The Hive ransomware group has claimed responsibility for the recent cyberattack on Tata Power, a leading Indian energy company, and has started leaking stolen employee data.
Tata Power, which serves more than 12 million customers through its distributors, confirmed on October 14 that it had been hit by a cyberattack that impacted some of its IT systems. “The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” Tata Power said at the time, but did not confirm any specific details about the attack and its impact at the time.
Hive, the ransomware gang that recently hit the Costa Rican government, this week listed Tata Power on its dark web leak site, which it uses to publicize attacks and stolen data. The group claims it encrypted the company’s data on October 3, suggesting Tata Power may have known about the breach two weeks prior to its initial filing, according to the listing, which TechCrunch has seen.
The listing of stolen data suggests any negotiations to pay a ransom failed. This data, reviewed by TechCrunch, includes sensitive employee information, such as Aadhaar national identity card numbers, tax account numbers, salary information, home addresses and phone numbers. The leaked data, which was posted to Hive’s dark web leak site on October 24, also includes engineering drawings, financial and banking records, client records and some private keys.
“The leak has sensitive data but nothing that affects power grids,” Rahul Sasi, co-founder and CEO of threat intelligence firm CloudSEK, who also reviewed the leaked data, told TechCrunch. Sasi said that the group’s motivation appears to be purely financial.
TechCrunch contacted Tata Power but had not received a response at the time of publication.
The Hive ransomware gang has been active since mid-2021. The gang and its affiliates started targeting organizations that experienced high downtime costs, such as healthcare providers, energy providers and retailers. The group is known for its aggressive tactics and has been observed using methods such as “triple extortion,” whereby the attackers seek money not only from the organization that was first targeted but also from anyone who might be impacted by the disclosure of that organization’s data.
The attack on Tata Power is the latest in a series of attacks carried out by Hive. Last month, the group claimed an attack on the New York Racing Association just a few days after leaking data stolen from Bell Canada-owned subsidiary Bell Technical Solutions.