Cyber Incident Victim: Vhive
Date: Mar 2021
Location: Singapore
Summary
The ALTDOS threat group gained unauthorized access to the systems of a Singaporean retail furniture chain and employed a double extortion strategy. The compromise exposed over 300,000 customer records alongside transactional and payment documentation, though national identification numbers and financial data were reportedly unaffected. Following the initial network intrusion, the organization restored operations from backups but allegedly failed to address the critical vulnerabilities that had been exploited, enabling subsequent attacks in which source code was exfiltrated and server files were encrypted. The threat actors demonstrated proof of compromise through video evidence of directory access and redacted database records; the encryption was reportedly performed with AES-256 rather than a conventional ransomware payload.
Description
On March 21, 2021, threat actors from the ALTDOS group initiated a cyberattack against Vhive, a Singapore-based retail furniture chain, by compromising the company's public-facing website domain, vhive.com.sg. The attackers escalated their access on March 22 by breaching Vhive's private network server. Vhive responded by restoring its systems from backups on March 23, but ALTDOS claimed the company failed to address the critical vulnerabilities that had been exploited, enabling further intrusions. On March 25, the threat actors executed additional attacks, downloading source code and company files before encrypting all server files. ALTDOS described the encryption method as AES-256, consistent with their prior avoidance of conventional ransomware tools. The attack followed a double extortion model, combining data theft with system encryption. ALTDOS exfiltrated over 300,000 customer records from the "customer" table of the "systemv" database, alongside transaction and payment records. As evidence, they provided unredacted screen recordings and screenshots of directory listings and database tables, which media outlets later partially redacted to protect customer information.

Vhive publicly disclosed the incident on March 29, 2021, via its website and Facebook page, confirming unauthorized access but asserting that no NRIC numbers, financial information, or credit card data were compromised. The company did not specify detection methods or containment steps beyond the backup restoration. ALTDOS's actions exposed customer names, addresses, and mobile phone numbers, though no public data leaks or ransom demands were explicitly documented in available reports. The breach temporarily disrupted Vhive's operations, particularly between March 21 and 25, as the attackers repeatedly regained access after the initial restoration. No third-party forensic analysis or regulatory penalties were cited in the source material. Vhive's notification focused on assuring customers that highly sensitive data was not affected, while the attackers emphasized the scale of the exfiltrated records and the persistence of the network vulnerabilities.
