Cyber Incident Victim: CIS

Date: Jun 2023

Location: Japan

Summary

A cybersecurity incident involved unauthorized external access to a server and a ransomware infection that encrypted internal data. The attack resulted in the confirmed exfiltration of personal and corporate information held by the victim, CIS. In response, all servers and client devices were disconnected from internal and external networks to contain the breach. The full scope of the incident was not immediately determined, as the investigation was expected to require further time.

Description

On June 25, 2023, during the late-night hours Japan Standard Time, an incident was detected at Corporation CIS (CIS). The company confirmed that a portion of its servers had been encrypted, identifying the event as a ransomware attack. The organization immediately initiated an investigation to assess the damage and understand the scope of the compromise. This investigation revealed that the encryption was the result of a successful ransomware infection and that the systems had been subjected to unauthorized access from an external third party. By June 27, 2023, the ongoing investigation confirmed a significant secondary impact: data exfiltration had occurred. The company verified that some of its stored data, which included both personal information and corporate information, had been transferred externally, leading to a confirmed data breach alongside the ransomware encryption.

In direct response to the attack, Corporation CIS enacted extensive containment measures. All of the company's servers and client terminals were disconnected from both internal and external networks, and their use was completely halted. This action was taken to isolate the threat, prevent further lateral movement within the network, and stop any additional data loss. Despite this widespread internal network shutdown, the company's public-facing homepage and email systems remained operational and were not taken offline. This allowed for continued external communication while the internal investigation and recovery efforts proceeded.

The company formally disclosed the incident to the public on June 29, 2023. In its announcement, Corporation CIS issued a deep apology to its customers and related parties for the concern and inconvenience caused by the security breach. The disclosure confirmed the dual nature of the attack, encompassing both the ransomware encryption and the data leakage. To manage the incident response, a dedicated countermeasure headquarters was established. This team was tasked with the continuous work of understanding the full situation, investigating the extent of the impact, and leading recovery efforts.

Corporation CIS began the process of directly notifying affected customers and relevant organizations through its assigned personnel, proceeding with these communications sequentially. The company also stated that it was beginning to consider making reports and consulting with the police and other relevant authorities. At the time of the public announcement, the full scope of the damage had not been determined. The investigation into the complete extent of the data exposure and the specific timeline for full recovery was anticipated to require more time. The company stated that no impact had been confirmed at any of its group companies outside of the parent corporation itself. The primary focus remained on minimizing the ongoing inconvenience to all affected parties while continuing the detailed forensic investigation and restoration work. The public announcement directed general inquiries regarding the incident to a dedicated email address and provided a separate point of contact for members of the press.
