Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data.
Hyundai Motor Europe is Hyundai Motor Company's European division, headquartered in Germany.
BleepingComputer first learned of the attack in early January, but when we contacted Hyundai, we were told they were just experiencing IT issues.
"Hyundai Motor Europe is experiencing IT issues, which the company is working to resolve as quickly as possible," Hyundai told BleepingComputer at the time.
"Trust and security are fundamental to Hyundai's business and our priority is the protection of our customers, employees, investors, and partners."
However, after sharing additional information we had learned about data being stolen, Hyundai confirmed to BleepingComputer that they suffered a cyberattack.
"Hyundai Motor Europe is investigating in a case in which an unauthorised third party has accessed a limited part of the network of Hyundai Motor Europe," Hyundai Motor Europe told BleepingComputer.
"Our investigations are ongoing, and we are working closely with external cybersecurity and legal experts. Relevant local authorities have also been notified. Trust and security are fundamental to our business, and our priority is the protection of our customers, employees, investors, and partners."
The company did not specify what type of attack they suffered, but BleepingComputer learned the Black Basta ransomware operation conducted it in early January when they claimed to have stolen 3 TB of data from Hyundai Motor Europe.
In an image seen by BleepingComputer, the threat actors shared lists of folders that were allegedly stolen from numerous Windows domains, including those from KIA Europe.
While it is not known what data was stolen, the folder names indicate its related to various departments at the company, including legal, sales, human resources, accounting, IT, and management.
Hyundai previously disclosed a data breach in April 2023 that impacted Italian and French car owners and those who booked a test drive.
More recently, Hyundai MEA's X account was hacked to promote sites with crypto wallet drainers.
Who is Black Basta?
The Black Basta ransomware gang launched its operation in April 2022 and quickly launched a stream of double-extortion attacks.
By June 2022, Black Basta had partnered with the QBot malware operation (QakBot) to drop Cobalt Strike for remote access on corporate networks. Black Basta would use this access to spread to other devices on the network, steal data, and ultimately encrypt devices.
Black Basta is believed to be an offshoot of the notorious Conti ransomware operation, run by one of the previous Conti leaders.
Since its launch, the threat actors have been responsible for a wide range of attacks, including those against the Toronto Library, Capita, American Dental Association, Sobeys, Knauf, and Yellow Pages Canada.
A report from Corvus Insurance and Elliptic in November 2023 says that Black Basta is believed to have received over $100 million in ransom payments since its launch.