Full Report
A Brazilian citizen has been charged in the United States for allegedly threatening to release data stolen by hacking into a company's network in March 2020. Junior Barros De Oliveira, 29, of Curitiba, Brazil has been charged with four counts of extortionate threats involving information obtained from protected computers and four counts of threatening communications, the U.S. Department of
Analysis Summary
# Incident Report: Extortion Attempt Following Data Breach of Brazilian Subsidiary
## Executive Summary
A Brazilian national, Junior Barros De Oliveira, was charged in the US in connection with a data theft and subsequent extortion scheme targeting a Brazilian subsidiary of a New Jersey-based company. The attacker breached the subsidiary's network in March 2020, stole confidential data belonging to approximately 300,000 customers on at least three occasions, and later demanded payment in Bitcoin (300 BTC, roughly $3.2 million at the time) to keep the data from being released. The charges, four counts of extortionate threats involving information obtained from protected computers and four counts of threatening communications, followed the extortion attempts of September and October 2020.
## Incident Details
- **Discovery Date:** Unknown (Extortion attempts began September 2020)
- **Incident Date:** Initial breach occurred in March 2020; Extortion attempts spanned September and October 2020.
- **Affected Organization:** A Brazilian subsidiary of a New Jersey-based company.
- **Sector:** Not stated in the source. The only thing the article establishes is that the subsidiary held records on roughly 300,000 customers.
- **Geography:** Perpetrator located in Curitiba, Brazil; victim is a Brazilian subsidiary of a New Jersey-based company.
## Timeline of Events
### Initial Access
- **Date/Time:** March 2020
- **Vector:** Unauthorized access to the victim company's computers. The source does not describe how access was obtained.
- **Details:** The defendant (Junior Barros De Oliveira) gained unauthorized access to the subsidiary's network in March 2020.
### Repeated Access
- **Details:** The source does not describe lateral movement. It states that, following the initial breach, the attacker used his access to steal confidential customer information on at least three separate occasions.
### Data Exfiltration/Impact
- **Details:** Confidential customer information belonging to approximately 300,000 customers was stolen. The attacker threatened to release this data in September 2020.
### Detection & Response
- **How it was discovered:** Not stated in the source. The first documented point at which the company is known to have learned of the theft is the extortion email of September 2020.
- **Response actions taken:** The DOJ unsealed an indictment against the defendant, leading to criminal charges for extortionate threats and threatening communications.
## Attack Methodology
- **Initial Access:** Network intrusion (details of the specific method, e.g., vulnerability exploitation or credential stuffing, are not specified).
- **Persistence:** Implied, as the attacker exfiltrated data on "at least three occasions" following the initial breach in March 2020.
- **Privilege Escalation:** Not described in the source.
- **Defense Evasion:** Not detailed regarding technical evasion during the intrusion phase.
- **Credential Access:** Not detailed.
- **Discovery:** Not described, though the attacker evidently located the customer records.
- **Lateral Movement:** Not described in the source.
- **Collection:** Gathering confidential customer information from approximately 300,000 customers.
- **Exfiltration:** Uploading stolen data off the compromised network.
- **Impact:** Extortion and threats to publicly release stolen data.
## Impact Assessment
- **Financial:** Demand of 300 Bitcoin (approx. $3.2 million USD at the time of demand in September 2020). The attacker also offered "consulting services" for 75 Bitcoin (approx. $800,000 USD).
- **Data Breach:** Confidential customer information belonging to approximately 300,000 customers.
- **Operational:** Potential for severe operational disruption due to public data exposure if demands were not met.
- **Reputational:** Significant reputational damage stemming from the breach and from the public disclosure of the extortion attempt through the criminal case.
## Indicators of Compromise
*Note: The article does not provide specific technical IOCs, only behavioral ones.*
- **Network indicators:** Unknown (No IPs/URLs provided).
- **File indicators:** None provided.
- **Behavioral indicators:** Use of aliases in email communications; Demanding payment in Bitcoin; Offering follow-up "consulting" services for a fee post-initial threat.
## Response Actions
- **Containment measures:** Not specified in the source. A standard response to an extortion email that proves possession of internal data would include isolating the affected systems, preserving logs, and starting a forensic investigation.
- **Eradication steps:** Not specified in the source. They would normally include revoking the attacker's access (resetting credentials, rotating keys) and auditing for backdoors or persistence.
- **Recovery actions:** Not specified in the source. They would normally include notifying affected customers and regulators as required and hardening the network.
## Lessons Learned
- **Key takeaways:** Attackers can maintain access over extended periods (March to September 2020) for repeated data exfiltration. Extortion threats often follow data theft, sometimes coupled with misleading "consulting" offers.
- **What could have been done better:** Immediate detection of initial access in March 2020 and prompt auditing after the first exfiltration event could have mitigated the total data loss.
## Recommendations
- Implement continuous monitoring that detects unauthorized bulk access to customer data and its exfiltration, including when the theft is spread across several sessions or days, as it was here (at least three occasions).
- Review and enforce strict access controls and segmentation to limit the scope of compromise following initial access.
- Establish robust protocols for handling extortion attempts, involving legal counsel and law enforcement immediately.
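The first recommendation above, detecting repeated bulk reads of customer data spread over several sessions, is the kind of control that would have surfaced the March 2020 theft before the extortion email arrived. Below is an added example of one such detector. It is not code from the original report, the DOJ, or the victim company; the log format, the principal names, and the threshold values are assumptions chosen for illustration. Each principal's daily record count is compared with the median of that principal's own earlier days, so a service account that legitimately reads about a thousand rows a day is not flagged, while a day on which it pulls tens of thousands is. A second function then lists principals flagged on more than one day, which is the repeated-exfiltration pattern the report describes.

```python
"""Added example (not from the original report): a volume-based detector for
repeated bulk reads of customer records by one principal across sessions.
The log format, principal names and thresholds are constructed assumptions."""
import json
from collections import defaultdict
from statistics import median

# Constructed sample log, one JSON object per line: who read how many customer
# records in which session on which day. Hypothetical data, not from the case.
SAMPLE_LOG = """
{"day": "2020-03-02", "principal": "svc_report", "session": "s1", "records": 1200}
{"day": "2020-03-03", "principal": "svc_report", "session": "s2", "records": 1100}
{"day": "2020-03-04", "principal": "svc_report", "session": "s3", "records": 1300}
{"day": "2020-03-05", "principal": "svc_report", "session": "s4", "records": 1250}
{"day": "2020-03-09", "principal": "svc_report", "session": "s5", "records": 98000}
{"day": "2020-03-09", "principal": "svc_report", "session": "s6", "records": 2000}
{"day": "2020-03-10", "principal": "svc_report", "session": "s7", "records": 1180}
{"day": "2020-03-15", "principal": "svc_report", "session": "s8", "records": 105000}
{"day": "2020-03-02", "principal": "analyst1", "session": "a1", "records": 40}
{"day": "2020-03-09", "principal": "analyst1", "session": "a2", "records": 55}
"""

ABS_THRESHOLD = 50_000   # assumed policy: this many records in a day is always suspicious
RATIO = 10.0             # assumed policy: or 10x the principal's own prior daily median
MIN_BASELINE_DAYS = 3    # prior days needed before the ratio rule is trusted


def parse_log(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def daily_totals(events):
    """Return {principal: {day: [record_count, {session ids}]}}.

    Summing per day rather than per session is what catches a theft that is
    split across several sessions on the same day."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for e in events:
        bucket = totals[e["principal"]][e["day"]]
        bucket[0] += int(e["records"])
        bucket[1].add(e["session"])
    return totals


def detect_bulk_access(events):
    """Flag (principal, day) pairs whose record volume is anomalous.

    The limit is the tighter of the absolute threshold and RATIO times the
    median of the principal's earlier daily totals. Using the median keeps an
    earlier anomalous day from inflating the baseline for later days."""
    alerts = []
    for principal, days in daily_totals(events).items():
        history = []
        for day in sorted(days):
            records, sessions = days[day]
            limit = ABS_THRESHOLD
            if len(history) >= MIN_BASELINE_DAYS:
                limit = min(limit, RATIO * median(history))
            if records > limit:
                alerts.append({"principal": principal, "day": day,
                               "records": records, "sessions": sorted(sessions),
                               "limit": limit})
            history.append(records)
    return alerts


def repeat_offenders(alerts, min_days=2):
    """Principals flagged on at least min_days distinct days: the
    'stolen on at least three occasions' pattern from the report."""
    by_principal = defaultdict(set)
    for a in alerts:
        by_principal[a["principal"]].add(a["day"])
    return sorted(p for p, d in by_principal.items() if len(d) >= min_days)


if __name__ == "__main__":
    found = detect_bulk_access(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a['day']} {a['principal']} read {a['records']} records "
              f"in sessions {a['sessions']} (limit {a['limit']:.0f})")
    print("repeat offenders:", repeat_offenders(found))
```

Run stand-alone, the script flags svc_report on 2020-03-09 (two sessions totalling 100,000 records against a limit of 12,250) and again on 2020-03-15, and lists svc_report as a repeat offender. A real deployment would feed this from database audit logs or an API gateway rather than an embedded string, and would alert on the first flagged day rather than waiting for a second.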