Data from Japanese tech giant Fujitsu is being sold on the dark web by a group called Marketo. Still, the company said the information "appears related to customers" and not their own systems.
On August 26, Marketo wrote that it had 4GB of stolen data and was selling it on its leak site. They provided samples of the data and claimed they had confidential customer information, company data, budget data, reports and other company documents, including project information.
Initially, the group's leak site said it had 280 bids on the data, but now, the leak site shows 70 bids for the data, including one bid today.
A Fujitsu spokesperson downplayed the incident and told ZDNet that there was no indication it was connected to a situation in May when hackers stole data from Japanese government entities through Fujitsu's ProjectWEB platform.
"We are aware that information has been uploaded to dark web auction site 'Marketo' that purports to have been obtained from our site. Details of the source of this information, including whether it comes from our systems or environment, are unknown," a Fujitsu spokesperson told ZDNet.
"Because this includes information that appears related to customers, we will refrain from commenting on the details. I assume that you may recall the last event of ProjectWEB in May, but there is no indication that this includes information leaked from ProjectWEB, and we believe that this matter is unrelated."
Cybersecurity experts like Cato Networks senior director of security strategy Etay Maor questioned the number of bids on the data, noting that the Marketo group controls the website and could easily change the number as a way to put pressure on buyers.
But Ivan Righi, a cyber threat intelligence analyst with Digital Shadows, said Marketo is known to be a reputable source.
Righi said the legitimacy of the data stolen cannot be confirmed but noted that previous data leakages by the group had been proven to be genuine.
"Therefore, it is likely that the data exposed on their website is legitimate. At the time of writing, Marketo has only exposed a 24.5MB 'evidence package,' which contained some data relating to another Japanese company called Toray Industries. The group also provided three screenshots of spreadsheets allegedly stolen in the attack," Righi said.
He explained that while Marketo is not a ransomware group, it operates similarly to ransomware threat actors.
"The group infiltrates companies, steals their data, and then threatens to expose that data if a ransom payment is not made. If a company does not respond to the threat actor's ransom demand, they are eventually posted on the Marketo data leak site," Righi told ZDNet.
"Once a company is posted on the Marketo site, an evidence package is usually provided with some data stolen from the attack. The group will then continue to threaten the companies and expose data periodically if the ransom is not paid. While the group does have an auction section on their website, not all victims are available in this section, and Fujitsu has not been put up for auction publicly at the time of writing. It is unknown where the 70 bids purportedly came from, but it is possible that these bids may originate from closed auctions."
Digital Shadows wrote a report about the group in July, noting that it was created in April 2021 and often markets its stolen data through a Twitter profile by the name of @Mannus Gott.
The account has taunted Fujitsu in recent days, writing on Sunday, "Oh, the sweet, sweet irony. One of the largest IT services providers couldn't find themselves adequate protection."
The gang has repeatedly claimed it is not a ransomware group and instead serves as an "informational marketplace." They contacted multiple news outlets in May to tout their work.
"The marketplace itself operates in a similar fashion to other data leak sites with some unique features. Interestingly the group includes an 'Attacking' section naming organizations that are in the progress of being attacked. The marketplace allows for user registration and provides a contact section for the victim and press inquiries," Digital Shadows Photon Research Team wrote.
"Victims are provided a link to a separate chat to conduct negotiations. Within the individual posts, Marketo provides a summary of the organization, screenshots of seemingly compromised data, and a link to an 'evidence pack' otherwise known as proof. They auction sensitive data in the form of a silent auction through a blind bidding system where users make bids based on what they think the data is worth."
In the past, the group has gone so far as to send samples of stolen data to a company's competitors, clients and partners as a way to shame victims into paying to get their data back.
The group has recently listed dozens of companies on their leak site, including Puma, and generally leaks one each week, mostly selling data from organizations in the US and Europe. At least seven industrial goods and services companies have been hit alongside organizations in the healthcare and technology sectors.
Brett Callow, a ransomware expert and threat analyst at Emsisoft, told ZDNet that it is unclear how Marketo obtains the data it offers but said there is some indication the data is often related to ransomware attacks.
"While they've attempted to distance themselves from ransomware gangs, it appears that at least some of the data was obtained in ransomware attacks. Whether they know those lots have been scraped from other sites or whether they've been duped isn't clear. They could be attempting to scam buyers, or they could've been scammed themselves. It's impossible to say," Callow said.
"The bottom line is that Marketo's claims should not be believed. In fact, the default assumption should be that every one of their claims is false: the amount of data they obtained, where that data comes from and the nature of it. These people are, after all, criminal scumbags, which is not a section of society that's noted for its truthfulness."
He noted that some of the victims on Marketo's leak site were recently hit by ransomware attacks, including X-Fab, which the Maze ransomware group hit in July 2020, and Luxottica, which was hit by Nefilim ransomware in September.