The Toll Group cyber attack disclosed on May 5, 2020 resulted in a compromised corporate server and a leak of employee data. The ransomware operators stole 200 GB of data and leaked part of it publicly on the dark web. Toll Group had experienced a similar ransomware attack on February 3, 2020.
Toll Group ransomware attack in May 2020
On May 5, 2020 Toll Group disclosed a ransomware attack on its IT systems. The data breach leaked 200 GB of Toll Group data. Toll Group is a Japan Post Holdings subsidiary. The group operates in 50 countries with more than 1,200 locations and 40,000 employees.
1. Cyber attack impact on Toll’s business
Freight shipments were largely unaffected and parcel deliveries were running essentially to schedule under normal pick-up and delivery processes. However, parcel tracking and tracing through the MyToll portal remained offline. Toll prioritised the movement of essential items, including medical and healthcare supplies, in particular by running charter flights from China.
On May 7, 2020 Toll re-established external email into the company and email access for Toll employees. By May 11, 2020 there were still delays in some parts of the Toll network; however, freight shipments and parcel deliveries were moving by and large as normal. Toll call centres took bookings over the phone. Toll confirmed restoration of email access for the rest of its employees.
By May 29, 2020 Toll had restored its key online systems, including MyToll. Track and Trace became available for a number of services, and Toll uploaded historical data from backups. Toll also restored the disrupted CargoWise One access across its global network.
2. Toll response
Toll confirmed they had no intention of engaging with any ransom demands. They engaged the Australian Cyber Security Centre (ACSC) and Australian Federal Police (AFP) regarding the investigation and recovery process. Toll also contacted the customers impacted by the cyber attack.
Shortly after the data breach, Toll Group engaged the services of a leading provider of identity and cybersecurity solutions to provide support and data protection measures for the impacted people.
3. Data stolen from Toll
On May 12, 2020 Toll confirmed data theft following the targeted cyber attack. The attackers accessed at least one specific corporate server. The data on this server contains information relating to some past and present Toll employees in certain countries in which Toll operates, including Australia and New Zealand. In particular, the leaked information includes:
- residential address,
- age or birthdate,
- payroll information, including salary, superannuation and tax file number.
It also includes details of commercial agreements with some of Toll's current and former enterprise customers.
On May 20, 2020 the ransomware operators posted the first archive.
Thomas Knudsen, Toll Group managing director said cyber crime posed “an existential threat for organisations of all sizes, making it more important than ever for business, regulators and government to adopt a united effort in combatting the very real risk it presents the wider community”.
“We condemn in the strongest possible terms the actions of the perpetrators. This is a serious and regrettable situation and we apologise unreservedly to those affected. I can assure our customers and employees that we’re doing all we can to get to the bottom of the situation and put in place the actions to rectify it.”
Thomas Knudsen, Toll Group Managing Director
The information relates to some current and former employees. The incident does not affect all Toll employees and, based on current findings, casual staff are not impacted.
4. Threat actors behind the Toll cyber attack
Toll confirmed the cyber attack and the data breach involved the ransomware known as “Nefilim”. Nefilim operators gain entry through exposed Remote Desktop Protocol (RDP) connections to infiltrate the target system.
Nefilim uses AES-128 encryption to lock the victim’s files. The ransomware operators use double extortion: they demand a ransom to decrypt the files and also threaten to publish the stolen data online.
As noted by Bleeping Computer, Nefilim does not have a Ransomware-as-a-Service (RaaS) option and relies on email communication instead of Tor sites for collecting payment.
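The RDP entry vector described above is what a defender would watch for. As an added example (not from the article, Toll or the ransomware's authors), the Python check below runs over constructed Windows-style logon records and flags a burst of failed RDP logons followed by a success from the same source. Event IDs 4625/4624 and logon type 10 are real Windows values; the CSV layout, IP addresses, account names, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Toll data): "timestamp,event_id,logon_type,source_ip,account".
# Windows Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP session.
SAMPLE_LOG = """\
2020-04-20T02:00:01,4625,10,203.0.113.7,administrator
2020-04-20T02:00:02,4625,10,203.0.113.7,administrator
2020-04-20T02:00:03,4625,10,203.0.113.7,admin
2020-04-20T02:00:04,4625,10,203.0.113.7,toll.svc
2020-04-20T02:00:05,4625,10,203.0.113.7,backup
2020-04-20T02:00:06,4624,10,203.0.113.7,backup
2020-04-20T08:15:00,4625,10,198.51.100.4,j.smith
2020-04-20T08:15:30,4624,10,198.51.100.4,j.smith
2020-04-20T09:00:00,4624,2,10.0.0.5,k.lee
"""
FAIL, SUCCESS, RDP = 4625, 4624, 10

def parse_events(text):
    """Parse CSV-style records into (timestamp, event_id, logon_type, source_ip, account)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, acct = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, acct))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, failure_count) for each RDP success preceded by at
    least `threshold` failed RDP logons from the same source within `window`.
    The threshold and window are tuning assumptions, not values from the article."""
    failures = defaultdict(list)  # source_ip -> timestamps of failed RDP logons
    alerts = []
    for ts, eid, ltype, ip, acct in sorted(events):
        if ltype != RDP:
            continue  # console/network logons are out of scope for this check
        if eid == FAIL:
            failures[ip].append(ts)
        elif eid == SUCCESS:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((ip, acct, len(recent)))
            failures[ip].clear()  # a success ends the current burst
    return alerts

if __name__ == "__main__":
    for ip, acct, n in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {n} failed RDP logons from {ip}, then success as {acct}")
```

On the sample data only the 203.0.113.7 burst trips the alert; the single failure from 198.51.100.4 stays below the threshold.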
Toll Group ransomware attack in February 2020
On January 31, 2020 Toll Group experienced a similar ransomware attack involving the “Mailto” ransomware, also known as “NetWalker” or “Kazakavkovkiz”. Toll confirmed the cybersecurity incident and isolated and disabled “some systems in order to limit the spread of the attack”.
“We moved quickly to mitigate the potential impact and we’re undertaking a detailed investigation with a view to restoring all of the relevant systems as soon as possible.”
Toll Group
On February 6, 2020 the Australian Cyber Security Centre (ACSC) confirmed it was aware of the ransomware incident and specified that “Mailto belongs to the KoKo ransomware family”. It also provided recommendations for organisations. Mailto or NetWalker starts the encryption process immediately after infiltrating the system, unlike the Nefilim ransomware, which could take months before executing the final attack.
It took Toll a few months to fully restore its operations. Toll had to switch from automated deliveries to manual processes. It is reported that Toll could not tell customers, including Telstra, Optus and Officeworks, where their parcels were. Some Toll clients had to make new commercial agreements with Toll’s rivals.