
Cyber Incident Victim: Compass Communications

Date:

Dec 2024

Location:

New Zealand

Summary

The telecommunications provider Compass Communications experienced a ransomware attack by the RA World group, resulting in the theft of 250GB of sensitive data including financial records, customer information, HR files, and project details. The attackers leaked a sample of the data as proof of compromise. The company detected the breach recently, engaged external security experts, and notified relevant authorities, acknowledging potential customer data exposure and committing to direct notifications for affected individuals. RA World employs a customized variant of Babuk ransomware, exploits misconfigured internet-facing devices for initial access, and has been associated with credential theft and lateral movement within networks, with researchers suggesting possible ties to the Chinese-linked threat actor Bronze Starlight.


Description

On or around late November 2024, Compass Communications detected unauthorized access to its systems through security monitoring. The Auckland-based telecommunications provider engaged external security specialists and notified government authorities, including New Zealand’s Privacy Commissioner, following this discovery. The RA World ransomware gang subsequently listed Compass Communications on its darknet leak site by December 1, 2024, claiming responsibility for stealing 250 gigabytes of data. The compromised data included financial records, customer information, human resources documents, and details of ongoing company projects. RA World set a ransom deadline of January 1, 2025, though no specific ransom amount was disclosed. As proof of the breach, the threat actors published a 26.9-megabyte sample archive containing service agreements, financial statements, and customer banking details.


Compass Communications publicly confirmed the incident, stating that its investigation remained ongoing but that some customer data had likely been accessed. The company committed to notifying impacted customers directly to address risks and provide support, while declining to disclose technical specifics of the attack or the identities of the assisting organizations so as not to aid the attackers. RA World, active since at least April 2023, employed a customized variant of Babuk ransomware designed to keep encrypted devices functional so that victims can communicate with the group via the qTox messaging app. Security researchers identified the group’s initial access vector as the exploitation of misconfigured internet-facing devices, followed by credential theft and lateral movement within networks. Analysts from Palo Alto Networks’ Unit 42 noted potential links between RA World and the Chinese threat actor Bronze Starlight. Compass Communications, a New Zealand-owned provider of broadband and mobile services with over 100 employees, emphasized its focus on resolving the incident while maintaining the business operations it has run since 1995.
