LockBit ransomware group downed by DDoS after claiming Entrust breach

The LockBit ransomware gang is claiming responsibility for the July cyberattack against cybersecurity giant Entrust, but with a twist — the group is also accusing its latest victim of a counterattack.

Entrust, which describes itself as a global leader in identities, payments and data protection, said in late July that an “unauthorized party” accessed parts of its network, but declined to describe the nature of the attack or say if customer data was stolen. Entrust’s customers include a number of U.S. government agencies, including Homeland Security, the Department of Energy and the Treasury.

On Friday, LockBit, a prominent ransomware operation that’s previously claimed attacks on Foxconn and Accenture, took responsibility for the July cyberattack by adding Entrust to its dark web leak site. The gang began leaking the company’s internal data this weekend, suggesting Entrust may have refused to meet the group’s ransom demands.

But soon after, an apparent distributed denial of service (DDoS) attack forced LockBit’s dark web leak site offline.

Azim Shukuhi, a security researcher at Cisco’s Talos, cited a LockBit member going by the handle “LockBitSupp,” who claimed the site was receiving “400 requests a second from over 1,000 servers.” While the perpetrators of the DDoS attack remain unknown, the same LockBit member told Bleeping Computer that the attack “began immediately after the publication of data and negotiations,” and separately told malware research group VX-Underground that they believed the attack was launched by someone connected to Entrust, referencing junk internet traffic that said “DELETE_ENTRUSTCOM_MOTHERFUCKERS.”

LockBit’s site remains largely inaccessible Monday, but briefly showed a message warning that the gang plans to upload Entrust’s stolen data to peer-to-peer networks, making the data almost impossible to take down.

TechCrunch asked Entrust to confirm or deny any knowledge of, or any connection to, the DDoS attack. Ken Kadet, vice president of communications at Entrust, declined to respond to multiple emails sent prior to publication.

Offensive cyberattacks — or “hacking back” against cybercriminals, such as launching DDoS attacks against unwilling participants — are illegal under U.S. law and could be classified as a federal criminal offense under the Computer Fraud and Abuse Act. Hacking back has been subject to intense debate for years as a possible alternative way of protecting U.S. companies from international threats, though critics say allowing private companies to engage in cyberwarfare risks escalating diplomatic tensions and destabilizing state relations.

Or, as one security researcher puts it: “The idea that a cybersecurity company would be yeeting a DDoS around would set a dangerous precedence [sic].”