Cyber Incident Victim: LineStar Integrity Services
Date: Apr 2021
Location: United States of America
Summary
A ransomware group known as Xing Team compromised LineStar Integrity Services, a pipeline technology and services provider, stealing approximately 70GB of internal data including emails, contracts, software code, and sensitive employee HR documents. The attackers leaked unredacted files on the dark web, posing risks of follow-on targeting of pipeline infrastructure through exposed operational or technical details, though the breach did not disrupt company or customer operations. Distributed Denial of Secrets (DDoSecrets) published a redacted subset of the data, withholding software vulnerabilities and personally identifiable information to mitigate harm. The victim engaged third-party IT experts and law enforcement, notifying employees of potential personal data exposure while disputing comparisons to other pipeline incidents. The incident highlighted broader concerns about ransomware groups indiscriminately targeting critical infrastructure sectors.
Description
In late April 2021, LineStar Integrity Services, a Houston-based provider of auditing, compliance, maintenance, and technology services to pipeline operators, experienced a ransomware attack by the group Xing Team. The attackers exfiltrated approximately 70 gigabytes of internal corporate data, including 73,500 emails, accounting records, contracts, software code repositories (19GB), and human resources documents containing employee driver’s licenses and Social Security cards (10GB). Xing Team subsequently leaked the stolen data on its dark web site, fulfilling its extortion threat after LineStar apparently declined to pay a ransom. The transparency collective Distributed Denial of Secrets (DDoSecrets) later republished 37GB of this data on its leak site, redacting software code and HR materials to mitigate potential exploitation risks, though unredacted files remained accessible elsewhere. Security researchers confirmed the authenticity of the leaked materials, which WIRED independently reviewed.

LineStar did not publicly disclose the breach until June 2021, when contacted by WIRED following DDoSecrets’ publication. The company’s CFO, Chris Boston, stated the attack targeted corporate data only, with no disruption to internal or customer operations. LineStar initiated response measures after the April incident, including employee notifications about potential personal data exposure, engagement of third-party IT forensic experts, and FBI involvement. Security analysts expressed concern that the leaked technical documents and contracts could facilitate follow-on attacks against LineStar’s pipeline industry clients by revealing network architectures, industrial control system details, or vendor relationships. Researchers identified Xing Team as a nascent ransomware group using rebranded Mount Locker malware, operating indiscriminately rather than targeting critical infrastructure specifically. The incident highlighted broader risks of ransomware data leaks enabling reconnaissance for spearphishing campaigns across interconnected supply chains, particularly within energy sectors already under scrutiny after Colonial Pipeline’s high-profile attack weeks earlier.
