Amey Plc, the British giant providing infrastructure support services to both regulated and public sectors has suffered a ransomware attack since mid-December 2020.
The group behind this data breach is Mount Locker, which has been known to demand multi-million dollar ransom payments from its victims in the past.
A subsidiary of Spanish multinational Ferrovial, Amey is one of the largest British firms serving public and regulated sectors, such as defense, railways, and power some of which constitute UK’s critical infrastructure.
The $2 billion company employs over 19,000 people and is heavily involved in areas of civil engineering, transportation, aerial surveillance (i.e. via unmanned vehicles), defense, power, and waste management.
As of 2019, Amey operates the London Docklands Light Railway (DLR) line and Manchester Metrolink trams. In collaboration with Keolis, Amey also operates Transport for Wales Rail Services.
Ransomware op leaks confidential documents
Around December 16th, 2020, the Mount Locker ransomware group breached Amey’s computer systems.
As observed by Security Report, on December 26th, the group started publishing Amey’s proprietary data in parts on their leak site.
The leaked documents present in the dump include contracts, financial documents including bank statements and loan records, confidential partnership agreements, NDAs, correspondence between Amey and UK government departments and councils, scans of passports, driving licenses, and identity documents of company employees and directors, financial reports, employment records (new hire offers and resignation letters), technical blueprints (of Manchester Metrolink railways, for example), meeting minutes, etc.
Exposed data mention Amey’s subsidiaries
It is worth mentioning a fair number of documents and contracts present in the dump mention Amey Defence Services Ltd as one of the contracting parties.
Formerly known as CarillionAmey (Housing Prime) Ltd, Amey Defence Services is the private arm of Amey that provides infrastructure management and support services to military establishments including the British Armed Forces.
However, Amey has clarified in an email to Security Report that this incident did not impact Amey’s Defence IT environment and that Amey Defence data is stored separately in the Defence IT Environment.
Likewise, some agreements were made between third-parties and Amey’s civil engineering consultancy Amey Ow Ltd that serves clients in the fields of aviation, central government, defense, education, local government, and rail and highway.
Other Amey company documents present in the leaked data set concern smaller subsidiaries such as Amey Utility Services Ltd which provides services to the British water and power sector.
A small chunk of the pie
At the time of our initial reporting, less than 5% of the data had been leaked in a compressed archive of 416 MB by the ransomware group.
Update: According to the threat actors, as of January 3, 2020, the size of the entire stolen data set is 143 GB, of which about half (65 GB) has now been published on the leak site.
Ransomware operators typically start leaking data in parts when they fail to negotiate a ransom amount with the victims during the early stages of a cyberattack. This is yet another tactic employed by the threat actors in extorting money from the affected party.
Whereas, in other cases, the threat actors may choose to quietly auction the customer data on darknet forums instead of leaking it, should the victim refuse to pay the ransom.
Thus far, Security Report is not aware of any ongoing negotiations taking place between Amey and Mount Locker pertaining to the ransom amount.
A “complex IT security incident”
When asked for details concerning the cyberattack, an Amey spokesperson told Security Report:
“On 16th December Amey became aware of a complex IT security incident during which a portion of our data was compromised. We have reported the incident to the Information Commissioner’s Office, the National Centre for Cyber Security, and the National Crime Agency.”
The company also states the cyber attack was spotted early on and that they are striving to minimize any disruptions caused.
“Amey has comprehensive tracking software and virus mitigation strategies meaning the incident was caught early. We have been working with world-leading cyber-security experts throughout this incident and continue to work with clients to keep any disruption to a minimum,” an Amey spokesperson told Security Report.
Although the company has promptly reported the cyber attack to relevant UK authorities including the ICO, NCSC, and NCA, it may take some time for Amey to assess the full impact of this cyber attack on their clients and partners, and for more details to be known.
This is a developing story.
Update 2-Jan-2020: Added clarification from Amey Plc that this cyber attack did not impact Amey’s Defence IT environment and Amey Defence data stored separately in that environment.
Update 3-Jan-2020: Edited that the total stolen data is about 143 GB in size according to Mount Locker, of which 50% (65 GB) has now been published on their leak site.