A Canadian construction company that won military and government contracts worth millions of dollars has suffered a ransomware attack.
General contractor Bird Construction, which is based in Toronto, was allegedly targeted by cyber-threat group MAZE in December 2019. MAZE claims to have stolen 60 GB of data from the company, which landed 48 contracts worth $406m with Canada's Department of National Defense between 2006 and 2015.
In an email to the Canadian Broadcasting Corporation (CBC), a Bird Construction company spokesperson wrote: "Bird Construction responded to a cyber incident that resulted in the encryption of company files. Bird continued to function with no business impact, and we worked with leading cyber security experts to restore access to the affected files."
MAZE's modus operandi is to demand a ransom from its victim to secure the return of data that the group has stolen and encrypted. Victims are warned that failure to pay up will result in the data's publication. If a victim refuses to pay, MAZE's next move is typically to publish a small quantity of the data it claims to have stolen to show it means business.
According to Emsisoft threat analyst Brett Callow, MAZE has now published data it claims to have stolen from Bird Construction. The published files contain employees' personal data and information relating to Canadian company Suncor Energy, with which Bird Construction has worked on multiple projects.
Callow told Infosecurity Magazine: "Maze actually published some of Bird’s data. The files included documents relating to Suncor and records for a couple of Bird employees which included their names, home addresses, phone numbers, banking info, social insurance numbers, tax forms, health numbers, drug and alcohol test results—everything that a criminal would need to steal their identity. And all that info was posted on the clear web where anybody could’ve accessed it."
The published data, which Infosecurity Magazine has viewed, consisted of two large PDF files, each relating to a separate Bird Construction employee, plus documents detailing vehicle entry authorization and alcohol and drug testing procedures at Suncor.
Callow added: "The big question is: what else did MAZE get and did any of the data relate to Bird's government and military contracts?"
Bird Construction has not said whether a ransom was paid to its cyber-attackers. Callow advised any company that gets hit by ransomware not to pay up.
He said: "There is no way for a company to know that the data will be deleted after a ransom has been paid. In fact, it probably will not be deleted. Why would a criminal enterprise delete data that they may be able to use or monetize at a later date?"