In the cyber attack on Continental, the hackers apparently captured data that is not only sensitive but also very large in volume. This emerges from a list that the hackers have now published on their Darknet blog. The text file is 7.6 billion characters long, almost eight gigabytes in size and lists the storage paths of 55 million files. According to the hackers, these all come from Conti servers. The list includes, among other things, budget, investment and strategy plans, human resources documents, and confidential documents and communications from the executive and supervisory boards. Correspondence from the head of the supervisory board, Wolfgang Reitzle, is apparently also affected. According to the list, the hackers also captured data related to customers, including car manufacturers Volkswagen, Mercedes and BMW. In the case of VW, for example, it concerns specifications for software, control units as well as contract conditions and specifications.
Last week Continental confirmed a Handelsblatt report that the “Lockbit 3.0” ransomware group stole a significant amount of the company’s data in August. According to company sources, it is a total of 40 terabytes. It is the first time that such a massive data theft has become known at a DAX company.
Continental declined to comment on the published list when asked. Lockbit put the Conti data up for sale for 50 million US dollars at the end of last week after the supplier apparently did not want to pay the ransom. Just on Friday, Lockbit published data from the French armaments company Thales, which also did not want to pay.
[Image: chat log. In the alleged chat, the cybercriminals demand ransom from Continental for the 40 terabytes of data.]
In August, Continental praised itself for its data protection: The security of the information of “employees, customers and partners as well as its own data” is of “great importance” for the company, according to a press release. A cyber attack was “identified and then averted”.
Two and a half months later, the group and its partners have to watch as their trade secrets possibly become public. The hackers’ list suggests that they have captured sensitive information about the automotive division, Continental’s most important business area.
Minutes of board meetings
The list contains e-mails with the subject of the division’s investment plan for the 2023 and 2024 financial years. And according to their file titles, two tables seem to show future planned price lists and stock levels. If such information becomes public, it could make Continental’s negotiations with suppliers and car manufacturers significantly more difficult.
Those documents that apparently come directly from the board of directors and the supervisory board are also likely to be sensitive. Apparently, the list contains minutes of supervisory board meetings as well as draft resolutions and presentations by the Conti board of directors for “business discussions” with the supervisory board.
Apparently, documents on strategy meetings between the Conti board and the head of the supervisory board, Wolfgang Reitzle, are also included. The hackers also probably captured a letter that supervisory board chairman Reitzle wrote to former Volkswagen boss Martin Winterkorn.
Elsewhere, a presentation appears that, according to its name, addresses the portfolio management of the Contitech industrial division. Many auto parts suppliers are currently selling off business units to finance their transformation. Contitech board member Philip Nelles had already indicated possible sales of such business areas in the industrial division in mid-2021. The captured files could now provide details about these discussions.
Extensive data from Volkswagen and Cariad
But it’s not just Conti’s internal information that the hackers have apparently gotten their hands on. It is also explosive for Continental that partners now have to worry about their business secrets, because the list of stolen files also includes customer data from car manufacturers such as Porsche, BMW and Mercedes.
In the case of Volkswagen, there is a lot of data, for example so-called NDAs, i.e. non-disclosure agreements, with the software unit Cariad from July 2022. Technical concept drawings for Cariad are apparently also included.
Also included are alleged offers for special displays for a Volkswagen series that will only come onto the market in the future. A table with volume scenarios for this deal is also on the list. Another current file is titled “Cybersicherheit_Basic Requirements_VW”.
Numerous details from the cooperation between Continental and Volkswagen in the Chinese market can also be found, including specific contractual conditions. For Volkswagen, China is the most important sales market. Volkswagen initially did not respond to a short-notice inquiry from Handelsblatt. Mercedes and BMW declined to comment on the list.
Automotive customers are alarmed by the scale of the data leak. According to Conti company sources, various manufacturers and suppliers sent questionnaires to Continental in August. They asked the company to assess the risk that confidential data on components, blueprints and software specifications had leaked to the cybercriminals.
Continental said in the August press release that it was “aware of its data protection obligations” and, in consultation with data protection authorities, was “taking the necessary steps to fully comply with them”. At the time, however, the company was apparently unaware that such an enormous amount of data had been lost.
Personnel files and health data of Conti employees
It was only at the beginning of November that the company publicly admitted that “the attackers were able to steal part of the data despite established security precautions”. This was the result of an internal investigation with the support of cyber experts, which is still ongoing. The public prosecutor’s office in Verden is also investigating.
The list that has now been published is sensitive not only for companies, but also for current and former Conti employees. The document apparently contains the titles of personnel files, documents on wage costs and Excel spreadsheets with addresses of employees. The list also contains a number of warnings with real names – among other things because of insufficient personnel management, physical attacks or the consumption of alcohol or drugs.
Employees now also have to watch as the cybercriminals try to monetize their health data. The data record contains, among other things, a statement from a company doctor about an employee who apparently has mental problems. Information about his absences from work is apparently also part of the data set.
Lockbit is currently the most active ransomware group. With the list now up for sale, the group probably wants to persuade Continental to pay a ransom for the data after all.
According to their own statements, the blackmailers tapped data from 160 companies in October alone. The group operates mainly from Russian-speaking countries. In the case of Continental, it is unclear whether Lockbit gained access to the systems itself or whether someone with access credentials helped.
Lockbit is known for targeting corporate insiders. In return, the hackers promise them a share of the ransom.
In another prominent case, the hackers have already followed through on their threat. The ransomware group released data from French defense company Thales on Friday. The arms manufacturer had also refused to pay the ransom. However, the data captured from Thales is apparently significantly less sensitive than in the Continental case.