
Cyber Incident Victim: Flagship Group

Date:

Nov 2020

Location:

United Kingdom

Summary

Flagship Group, a British housing provider, experienced a ransomware attack attributed to the Sodinokibi/REvil gang, likely initiated through a phishing campaign. The incident compromised an on-premises data center, exposing personal data of staff and customers, though the attack was halted before further escalation. The organization engaged external cybersecurity experts, law enforcement, and national authorities while refraining from ransom negotiations. The attackers, known for data exfiltration and subsequent auctions of stolen information, did not receive payment, and regulatory bodies were notified of the breach. Operational disruptions occurred, but the full extent of data misuse remains unconfirmed.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On November 1, 2020, Flagship Group, a social housing provider based in Norwich, England, experienced a cyberattack that compromised its systems. The organization confirmed the incident was caused by the Sodinokibi ransomware, also known as REvil, which entered its infrastructure through a suspected phishing attack. The attack targeted Flagship's on-premises data center, leading to the encryption of systems and the compromise of personal data belonging to staff and customers. Flagship publicly disclosed the breach on November 5 via a statement on its partially disabled website, accompanied by an FAQ document detailing the incident's scope. The organization stated the attack was halted before it could fully propagate across its network, though specific technical containment measures were not disclosed. Flagship engaged a leading independent cybersecurity firm to investigate, alongside coordination with law enforcement and the UK's National Cyber Security Centre (NCSC). The company explicitly stated it did not communicate with the attackers and therefore had no knowledge of any ransom demand. The Information Commissioner's Office (ICO) was notified of the data breach in compliance with regulatory obligations.


The Sodinokibi/REvil ransomware gang, identified as the perpetrators, employed a double-extortion tactic involving both data encryption and exfiltration. This group was known to auction stolen data to other criminal entities if ransom demands were unmet, as demonstrated in prior incidents targeting other organizations. Flagship's compromised data included sensitive staff and customer information, though the exact volume or specific data types were not detailed in public statements. The attack disrupted Flagship's operational systems, necessitating the partial takedown of its public website during the response phase. No evidence suggested customer banking data was accessed, according to Flagship's communications. The organization maintained that its incident response partners contained the attack swiftly, but full restoration timelines and operational recovery details were not publicly disclosed. The breach illustrated REvil's continued use of phishing as an initial access vector; the compromised environment was on-premises infrastructure, though no specific vulnerability or post-compromise technique was publicly identified. Flagship's decision not to engage with the attackers aligned with broader advisories against paying ransoms, given REvil's documented history of re-extorting victims despite receiving payment. The incident remained under investigation by cybersecurity professionals and authorities at the time of reporting.

Sources

1 source (available to members)