Sando

Aliases: 2 aliases
Primary URL: sando[.]com[.]sg
Location: Singapore
Industry: Construction
Profile

Sando, also known as Multinational Construction Company Sando, operates as a construction firm headquartered in Singapore. The company engages in construction activities on an international scale, serving markets across multiple countries. Its multinational designation indicates a significant operational footprint extending beyond its Singapore base, likely involving large-scale infrastructure or building projects typical of major construction entities operating globally. The specific nature of its core products, services, or any specialised competencies beyond general construction is not detailed in the available information.

The organisation experienced a significant cybersecurity incident on August 23, 2022, involving a ransomware attack. Initially, the Hive ransomware group claimed responsibility for the attack and leaked a limited amount of stolen Sando data. Subsequently, a distinct extortion group identified as Donut Leaks published a substantially larger volume of data purportedly stolen from Sando. Donut Leaks operates Tor-based shaming blogs and data storage sites, utilizing File Browser software to expose compromised information. In this specific incident involving Sando, Donut Leaks released approximately 2.8 terabytes of data, which included information from Sando alongside data stolen from other victim organisations.

The involvement of Donut Leaks following Hive's initial claim suggests potential affiliations or collaborative data sharing between different cybercriminal groups. Analysis of the incident points to possible links between Donut Leaks and established ransomware operations such as Hive and Ragnar Locker. This pattern underscores the evolving threat landscape where stolen data can circulate among various threat actors employing different extortion tactics, even after an initial ransom demand might have been made or paid. The Sando incident serves as a clear example demonstrating that ransom payments do not guarantee prevention of further leaks or subsequent extortion demands by affiliated or separate criminal entities targeting the same victim organisation. The scale of the data leak highlights the severe impact ransomware and extortion attacks can have on multinational corporations.

Incidents
1 incident