Montreal’s tourism agency has acknowledged it was hit by a cyber attack early last month, one of a number of recent Canadian and American victim organizations claimed by the Karakurt hacking group.
“Tourisme Montréal can confirm that it became aware of a cybersecurity incident that we experienced on December 7th,” Francis Bouchard, the agency’s manager of corporate communications and public affairs, said in a statement on Tuesday.
“We immediately retained security experts to investigate this matter further and ensure the integrity and security of our systems.”
The investigation, which includes identifying what data may have been affected, is ongoing, he added. Employees and agency partners have been notified.
Bouchard wouldn’t say how the agency was compromised, whether the stolen data included personally identifiable information, or what the attacker was asking for.
Tourisme Montréal (known in English as Visit Montreal) represents 900 members, partners and tourism industry stakeholders to promote the city.
Bouchard’s statement comes after a hacking group called Karakurt listed Visit Montreal in a December 29th posting as one of 11 organizations allegedly recently compromised.
They include a Quebec construction firm, a Quebec-based bathroom designer, a Canadian First Nation, a Western Canadian data management firm, and a Western Canadian-based heavy equipment manufacturer. ITWorldCanada.com is attempting to verify those claims. Alleged victims in the U.S. include a credit union, a human resources firm, an asphalt manufacturer and a digital media company.
The Karakurt posting, dubbed its Winter Data Leak Digest, says “the data amount we have obtained is speaking for itself. Which means there is a big hole in IT department that allowed us to exfiltrate everything we wanted.”
According to Accenture, Karakurt is a financially motivated threat group that was first spotted last June and started ramping up attacks late in the third quarter. It claims to have hit over 40 victims across multiple industries between September and November alone.
Unlike most ransomware attacks that encrypt data, Accenture says Karakurt focuses solely on data exfiltration and extortion, threatening to release or sell stolen data unless it is paid.
While the gang varies its tactics depending on the victim, Accenture says it often uses a “living off the land” approach — meaning it takes advantage of tools and weaknesses in a victim’s IT environment — and often avoids the use of common post-exploitation tools like Cobalt Strike.
If the exfiltration-only model proves successful, Callow believes more gangs will adopt it this year, because it’s less risky than traditional encryption-based attacks. “They can still extort money, but likely perceive there to be less risk of attracting the attention of international law enforcement as their attacks will not disrupt the flow of oil or the provision of healthcare,” he said.