Cyber Incident Victim: Coca-Cola
Date: Apr 2022
Location: United States of America
Summary
The Stormous ransomware gang claimed responsibility for breaching Coca-Cola, alleging theft of 161GB of data including administrative files, emails, passwords, and payment information, which they offered for sale on their dark web site for approximately $64,000 in Bitcoin. The victim initiated an investigation in collaboration with law enforcement, noting no confirmed operational impact at the time. Stormous had previously solicited target selection via a Telegram poll, reflecting an anti-Western stance aligned with pro-Russian geopolitical motives, though their credibility remained unverified due to a lack of substantiated prior breaches.
Description
On April 26, 2022, the Stormous ransomware gang publicly claimed responsibility for a cyberattack against the Coca-Cola Company, announcing the compromise of corporate servers and theft of approximately 161GB of data. The group disclosed the breach via its leak site and Telegram channel, revealing it had selected Coca-Cola as a target through a poll where followers voted on potential victims. Stormous advertised the stolen data for sale on a dark web marketplace, offering initial proof to prospective buyers and setting a ransom demand of 1.6467 Bitcoin (approximately $64,396.67). The gang categorized the files into 13 compressed archives containing administrative documents, email communications, password lists, account details, and payment information. Security analysts noted the unusually low ransom demand relative to Coca-Cola's corporate scale and highlighted Stormous's self-proclaimed alignment with Russian interests during the Ukraine invasion, mirroring the Conti ransomware group's geopolitical stance. The group's Tor leak site became inaccessible shortly after the announcement, though the cause remained unspecified.

Coca-Cola confirmed awareness of the breach claims on the same day, initiating an internal investigation while coordinating with law enforcement agencies. The company stated its probe had not yet identified operational disruptions or verified the legitimacy of Stormous's data theft assertions. Stormous framed the attack as retaliation against Western entities, referencing prior unverified claims of breaching Epic Games and exfiltrating 200GB of user data. Cybersecurity observers noted inconsistencies in the group's operations, as Stormous did not deploy ransomware payloads to encrypt files but instead operated as a pure data extortion entity. The incident marked Stormous's first public data sale attempt following its emergence during the Russia-Ukraine conflict, though the group's limited history and unsubstantiated prior claims cast uncertainty on the attack's full scope. Coca-Cola maintained no evidence of data misuse or system compromise throughout its investigation.
