Cyber Incident Victim: Our Sunday Visitor

Date:

Apr 2023

Location:

United States of America

Summary

Our Sunday Visitor, a Catholic publishing company, suffered a cyberattack by the data extortion group Karakurt. The group claimed to have stolen 130 gigabytes of sensitive data, which included accounting documents, HR information, employee data, financial contracts, and marketing materials. The organization discovered the suspicious activity, secured its systems, and launched an investigation with third-party experts while notifying law enforcement. Its servers remained fully operational throughout the incident.

Description

On or around April 29, 2023, the data extortion group Karakurt claimed an attack against Our Sunday Visitor, a Catholic publishing company. The organization, which began in 1912 as a parish news bulletin, had expanded into a publisher of newsletters, religious books, pamphlets, and a wide variety of other content for Catholics. Karakurt hackers claimed to have stolen 130 gigabytes of data from the company. The stolen information was alleged to include accounting documents, human resources information, employee data, financial contracts, invoices, and marketing information. The group listed the company on its data leak site the day after the attack was claimed, which was a Sunday.

Our Sunday Visitor's chief marketing officer, Jim Weigert, confirmed that the company had recently discovered suspicious activity within its network. Upon making this discovery, the organization immediately took steps to secure its systems and launch a comprehensive investigation into the incident. The company engaged third-party cybersecurity experts to assist with the investigation and response. Law enforcement agencies were also notified of the breach. Throughout this process, the company's servers remained fully operational, indicating that the incident did not involve a ransomware deployment that encrypted systems and disrupted services. Weigert declined to answer specific questions regarding whether the attackers had issued a ransom demand. He stated that the organization was committed to protecting the data entrusted to its care and that it would continue to update its protocols to remain in line with industry best practices for data security.

Karakurt is a cybercrime group known for operating as a pure data extortion operation. The group eschews the use of ransomware and instead relies solely on the theft and threat of publishing sensitive data to pressure victims into paying a ransom. In August 2022, the group attacked the International Centre for Migration Policy Development, an NGO operating migration services and research in over 90 countries. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department issued a joint warning in 2022 that Karakurt was extorting victims for ransoms ranging from $25,000 to $13 million in bitcoin.

Multiple cybersecurity firms have published analyses drawing concrete ties between Karakurt and the infrastructure previously used by the now-defunct Conti ransomware gang. Reports from companies including Infinitum IT and Advanced Intelligence detailed links between the two groups' operations. Following the public release of large troves of internal Conti documents and chat logs, researchers identified numerous connections, leading Advanced Intelligence to assess that Karakurt operates as a side business for the core group behind Conti. This allows the actors to monetize data stolen during intrusions in cases where the victim organization is able to successfully block the subsequent deployment of ransomware, preventing encryption. Blockchain analysis firm Chainalysis also previously identified several cryptocurrency wallets controlled by Karakurt that sent funds to wallets associated with Conti, providing a financial link between the two entities. The Conti group itself had a prior history of targeting religious institutions, including an attack on a church in Texas in 2021.

The incident involving Our Sunday Visitor was notable as part of a broader trend observed that weekend, where two established cybercrime groups simultaneously targeted religious institutions. On the Saturday prior to the Karakurt claim, the LockBit ransomware group added Relentless Church, an evangelical megachurch based in South Carolina, to its victim list. LockBit claimed to have stolen employee data including passports and financial documents. This coordinated timing by two separate groups signaled a foray into a new target arena for gangs that typically focus their operations on corporations and government agencies.

Several cybersecurity experts commented on the unusual nature of these attacks, noting that while some groups have occasionally banned affiliates for targeting organizations considered off-limits, such as hospitals or nonprofits, these rules are often ignored or applied arbitrarily. An Emsisoft ransomware expert stated that most ransomware groups or hackers do not have explicit rules against attacking religious organizations, and even if they did, their rules are primarily for public relations purposes and are routinely ignored. A Recorded Future ransomware expert noted that most groups likely avoid targeting individual churches for financial reasons rather than moral ones, as there typically is not much money to be extracted unless the target is a very large megachurch. The expert referenced a previous run of attacks on churches by the group known as Pysa, which listed five churches on its extortion site between February and November of 2021, including an attack on the Salvation Army.

The impact of the Karakurt attack on Our Sunday Visitor centered on the potential exposure of a significant volume of sensitive internal data. The claimed theft of 130 gigabytes of information encompassed a broad spectrum of corporate data, including employee personal information, financial records, and internal business communications. The publication of such data could lead to privacy violations for employees, financial fraud, and reputational damage to the publishing company. The organization's response focused on securing its systems, investigating the scope of the intrusion, and notifying the appropriate authorities. The full extent of any data exposure and whether any data was subsequently published by the threat actors was not publicly disclosed by the company following its initial statement.
