Cyber Incident Victim: HTC Global Services
Date: Nov 2023
Location: United States of America
Summary
HTC Global Services experienced a cybersecurity incident involving a ransomware attack by the ALPHV/BlackCat group, which led to the exfiltration and public leaking of sensitive data. The compromised information included passports, contact lists, emails, and confidential documents. The initial breach is suspected to have occurred through the exploitation of a Citrix Bleed vulnerability on a company device.
Description
On or around November 1, 2023, HTC Global Services experienced a cybersecurity incident. The company, an IT services and business consulting firm offering technology and business services to the healthcare, automotive, manufacturing, and financial industries, publicly acknowledged the event through a brief announcement posted on its official X account. The statement confirmed the cybersecurity incident and noted that the internal team was actively investigating and addressing the situation to ensure the security and integrity of user data. HTC stated it had enlisted cybersecurity experts and was working to resolve the incident, emphasizing that user trust was its priority. This public confirmation followed the appearance of HTC Global Services on the data leak site operated by the ALPHV ransomware gang, also known as BlackCat.

The ALPHV ransomware gang listed HTC on its extortion platform and published screenshots of data allegedly stolen from the company during the attack. The leaked data samples included various types of sensitive information, such as passports, contact lists, emails, and confidential documents. This public leaking of data by the threat actor indicated that the incident involved a breach of confidentiality and potential data theft. While HTC's initial statement did not provide specific details regarding the attack vector or the full scope of the compromise, external analysis from the cybersecurity community provided further insight into the potential cause of the breach.
According to cybersecurity professional Kevin Beaumont, the initial compromise of HTC Global Services' network was likely achieved through exploitation of the vulnerability known as Citrix Bleed, which affects Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway appliances. Beaumont's analysis indicated that a business unit within HTC, CareTech, was running a vulnerable NetScaler appliance that the threat actors exploited to gain initial access to the corporate network. This initial-access method has been widely exploited by numerous threat groups since the vulnerability's public disclosure and the release of proof-of-concept exploit code.
The ALPHV/BlackCat ransomware operation is a prominent ransomware-as-a-service group that first launched in November 2021. It is widely believed by security researchers to be a rebrand of earlier operations known as DarkSide and BlackMatter. The group, particularly in its prior incarnation as DarkSide, gained significant international notoriety after executing an attack on Colonial Pipeline, which led to substantial disruptions and intensified global law enforcement scrutiny. The group is known for consistently targeting large, global enterprises and for continuously adapting and refining its tactics to maximize impact and extortion payouts. The group employs a double-extortion model, stealing sensitive data before encrypting files and then threatening to publish the stolen data if a ransom is not paid.
The attack on HTC Global Services was part of a noted surge in activity by the ALPHV operation during this time period. The group's affiliates were responsible for several high-profile attacks on critical infrastructure and large corporations. In one contemporaneous incident, a group of English-speaking affiliates tracked as Scattered Spider, who worked with ALPHV, claimed responsibility for a major attack on MGM Resorts, which involved the encryption of over 100 ESXi hypervisors. Another ALPHV affiliate separately claimed to have stolen data from the financial automation company Tipalti. The group also recently attacked a publicly owned U.S. electricity provider and a hospital network, both classified as critical infrastructure. These attacks on critical infrastructure sectors were expected to lead to increased scrutiny from U.S. law enforcement agencies.
HTC Global Services' response involved an internal investigation and the engagement of external cybersecurity experts to assist in managing the incident and working towards its resolution. The company's primary stated focus was on ensuring the security and integrity of user data. The public confirmation of the attack came only after the ransomware gang had already listed the company and begun leaking samples of the stolen data, suggesting that the internal investigation was already under way before public disclosure. The full impact of the incident, including the exact number of individuals or clients affected and whether any systems were encrypted, was not detailed in the company's public statements. The confirmed consequences included the theft of sensitive company data, which was subsequently leaked online, potentially exposing personally identifiable information and confidential business documents. The reputational impact of the attack and the subsequent data leak was a significant concern for the managed service provider, whose business is built on client trust. The incident demonstrated the continued targeting of IT and managed service providers by sophisticated ransomware groups because of the access they can provide to the networks of their numerous clients across various industries.
