Hackers Taunt Western Digital for Poor Cybersecurity
Tuesday, 2 May 2023
Hard drive giant Western Digital suffered a cyberattack on March 26 wherein hackers breached internal networks and stole ten terabytes of company data. No ransomware was installed, and no files were encrypted, though the hackers attempted to negotiate a ransom of eight figures in exchange for simply not releasing Western Digital's private data to the public. In response, Western Digital was forced to shut down its cloud service offerings for two weeks, while the company scrambled to assess the situation.

"Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts," reads a disclosure released by Western Digital.
When a company discovers that it has been breached, one of the first things it needs to do is learn how the intruders gained access, so that it can close those channels. However, this process takes time, which allows the intruders to continue their attack even after the company has detected it. How the company responds to the intruders' threats at the point of compromise often dictates how lenient the attackers will be in the later stages of the attack.
In this instance, Western Digital chose not to pay the ransom and also refused to hold any conversation with the hackers. "I want to give them a chance to pay, but our callers, they have called them many times. They don't answer, and if they do, they listen and hang up," said a member of ALPHV.
A message issuing a further warning appeared on the ALPHV noticeboard on April 18, informing Western Digital that ALPHV would "[hurt] them until they cannot stand it anymore", and telling them to "consider this our final warning".

ALPHV has subsequently published 29 screenshots of internal emails and video conferences at Western Digital, indicating that they still have access to the Western Digital servers. Not only that, but the hacking group also shared files that were digitally signed with Western Digital's code-signing keys, which would essentially allow them to release malware under Western Digital's name.
One of the leaked images is that of an internal email communique telling Western Digital staff not to leak information about the attack to the press. However, the fact that ALPHV continues to have internal access to the company network makes this a moot point. Most companies are woefully unprepared for a cybersecurity incident, and Western Digital's response shows that further cybersecurity training is needed.