The cyber attack and the theft of almost 650 GB of data, which took place between the end of August and the first days of last September, are not CyberOptics Corporation’s only problem. CyberOptics Corporation (CyberOptics), a Minneapolis, Minnesota-based multinational company that develops and manufactures high-precision 3D optical sensing technology solutions, may also face lawsuits in the coming months related to Nordson Corporation’s (Nordson) acquisition of its corporate capital.
Several law firms (Weiss Law, Halper Sadeh LLC, Brodsky & Smith LLC and Monteverde & Associates PC) are investigating possible breaches of fiduciary duty and other violations of US federal and state law. Their investigations aim to establish whether the price paid for each share ($54.00 in cash) should be considered satisfactory for CyberOptics shareholders.
Between the end of August and the beginning of September 2022, according to research carried out by SuspectFile, CyberOptics Corporation was hit by a cyber attack. A new ransomware group, SchoolBoysGang, managed to enter the IT systems of the American multinational by exploiting a server-side vulnerability, helped by the poor protection of the network systems. This is one of the many responses a gang member gave us via email:
We used a popular vulnerability on their server at that time, their cybersecurity was at zero and we were very surprised by this.
SuspectFile was able to follow the negotiations between the person in charge for CyberOptics Corporation and a staff member of the SchoolBoysGang ransomware group from the very beginning. The chat started with a message sent by the negotiator of the American multinational:
11 Oct – 09:04:00 – Hello, how do we decrypt data?
11 Oct – 09:54:15 – Hello. We will check your finance and get back to you with our demand shortly. Be in touch plz.
11 Oct – 10:03:22 – So, we have reviewed your finance and calculated the price for you. Therefore, decryption tool, permanent data deletion with deletion log as well as our recommendations on how you can improve and strengthen your system will cost you $1,900,000. We have uploaded all sources (NextGen, Flex, WaferSense) and other Intellectual Property. Currently we have full sharepoint dump, all User Folders, all important data from NAS’s, plenty of NDA’s and much, much more. Will provide you with a full listing of taken data soon.
12 Oct – 06:00:56 – How do you do a full sharepoint dump? It’s totally impossible.
12 Oct – 07:51:15 – https://www.sendspace.com/file/[redacted]
Pass for archive: X*lo7[redacted]
We meant the most valuable information from the sharepoint, not full dump – it doesn’t make sense.
12 Oct – 07:51:17 – You have one day to review the listing and get back to us with a decision.
12 Oct – 07:57:13 – You can choose 2-4 files from the list and we will provide them as a proof. We will be able to decrypt one of your files for free also.
14 Oct – 15:53:38 – We are in process of verifying the list. It’s very large. We will be in touch with the files that we would like you to produce.
17 Oct – 07:42:19 – Hi! What stage are you currently at? We’d like to proceed further.
18 Oct – 08:36:21 – Got you. We will start notifying your employees first.
18 Oct – 08:39:40 – If you continue to be silent, it will not end well for you. Keep the dialogue otherwise we might think that you don’t want to cooperate and we will start looking for a buyer of your data, and the decryption keys will be deleted which will make the decryption process impossible forever. Think well about the consequences, we don’t want to cause you any trouble, but we really need the money and we will do anything for it, don’t even doubt.
18 Oct – 12:01:33 – Sorry for the delay. These are the files we are requesting to provide as proof.
c:\cyberoptics\unzip\[redacted]\06 Project[redacted].xls
c:\cyberoptics\unzip\[redacted]\R&D[redacted].pdf
c:\cyberoptics\unzip\[redacted]\8001566_BUILD_[redacted].pdf
c:\cyberoptics\unzip\[redacted]\release_notes.htm
c:\cyberoptics\unzip\[redacted]\Grab_[redacted].pdf
The following day, the cybercriminals uploaded the 5 files requested by the victim to sendspace.com and set the day by which CyberOptics had to give an answer regarding the payment of the ransom:
19 Oct – 04:21:36 – Your deadline is Friday, we need a specific answer about payment. I also remind you that you can drop 1 file for a test decryption.
21 Oct – 02:51:16 – So today is Friday. Day x for our deal. We like you, so you can drop even 5 files of different extensions to make sure our decryptor works, use sendspace.com. Also a reminder that after payment we will help improve your cybersecurity, and we will give some sources to your admin to keep an eye on, so your company will never get into an incident like this again. [redacted] If not paid, some of your data will be leaked on the cybercrime forum, also we may have a closed auction in our plans.
23 Oct – 13:30:03 – https://www.sendspace.com/file/[redacted]
The gang answers:
23 Oct – 14:30:24 – Well, it’s possible of course. But why do you ask for the video instead of just submitting encrypted file samples? Anyways, not a problem. Just submit them and I will decrypt and make a video if needed.
24 Oct – 18:34:14 – Download Page Link – https://www.sendspace.com/file/[redacted]
Delete File Link – https://www.sendspace.com/delete/[redacted]
At this point CyberOptics tries to prolong the negotiation in the hope of gaining precious time:
26 Oct – 09:33:32 – we need to make sure you are not sanctioned by the government before any payments are made
27 Oct – 10:34:24 – Is it ‘yes, we’re willing to pay’ or ‘no, we refuse’? We truly understand that this incident isn’t easy to deal with and as you can see we’re here talking to you for more than 2 weeks. But our patience is not limitless. Look. First of all, we’re not sanctioned of course – ask any recovery agency’s rep. Second, according to the law, you can’t pay us at all whether we’re sanctioned or not – makes no sense. Third, if you don’t pay us, you will pay big penalties from GDPR, CISA violations, lawsuits and much, much more – hundred percent. Ok. Here is a short explanation regarding consequences that will take place if you let CISA know about your data leak: Cyber Incident Notification Act of 2021 was just introduced by the Senate Intelligence Committee. All cybersecurity incidents and ransomware attacks must be reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of experiencing a breach or intrusion. Failure to do so will result in steep fines as high as 0.5% of the firm’s prior year gross revenues—per day the violation continues. Let’s do math with you right now. $99 Million X 0,5% X 16 days = $7,920,000 ALREADY god damn it. Only for one legislative act violation. Keep that in mind when you again will be stalling. Time plays against you and only we here are who can really help you to minimize all possible risks. Will be waiting for your decision till tomorrow afternoon, then once weekend is gone, we will make this chat public and will seek for buyers of your data. As for the decryption tool, it will be abolished once and forever.
27 Oct – 10:59:19 – And always remember about your stockholders.
At one point in the negotiation the negotiator commissioned by CyberOptics asks the cybercriminal if he is willing to sign a Non-Disclosure Agreement (NDA).
It is not the (surreal) request for an agreement that “disoriented” us, but what the negotiator writes about a cash prize linked to a “bug bounty” program: a solution devised by CyberOptics to hide the payment of the ransom.
We recall that in one of the passages of the chat, the CyberOptics negotiator writes that his insurance was not willing to cover the ransom payment.
27 Oct – 12:12:49 – I am not allowed to make decisions to pay on my own. These things must be approved by leadership and it takes time for them to discuss the risk versus reward. This is a business and everything is understood in terms of risk. For example, if we decide to pay, how likely will you send the decryption program and delete the files? You might decide to make more money by selling the information on the forums and making this dialogue public. This would be much faster if you signed an NDA and submitted this like a bug bounty. You could do this type of work legally if you ask permission first.
02 Nov – 15:05:23 – There is a problem with insurance. They are refusing to pay. We are trying to find an alternative. Sorry for the delay.
We recall that on August 8, on its website, Nordson had published an agreement for the acquisition of CyberOptics and that on November 3 it had announced the completion of the operation.
15 Nov – 09:38:54 – Thank you for waiting as long as possible. I don’t know why the NDA is not approved yet. It is a simple solution and we can move on from this event. Please be aware that if you decide to leak the files, you will not be paid. It is much better to follow the original plan.
15 Nov – 10:09:06 – We have been starting to think that the only way to get paid is to leak your files in order to find buyers. It seems like you guys just trying to fool us. Anyway, deadline is set and everything depends on you. No agreement on Thursday morning – your data is leaking.
15 Nov – 11:21:08 – We have decided to set a new deadline – tomorrow evening. You can tell us a couple more tales about the NDA, while we pack your data.
15 Nov – 14:09:14 – I have been commissioned by my management to begin the process of publishing your data. Will start it right tomorrow.
16 Nov – 11:40:52 – I have an idea. Find your own NDA template online, fill it out as best you can, and send it to me. I will try to get that approved.
17 Nov – 06:18:35 – We have an idea. Please go to hell and shove your NDA deep into your director’s ass. We hope your competitors will appreciate your data
21 Nov – 16:07:35 – This is a business. You are acting unprofessional. Did I ever post something rude to you? Please treat each other with respect.
07 Dec – 10:27:08 – Yes, you are right, our previous negotiator wasn’t acting as a true professional. As a result he was dismissed. Now you are dealing with pentesters, guys who got the initial access to your system. (say Hello) We always try to get things done in a timely manner & up to the end. Kindly asking you to have a look at our example package (containing your data) that would be spread amongst dark market sources in case our deal fails. Also, we will contact all your clients & partners that you have signed NDA with, guiding them on how to sue you in a court of law. We are ready to inflict maximum damage, but at the same time we are still open to negotiate & finalize the price. The ball is on your side.
07 Dec – 10:30:10 – https://mega.nz/folder/[redacted]
If we don’t come to an agreement, it will become public.
In the private chat, a mega.nz URL is posted with over 5 GB of data relating to administrative and sensitive documents of CyberOptics, and a much larger part, over 20 GB, is posted on a dark web forum (BreachForums) with financial documents of the offices operating in Portland (U.S.), China, Taiwan, Singapore, Malaysia and the UK, and of Laser Design Inc. (a CyberOptics Corporation brand). It is precisely the 20 GB of data posted on the forum that publicly exposes the Minneapolis multinational.
Over 100 Non-Disclosure Agreements entered into with as many partners (American, Asian and European companies), documents classified as “Confidentiality Agreements”, administrative documents, various copies of passports, including those of the CEO and CFO of CyberOptics. And again: driving licences of citizens residing in the US, Malaysia, China and India, some of them conforming to the originals, full names and residential addresses of some collaborators, and an Excel file with account names and passwords for accessing the various services contracted with the companies Laser Design Inc. has business relationships with:
Amazon, American Express (Minnesota), Apple Supplier Connect, Aramark Refreshment Services, Boston Scientific Co., C2FO, CenterPoint Energy, Dell, Experian, FEDEX, FindRFP, GoTo Meeting, Hewlett Packard, Minnesota Department of Revenue, PaymentWorks, Salesforce Inc., SpaceClaim Co., UPS, Veem, Xcel Energy Inc. and many more.
In many cases, the same e-mail or password was used to log into different accounts.
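The spreadsheet described above is a textbook case of credential reuse: one leaked password unlocks several unrelated services. The following Python script is an added example, not part of the SuspectFile article or any CyberOptics material. It runs over a constructed credential export (service, login and password columns with invented values, not data from the leak) and reports which services share a password or a login, so that a defender reviewing such an export can see the blast radius of a single exposed credential. Passwords are shown only as a truncated SHA-256 fingerprint so the audit output never echoes the secrets themselves.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export in the shape of a "services and passwords" sheet.
# All service names, logins and passwords are invented for this example.
SAMPLE_CSV = """service,login,password
Vendor portal A,ops@example.com,Summer2022!
Shipping account B,ops@example.com,Summer2022!
Utility billing C,finance@example.com,Summer2022!
Cloud CRM D,finance@example.com,q7$Lm2!pX9vR
Credit card E,finance@example.com,q7$Lm2!pX9vR
Meeting tool F,it@example.com,Tt4#wq9Zb!e1
"""


def load_rows(text):
    """Parse a CSV export with service/login/password columns into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def fingerprint(password):
    """Short SHA-256 prefix so reports can group passwords without printing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(rows):
    """Map each reused password (by fingerprint) to the services it unlocks.

    Passwords used by exactly one service are omitted; what remains is the
    set of services that fall together if any one of them is compromised.
    """
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["service"])
    return {
        fingerprint(pw): sorted(services)
        for pw, services in by_password.items()
        if len(services) > 1
    }


def find_shared_logins(rows):
    """Map each login used on more than one service to those services.

    A shared e-mail is not a weakness by itself, but combined with a reused
    password it gives an attacker a ready-made credential-stuffing list.
    """
    by_login = defaultdict(list)
    for row in rows:
        by_login[row["login"]].append(row["service"])
    return {
        login: sorted(services)
        for login, services in by_login.items()
        if len(services) > 1
    }


def largest_blast_radius(rows):
    """Number of services exposed by the single most widely reused password."""
    groups = find_reused_passwords(rows)
    return max((len(s) for s in groups.values()), default=0)


ROWS = load_rows(SAMPLE_CSV)

if __name__ == "__main__":
    print("Reused passwords (fingerprint -> services):")
    for fp, services in find_reused_passwords(ROWS).items():
        print(f"  {fp}: {', '.join(services)}")
    print("Logins shared across services:")
    for login, services in find_shared_logins(ROWS).items():
        print(f"  {login}: {', '.join(services)}")
    print(f"Largest blast radius: {largest_blast_radius(ROWS)} services")
```

Run on a real export, the two report sections give a remediation order: rotate the password groups with the largest blast radius first, then enable distinct credentials (and where possible multi-factor authentication) on every service that shares a login.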
On December 14th SchoolBoysGang, after the data theft had become public knowledge, writes in the chat that it has informed some rival companies of CyberOptics Corporation:
Innersense USA
Challentech International Corporation Taiwan
KLA Corp california usa
visco.com
Perceptron Inc.
NDC Technologies Inc.
14 Dec – 12:00:13 – Today we are notifying following companies regarding your data breach:
innersense usa
Challentech International Corporation taiwan
KLA Corp california usa
viscom.com
perceptron.com
ndc.com
Also, we are going to invite them to participate in our private auction. Fortunately, you still have 24 hours to make us an offer. Additionally, we have been contacted by independent journalist Marco A De Felice, who is aware of your incident & our negotiations, however, we have not posted any details yet (but just for now, ok?) We assume that these are recovery company’s games. We also like playing games, so it will be fun. And STILL we are open to negotiation process & if $ 1 900 000 is too high – make us a reasonable offer. Once you read this message a countdown begins & you have 24 hours remaining. After we share your details with all interested parties the damage would cost you a lot more than $ 2 000 000 because we know that Innersense bigger than WaferSense. Do You also want your customers to be aware of this fact? Do You want your competitors to receive your patents? We don’t think so. To tell the truth, a note regarding your data breach has been spread amongst 200 peoples only. In fact, this is not even a DUMP, just a small note which can be easily destroyed. It contains your accountancy only. The most interesting part isn’t available yet.
In my first email, sent to SchoolBoysGang on December 13th, I wrote that I am an IT security researcher and blogger at SuspectFile.com and that I had been able to follow the chat negotiations from the beginning, but that until then I had not made the news public so as not to cause damage to CyberOptics.
The situation changes when the gang of cybercriminals makes everything public, deciding to open a thread on BreachForums allowing anyone to freely download over 20 GB of sensitive CyberOptics data (4795 folders and 36990 files).
In the email we ask the gang questions about the cyber attack on the Minneapolis company’s IT infrastructure.
For some questions we did not get answers:
SchoolBoysGang (Gang): […] I will answer the questions that interest me.
SuspectFile (SF): – I was able to read the willingness of your group’s staff in complying with the negotiator’s requests, such as when they requested a video explaining the various steps for file decryption. Was this availability due to CyberOptics being the first victim you opened negotiations with?
Gang: [no reply]
SF: – From the documents sent both in chat and in BF it emerges that the most recent data shows the date of September 2022. Is it correct if we say that the intrusion into the victim’s servers took place in August 2022?
Gang: [no reply]
SF: – What was the access that allowed you all this: phishing, VPN, RDP?
Gang: None of the above listed
SF: – The initial ransom demand was $1.9M, an amount they deemed impossible to pay but never made a counter offer. At what amount would you have been willing to close the negotiation?
Gang: It all depends on the ability of our partners to bargain.
SF: – CyberOptics has asked that you sign an NDA and then turn it into a bug bounty payment. I don’t think it’s entirely legal for them to hide something like this, but other than that, who prevented you from signing with the name of another group? It has already happened in the past with another group.
Gang: [no reply]
SF: – We believe that the 21 GB and almost 6 GB posted on BF and in the chat is not all the material exfiltrated during the cyber attack, but that you haven’t published some of it yet. If that were the case, as we think, are there any patent or PHI documents in your hands?
Gang: The leak of several gigabytes to the forum is just a warning shot before the slaughter of the entire top management. We are interested in profit and still hope for a successful deal, which is why the leak is so light. Patents and PHI are available – look at full_listing.rar in MEGA.
SF: – In the chat your collaborator wrote that you have participated in various affiliate programs. I doubt that if I ask you which ones you would answer, but I’ll try anyway… What affiliate programs has your group partnered with?
Gang: previously, we were engaged in increasing privileges to order and, in general, pentesting without using extortionate software. After the release of the lockbit, we decided to fix the program and test it for the sake of interest. We are aware of the dubious reputation of CyberOptics and their deception of investors, so we are not ashamed to extort money from them.
SF: – After the LockBit code and chats were released, many groups used this group’s code, now called LockBit 3.0 or Black. You mention in the chat that you have used this ransomware variant; have you used other types of ransomware in the past? If yes, can you tell me which ones?
Gang: [no reply]
SF: – SchoolBoys Gang is a relatively young band, when did you get started?
Gang: [no reply]
SF: – In the chat the victim refers to Karakurt, can you explain better if this group was one to which you offered the material stolen from CyberOptics?
Gang: No, but is it necessary?
SF: – Do you have a precise target on which you refer when hitting the victims? Are hospitals or other medical entities and education part of your target?
Gang: It’s simple – our victims are men with thick wallets and with a dubious reputation. Of course we are not attacking hospitals and educational institutions, who do you take us for?
SF: – Do you have a blog where you publicize the names of victims who don’t agree to negotiate, or do you only use dark markets?
Gang: [no reply]
Gang: … can you indirectly influence the continuation of negotiations with them? Then we will answer your questions.
SF: You ask me if we have a data recovery team, or maybe if I’m a “negotiator” myself, or maybe if I expect/hope for a reward in exchange for the information I manage to gather.
– None of that. I am an independent IT security researcher and do not “harvest” information from groups for money.
You ask me if we, I can (indirectly) influence negotiations with your or other victims.
– No, because I’m not a negotiator.
SF: – When asked how you entered the victim’s systems, you excluded those I indicated, but you don’t refer to the one used. So I ask you to be more specific.
– I was able to view about 26GB of data, but what is the total existing data in your hands?
Gang: We used a popular vulnerability on their server at that time, their cybersecurity was at zero and we were very surprised by this. About 650GB and 2,500,000 files, and if we don’t end the negotiations on a positive note soon, then we will leak ABSOLUTELY everything we have.
It has long been clear that they do not want to have anything to do with us. Well, we will have to set an example to other companies of what will happen if they try to deceive us and think that several hundred thousand dollars are not worth it to preserve their reputation and the data of their customers/partners/shareholders/employees.
We agree that we acted disrespectfully and insulted them, but this is our negotiator’s problem, not mine. […] we will be happy to read your news about the collapse of CyberOptics 🙂
The date of December 15 is significant for this case, a date that recurs often … maybe it’s just a coincidence?
Since December 15 SchoolBoysGang has stopped all communication with SuspectFile, despite our sending three more emails (December 18, 19 and 30).
Their last message on BreachForums is dated December 15th, their last log-in to the forum is December 19th, while the .onion blog with the chat has no longer been reachable since the first days of January 2023. SuspectFile has preserved an original copy of the entire chat.
We do not know what led the gang to disappear into thin air, but we can put forward some hypotheses:
– CyberOptics may have paid the ransom (this is perhaps why some of the data is still present on mega.nz today: its removal could have raised suspicions)
– The data may have been sold to some competitor company
– The publication on BreachForums of part of the stolen data could have exposed the group of cybercriminals, (perhaps) seriously undermining their security; this could be what prompted SchoolBoysGang to “disappear into thin air”.
This case once again highlights the lack of attention that small and large companies pay to cyber security. On too many occasions we have found that the security of IT systems is not considered a business priority.
A disturbing aspect is certainly the ease with which we see groups of cybercriminals being born and often, fortunately, “dying” in a short time, in this case thanks also to the publication, last September, of the LockBit 3.0 source code.
After the release of the code, many existing groups, such as the Bl00Dy Ransomware Gang, customized their own version of the ransomware. Many others were born thanks to the ease with which anyone with basic computer knowledge is able to “build” their own version of the ransomware, just as SchoolBoysGang confirmed to us.
The probable young age and inexperience of the members of this gang meant that the CyberOptics negotiator was able to carry on the negotiation for over two months, keeping the news hidden. We recall that in those weeks the Nordson Corporation was preparing to finalize the last agreements for the acquisition of CyberOptics.
Due to the mistakes made by the gang throughout the negotiation, CyberOptics gained precious time, and only on December 15, 2022 did it send the only two notifications we have been able to find so far, to the Attorneys General of the states of Massachusetts and Montana.
In both notifications the actual cause of the attack that allowed the theft of data from the servers is never mentioned, just as the name of the ransomware group is never mentioned, despite CyberOptics being aware of it.
On October 23, the CyberOptics negotiator writes in the chat:
if you do a search for “SchoolBoys Ransomware Gang” it is the only result. I wanted to see if you have a good reputation to recover the files after payment.
Although CyberOptics is aware of the theft of data, much of it sensitive, and of the extortion carried out by the gang, CyberOptics writes to the Attorneys General of the two US states describing the incident as a (simple) data security event:
CyberOptics Corporation (“CyberOptics”) is writing to inform you of a recent data security event that may have impacted certain information related to you. […]