News

Amey suffers cyber attack from ransomware

Amey Plc, the British giant providing infrastructure support services to both regulated and public sectors has suffered a ransomware attack since mid-December 2020.

The group behind this data breach is Mount Locker, which has been known to demand multi-million dollar ransom payments from its victims in the past.

Image: Mount Locker ransomware leak site partially published Amey’s proprietary files

A subsidiary of Spanish multinational Ferrovial, Amey is one of the largest British firms serving public and regulated sectors, such as defense, railways, and power some of which constitute UK’s critical infrastructure.

The $2 billion company employs over 19,000 people and is heavily involved in areas of civil engineering, transportation, aerial surveillance (i.e. via unmanned vehicles), defense, power, and waste management.

As of 2019, Amey operates the London Docklands Light Railway (DLR) line and Manchester Metrolink trams. In collaboration with Keolis, Amey also operates Transport for Wales Rail Services.

Ransomware op leaks confidential documents

Around December 16th, 2020, the Mount Locker ransomware group breached Amey’s computer systems.

As observed by Security Report, on December 26th, the group started publishing Amey’s proprietary data in parts on their leak site.

The leaked documents present in the dump include contracts, financial documents including bank statements and loan records, confidential partnership agreements, NDAs, correspondence between Amey and UK government departments and councils, scans of passports, driving licenses, and identity documents of company employees and directors, financial reports, employment records (new hire offers and resignation letters), technical blueprints (of Manchester Metrolink railways, for example), meeting minutes, etc.

Image: Leaked data dump contains identity documents of Directors and employees
(Source: Security Report)

Exposed data mention Amey’s subsidiaries

It is worth mentioning a fair number of documents and contracts present in the dump mention Amey Defence Services Ltd as one of the contracting parties.

Formerly known as CarillionAmey (Housing Prime) Ltd, Amey Defence Services is the private arm of Amey that provides infrastructure management and support services to military establishments including the British Armed Forces.

However, Amey has clarified in an email to Security Report that this incident did not impact Amey’s Defence IT environment and that Amey Defence data is stored separately in the Defence IT Environment.

Likewise, some agreements were made between third-parties and Amey’s civil engineering consultancy Amey Ow Ltd that serves clients in the fields of aviation, central government, defense, education, local government, and rail and highway.

Other Amey company documents present in the leaked data set concern smaller subsidiaries such as Amey Utility Services Ltd which provides services to the British water and power sector.

A small chunk of the pie

At the time of our initial reporting, less than 5% of the data had been leaked in a compressed archive of 416 MB by the ransomware group.

Update: According to the threat actors, as of January 3, 2020, the size of the entire stolen data set is 143 GB, of which about half (65 GB) has now been published on the leak site.

Jan 3, 2020: Ransomware ops leak 50% (65 GB) of the total 143 GB data

Ransomware operators typically start leaking data in parts when they fail to negotiate a ransom amount with the victims during the early stages of a cyberattack. This is yet another tactic employed by the threat actors in extorting money from the affected party.

Whereas, in other cases, the threat actors may choose to quietly auction the customer data on darknet forums instead of leaking it, should the victim refuse to pay the ransom.

Thus far, Security Report is not aware of any ongoing negotiations taking place between Amey and Mount Locker pertaining to the ransom amount.

A “complex IT security incident”

When asked for details concerning the cyberattack, an Amey spokesperson told Security Report:

“On 16th December Amey became aware of a complex IT security incident during which a portion of our data was compromised. We have reported the incident to the Information Commissioner’s Office, the National Centre for Cyber Security, and the National Crime Agency.”

The company also states the cyber attack was spotted early on and that they are striving to minimize any disruptions caused.

“Amey has comprehensive tracking software and virus mitigation strategies meaning the incident was caught early. We have been working with world-leading cyber-security experts throughout this incident and continue to work with clients to keep any disruption to a minimum,” an Amey spokesperson told Security Report.

Although the company has promptly reported the cyber attack to relevant UK authorities including the ICO, NCSC, and NCA, it may take some time for Amey to assess the full impact of this cyber attack on their clients and partners, and for more details to be known.

This is a developing story.

Update 2-Jan-2020: Added clarification from Amey Plc that this cyber attack did not impact Amey’s Defence IT environment and Amey Defence data stored separately in that environment.

Update 3-Jan-2020: Edited that the total stolen data is about 143 GB in size according to Mount Locker, of which 50% (65 GB) has now been published on their leak site.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.