Acer has confirmed a 60GB data breach resulting from a cyber attack on its Indian offices - the second major breach to affect the global hardware and electronics company this year.
# Incident Report: Desorden Attack on Acer India and Subsequent Breaches
## Executive Summary
In October 2021, Acer India experienced a significant data breach attributed to the hacker group Desorden, coming only months after a $50 million ransomware attack on the company earlier that year. Desorden claimed access to 60GB of data, including sensitive customer and retailer credentials. Subsequent investigation indicated the attackers also targeted Acer's servers in Taiwan, Malaysia, and Indonesia, pointing to systemic weaknesses in Acer's security posture.
## Incident Details
- Discovery Date: October 13, 2021 (Reported by *Privacy Affairs*)
- Incident Date: Initial attack on Acer India servers occurred around October 5, 2021.
- Affected Organization: Acer (Specifically Acer India, with expansion to Taiwan, Malaysia, and Indonesia servers confirmed later).
- Sector: Hardware and Electronics Manufacturing
- Geography: India (Primary focus), Taiwan, Malaysia, Indonesia (Subsequent targets)
## Timeline of Events
### Initial Access
- **Date/Time:** On or around October 5, 2021
- **Vector:** Exploitation of undisclosed vulnerabilities on Acer India’s servers.
- **Details:** Attack executed by the Desorden hacker group.
### Lateral Movement
- **Date/Time:** Post October 5, 2021 (leading to escalation by October 16, 2021)
- **Details:** Desorden subsequently breached Acer’s Taiwan server and identified vulnerabilities on Malaysian and Indonesian servers, indicating potential broad network access or repeated access attempts leveraging identified weaknesses.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing until discovery/public disclosure.
- **Details:** 60GB of data compromised from Indian servers, including individual customer information, corporate customer data, financial data, and over 3,000 retailer/distributor login credentials. On the Taiwan server, employee details and potentially administrative panel hashes were exfiltrated. Desorden threatened to release several million customer records pending payment.
### Detection & Response
- **Date/Time:** October 13, 2021 (Initial Breach Reported) / October 16, 2021 (Taiwan breach reported).
- **Details:** Acer acknowledged the incident as an "isolated attack" and claimed security protocols were in place. Response actions were not detailed beyond this acknowledgment, suggesting potential underestimation of the scope.
## Attack Methodology
- **Initial Access:** Exploiting undisclosed vulnerabilities on Acer India's servers.
- **Persistence:** Not explicitly detailed, but the sustained ability to pivot to other geographic servers suggests established persistence mechanisms or successful reuse of initial access credentials/techniques.
- **Privilege Escalation:** The released sample cache included passwords for internal admin panels, indicating successful escalation to administrative access over internal systems.
- **Defense Evasion:** Not detailed, but the attackers operated long enough to steal significant data (60GB) and move across multiple geographic servers.
- **Credential Access:** Direct theft of login credentials for 3,000+ Acer retailers and distributors in India.
- **Discovery:** Implied local reconnaissance was performed to identify targets (employee data on Taiwan server).
- **Lateral Movement:** Successful transition to target Acer servers in Taiwan, identifying further vulnerabilities in Malaysia and Indonesia.
- **Collection:** Gathering sensitive files related to customers, financials, retailers, and employee details.
- **Exfiltration:** Data was exfiltrated, with a portion released as a "sneak peek" to pressure Acer into payment.
- **Impact:** Compromise of sensitive corporate, customer, and privileged access data.
## Impact Assessment
- **Financial:** Motive revealed as financial gain (extortion threat). Followed closely after a $50 million ransomware attack, increasing financial strain.
- **Data Breach:** 60GB of data compromised from India servers. Data included PII of over 10,000 individuals, corporate client data, financial data, and credentials for 3,000+ retailers/distributors.
- **Operational:** Disruption inferred from the need to investigate simultaneous breaches across multiple international servers.
- **Reputational:** Negative exposure due to being hit by a second major breach in the same year, leading Desorden to publicly criticize Acer's poor data security practices.
## Indicators of Compromise
*(Note: Specific IoCs are not provided in the source text, so general categories are listed based on threat actor activity.)*
- **Network indicators:** (None provided; potentially C2 domains associated with Desorden)
- **File indicators:** (None provided; sample cache of Taiwan data shared)
- **Behavioral indicators:** Unauthorized access to admin panels; repeated data collection across international assets following initial compromise (e.g., pivoting from India to Taiwan).
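The two behavioral indicators above can be turned into concrete detection logic. The following Python script is an added example, not part of the report or Acer's own tooling: it runs over a constructed admin-panel audit log (the log format, account names, regions and thresholds are all assumptions) and flags accounts that authenticate to admin panels in more than one region within a short window, as well as accounts whose export volume from a single region exceeds a threshold.

```python
# Detection logic for the behavioral indicators listed above. Added example:
# the log format, sample events and thresholds are constructed, not Acer telemetry.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed admin-panel audit log: timestamp account region event bytes_out
SAMPLE_LOG = """\
2021-10-05T02:11:00Z svc_retail IN admin_login 0
2021-10-05T02:30:00Z svc_retail IN file_export 21000000000
2021-10-05T03:05:00Z alice IN admin_login 0
2021-10-06T22:40:00Z svc_retail TW admin_login 0
2021-10-06T23:15:00Z svc_retail TW file_export 9000000000
2021-10-07T09:00:00Z bob MY admin_login 0
"""
WINDOW = timedelta(hours=48)     # max gap between logins in different regions (assumed)
EXPORT_THRESHOLD = 5 * 10**9     # bytes exported per account per region (assumed)

def parse(log_text):
    """Parse events into time-sorted (ts, account, region, event, bytes) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, account, region, event, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       account, region, event, int(nbytes)))
    return sorted(events)

def cross_region_admin_logins(events, window=WINDOW):
    """Accounts with admin_login events in two regions within `window` (India -> Taiwan pivot pattern)."""
    logins = defaultdict(list)
    for ts, account, region, event, _ in events:
        if event == "admin_login":
            logins[account].append((ts, region))
    flagged = set()
    for account, entries in logins.items():  # entries are already time-ordered
        for i, (t1, r1) in enumerate(entries):
            for t2, r2 in entries[i + 1:]:
                if r1 != r2 and t2 - t1 <= window:
                    flagged.add(account)
    return flagged

def bulk_exports(events, threshold=EXPORT_THRESHOLD):
    """(account, region) pairs whose cumulative file_export bytes exceed threshold."""
    totals = defaultdict(int)
    for _, account, region, event, nbytes in events:
        if event == "file_export":
            totals[(account, region)] += nbytes
    return {k: v for k, v in totals.items() if v > threshold}

def detect(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"cross_region": cross_region_admin_logins(events), "bulk_export": bulk_exports(events)}
```

On the sample log, `detect()` flags `svc_retail` for logging into admin panels in both IN and TW within 48 hours and for exceeding the export threshold in each region, while `alice` and `bob` stay clean.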
## Response Actions
- **Containment:** Acer acknowledged the incident and stated security protocols were being followed, implying internal isolation efforts began after the October 13 report.
- **Eradication:** Not detailed, but would require comprehensive password resets for all affected services and patch deployment based on the exploited vulnerabilities in India and Taiwan.
- **Recovery:** Not detailed, but involved restoring or securing systems across multiple international locations.
## Lessons Learned
- Acer exhibited systemic and recurring vulnerabilities across multiple international server environments, contradicting its claim of an "isolated attack."
- The proximity of this breach to the March 2021 ransomware incident suggests fundamental failures in prioritizing and implementing network security improvements.
- The threat actor used the breach to publicly criticize Acer’s data security practices as inadequate to prevent breaches.
## Recommendations
- Conduct an immediate, comprehensive, third-party security audit across all geographically disparate servers (India, Taiwan, Malaysia, Indonesia) to identify and remediate baseline configuration errors or unpatched vulnerabilities.
- Implement multi-factor authentication (MFA) universally, especially for retailer/distributor access paths and administrative panels.
- Review and enhance data segregation protocols between regional offices to prevent access gained in one region from leading to compromise in others.