packard and DXC Technology, the latter formerly known as Computer Sciences Corporation.


The threat actors engaged in negotiations with UnitedLex's top management. During these discussions, the d0nut spokesperson claimed to have learned that a significant portion of UnitedLex's funds was held at Silicon Valley Bank and that the company possessed cybercrime insurance coverage. The initial ransom demand from d0nut was stated to be $5 million. However, the threat actors asserted that through negotiations they had offered to accept a payment of $600,000, which they described as significantly lower than the company's insurance limit. According to d0nut, UnitedLex refused to use its insurance coverage for the ransom payment, and the negotiations ultimately fell apart. The threat actors also reported that UnitedLex detected the intrusion on the third day of their presence within the network. Despite this detection, the attackers claimed they were able to lock some servers, though they did not specify the exact number affected.

UnitedLex provided an official statement confirming they had recently discovered suspicious activity on their network. The company stated that it immediately initiated its incident response protocols upon discovery. This response included engaging third-party forensic experts to assist in determining the nature and scope of the activity. UnitedLex also notified the Federal Bureau of Investigation (FBI) of the incident. The company asserted that its systems were fully operational and that it had maintained constant communication with its customers and employees regarding the incident and the ongoing investigation.

Following the breakdown of negotiations, the d0nut team escalated their tactics by directly contacting UnitedLex's clients. They began with DXC Technology (DXC.com), sending an email to the company that referenced DXC's own data protection statements under the California Consumer Privacy Act (CCPA). The email attempted to extort DXC by offering to protect its data for a fee, threatening that a lack of response would be interpreted as consent for the threat actors to freely process the data. To substantiate their claim, d0nut provided a sample file uploaded to a file-sharing site. This sample contained 35 files, primarily PDF documents and a few Excel spreadsheets, all purportedly related to DXC Technology and exfiltrated from UnitedLex's systems.

The scope of the data breach was significant due to the nature of UnitedLex's business, which involves handling sensitive client information. A review of the leaked files indicated they contained a substantial amount of confidential and proprietary information. The data was not limited to corporate documents; personnel-related files were also identified within the exfiltrated data. The presence of this personal information would likely trigger data breach notification obligations under various U.S. state laws and European Union data protection regulations. The geographic spread of the data was also notable, with the threat actors and initial analysis identifying files originating from or related to Australia, Brazil, China, India, Indonesia, Israel, and Korea, indicating the international impact of the incident. While many of the files examined were dated from 2017, other files were more recent, dating to 2021, suggesting the compromised data spanned several years.

In a further development, the UnitedLex incident appeared on the data leak site of the BlackCat ransomware group, also known as ALPHV. This prompted inquiries into whether the data being leaked by d0nut was the same dataset being promoted by the BlackCat group, suggesting a potential connection or overlap between the two threat actor groups or a possible re-victimization. The full extent of the data exposed and the complete list of affected clients and individuals remained undetermined at the time of the initial reports, with the investigation likely requiring substantial time for UnitedLex and its forensic partners to complete the analysis and provide notifications to all impacted parties. The company's public response focused on assuring stakeholders of its operational status and its commitment to investigating the incident with the help of external experts and law enforcement.
