By now, there has been a lot of buzz about some claims made by RansomedVC on their leak site and on their Telegram channel.
In their post this afternoon, RansomedVC claimed that (1) Rob Lee of Dragos somehow cheated someone called “fooble,” and that, as a result, (2) RansomedVC was going to leak files that Lee had allegedly bought in order to woo Colonial Pipeline away from Accenture and over to Dragos.
(Is your head spinning already? Sit down, because (3) will be even worse). On their Telegram channel, RansomedVC claimed that, “We have successfully taken control of the systems of colonial pipeline.”
So if you’re keeping score, Rob Lee, the CEO of Dragos, is allegedly a cheating threat actor, files were being leaked in revenge for him cheating “fooble,” and Colonial Pipeline’s systems are under RansomedVC’s control.
None of it appears to be true. DataBreaches followed up by asking RansomedVC and an associate numerous questions. In the course of answering those questions, some of their earlier claims were withdrawn and others were clarified.
Let’s start with their claim that Robert Lee of Dragos cheated “fooble.” When DataBreaches asked how he allegedly cheated fooble, RansomedVC’s spokesperson answered, “Rob Lee randomly stopped doing business with him and stopped communicating with us, but he was still working with other IABs.” DataBreaches followed up by pointing out that having “stopped doing business” with someone is not the same as cheating them, and that this sounded like spite over lost business rather than an actual case of being cheated (assuming Lee was ever doing business with them to begin with, and DataBreaches has seen no proof of that). RansomedVC’s only answer was, “he was meant to pay for other files that were discussed e.g. Socalgas,” and “we agreed prices too.” That still would not be “cheating” in DataBreaches’ dictionary.
And if you’re confused as to how any of that relates to Colonial Pipeline being hacked or its systems being taken over by RansomedVC, well, so was DataBreaches, and we put the question to RansomedVC: “Who got hacked? Colonial Pipeline, Dragos, or Accenture? And if this wasn’t a hack, what was it?” RansomedVC answered, “Accenture (was hacked), but Rob (Lee) bought the files as leverage to poach Colonial Pipeline from Accenture.” In response to a follow-up query, the spokesperson claimed that Accenture had been hacked within the past few days and that access was acquired by phishing logins. “Fooble had Accenture creds to Mr. Dudek from Accenture,” he wrote in our Telegram exchange.
But if it was Accenture that was hacked, then how had they allegedly taken over Colonial Pipeline’s systems? Well, it turns out they hadn’t, of course. When asked about that claim, RansomedVC’s spokesperson immediately told DataBreaches, “Inaccurate statement, apologies. Only files were taken.” They subsequently edited their Telegram post.
So what kind of data did RansomedVC leak? As others may have noted by now, the leak included many files from Accenture and files from Colonial Pipeline, but the majority of the files that DataBreaches skimmed were from before or around the time that DarkSide attacked Colonial Pipeline in May 2021. When asked directly whether the data in the leak came from the DarkSide hack, RansomedVC said no, the data came from Accenture, and some files were recent. DataBreaches did spot two threat and vulnerability management documents that appear to have been modified in 2022, but that was only one small folder, and many files appeared to date from before the DarkSide hack.
In response to RansomedVC’s original claims, Colonial Pipeline sent DataBreaches the following statement:
Colonial Pipeline is aware of unsubstantiated claims posted to an online forum that its system has been compromised by an unknown party. After working with our security and technology teams, as well as our partners at CISA, we can confirm that there has been no disruption to pipeline operations and our system is secure at this time. Files that were posted online initially appear to be part of a third-party data breach unrelated to Colonial Pipeline.
DataBreaches notes that Colonial Pipeline is not denying the authenticity of files bearing its letterhead, etc. It is only stating that the files were not exfiltrated from its systems by an unknown party recently.
Could RansomedVC have been telling the truth in claiming that it was Accenture that was hacked recently? DataBreaches reached out to Accenture to ask whether it could confirm or refute RansomedVC’s claim that Accenture had been hacked several days ago using Dudek’s login credentials. A spokesperson responded that Accenture has no evidence of any unauthorized access to its systems in the past week via phished login credentials or other means, and that it could find no confirmation of RansomedVC’s claims.
Dragos was also sent inquiries about RansomedVC’s claims. No reply had been received at the time of writing, but on Twitter, Rob Lee, the target of RansomedVC’s smear attempts, tweeted:
PSA: Criminal groups lie. Yes even, and especially, ransomware group ones. Exhau
He also posted on LinkedIn:
A criminal is posting that a gas company has been ransomed and included my name in it all to try to get a reputation boost. Pretty confident the gas company wasn’t ransomed and 100% positive I wasn’t involved in any capacity to include the incident response. Criminals lie, even and especially ransomware groups. It’s an extortion tactic on reputation harm. Make sure you validate things before jumping to conclusions.
According to RansomedVC’s statements to DataBreaches, no ransom demand was made of Colonial Pipeline because the files had been sold to Rob Lee. This, of course, flatly contradicts the claim on their Telegram channel that they were leaking Colonial Pipeline’s files because “As they dont wanna pay, it seems we should share it with our beloved friends.” Either way, Rob Lee was apparently correct in feeling confident that the company wasn’t ransomed.
As best as DataBreaches can tell at this point, files from Accenture and Colonial Pipeline have been leaked by threat actors who claim they didn’t really try to extort either firm, and who are really mad at Rob Lee. If they didn’t try to extort Accenture, Colonial Pipeline, or Dragos, is this whole thing really about trying to destroy Rob Lee’s reputation? If so, it is likely an exercise in futility.
Update 1: RansomedVC has posted what they claim is proof of the Accenture breach. The images depict what appears to be access to Accenture employee Marian Dudek’s Microsoft 365 account, which, if genuine, would support their claim that Accenture was breached. The spokesperson who called DataBreaches last night had told this site that they had no idea who Dudek was. It’s clear from his LinkedIn profile that he exists, has been employed by Accenture since 2013, and is a Principal Director. RansomedVC also continues to make claims about Rob Lee and threatens to reveal emails of his if he does not admit to what they consider his wrongdoing. It’s unfortunate and unpleasant when those in cybersecurity and threat intel are targeted by threat actors trying to harm their reputation. We’ve seen it before and, unfortunately, we seem to be seeing it again.
Update 2: Dragos has sent DataBreaches the following statement:
“We’ve seen the claims and they’re obviously false. Our CEO was not only not involved but obviously never purchased the data, tried to use it, or anything else the criminal is claiming. This behavior is disgusting but isn’t new and continued harassment of cyber security professionals countering criminals is unfortunately the new norm.”