
Cyber Incident Victim: ABX Express

Date: Sep 2021

Location: Malaysia

Summary

A cyberattack by the Desorden Group compromised a logistics subsidiary of Kerry Logistics, resulting in the theft of approximately 200 GB of sensitive data including tens of millions of customer records, financial information, corporate databases, and source code for applications and web services. The attackers infiltrated the victim's intranet via a front-facing server, deployed persistent access, and executed data exfiltration before wiping drives. The breach exposed personal data from e-commerce partners through shared supply chain systems and included over 15 million airway bill records containing sender and receiver details. Desorden attempted extortion, threatening to sell the data on black markets after receiving no response from the victim, and publicly listed a sample of stolen records. The parent company did not publicly acknowledge the incident during initial media outreach.

Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor

Description

On September 23, 2021, the Desorden Group claimed responsibility for a cyberattack against ABX Express Enterprise, a Malaysian subsidiary of Kerry Logistics. The threat actors asserted they breached ABX’s intranet servers through a front-facing server and maintained persistent access, in the manner of an APT, to exfiltrate over 200 gigabytes of data before wiping the compromised drives and leaving a breach notification on the servers. The stolen data reportedly included tens of millions of Malaysian customers’ personal information, with a specific airway bill database containing over 15 million records detailing both sender and receiver information. Additional compromised databases allegedly held financial records, corporate documents, and customer data from e-commerce partners such as Lazada and Shopee, whose shopper information was shared with ABX for delivery logistics. Desorden also stole source code files for ABX’s applications and individual web services. As proof, the group provided journalists with two files uploaded to a file-sharing service: one displaying directory structures from drives C, D, and E, and another containing a shipping order report. At the time of reporting, ABX’s website showed no maintenance notices, and attempts by journalists to contact ABX via email and web form were unsuccessful, with emails bouncing back as suspected spam.

Desorden Group publicly listed samples of the stolen data—including 100,000 airway bills—on a cybercrime forum, threatening to sell the full dataset on the black market if ABX failed to pay. The group identified itself as reformed associates of the Chaos collective, rebranding as “Chaos & Disorder” with a stated focus on disrupting supply chains and public services to amplify collateral damage. They claimed ABX had partially restored operations using backups for source code recovery but was still rebuilding databases. Kerry Logistics, ABX’s parent company, acknowledged but did not substantively respond to media inquiries about the breach by the time of initial reporting. Desorden emphasized that ABX had not engaged with their ransom demands or breach notifications, contrasting this with an ongoing negotiation involving an unnamed Italian automotive supply chain victim. The incident exposed sensitive customer data across multiple e-commerce platforms due to ABX’s logistics partnerships, though full operational and financial impacts remained unconfirmed by official sources.
