The cybercrime group **Coinbase Cartel** targeted **NTT Data**, a Japanese IT services giant, by exploiting vulnerabilities in its US subsidiary **Vectorform** (acquired in 2022). The attack involved **large-scale data exfiltration** without encryption, leveraging exposed credentials in cloud repositories (e.g., AWS, GitHub) and potential insider assistance. While NTT Data denied a direct breach, Vectorform’s systems were compromised, with sensitive operational, client, or proprietary data stolen. Coinbase Cartel employed a **‘leak-only’ ransomware model**, threatening public disclosure to extort payment while avoiding system disruption. The stolen data—likely including logistics, supply chain, or corporate intelligence—poses **reputational, legal, and financial risks**, particularly given the transportation/logistics sector’s reliance on third-party integrations (TMS, WMS, EDI). The breach underscores vulnerabilities in **vendor access controls, credential hygiene, and segmentation**, with the group staging leaks to pressure negotiations. No encryption occurred, but the **theft of high-value data** exposes NTT Data to regulatory scrutiny, customer distrust, and potential litigation, especially if client or employee records were exposed.
Source: https://www.jdsupra.com/legalnews/new-cybercriminal-group-targeting-5249939/
TPRM report: https://www.rankiteo.com/company/nttdata
"id": "ntt0902709102325",
"linkid": "nttdata",
"type": "Cyber Attack",
"date": "6/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
                        'location': 'Japan (global operations)',
                        'name': 'NTT Data',
                        'size': 'Large enterprise',
                        'type': 'IT Services'},
                       {'industry': 'Technology',
                        'location': 'United States',
                        'name': 'Vectorform (subsidiary of NTT Data)',
                        'type': 'IT Services/Software Development'},
                       {'industry': 'Transportation and Logistics',
                        'location': 'Global',
                        'name': 'Unnamed transportation/logistics companies (multiple continents)',
                        'type': ['3PL Providers', 'Carriers', 'Brokers', 'Customs Agents']}],
 'attack_vector': ['Exploiting exposed/hard-coded credentials in cloud/source code repositories (AWS, Bitbucket, GitHub)',
                   'Insider-assisted access',
                   'Weak network segmentation',
                   'Third-party vendor compromises (e.g., TMS, WMS, EDI systems)',
                   'Staged data leaks for extortion pressure'],
 'data_breach': {'data_encryption': 'None (leak-only model)',
                 'data_exfiltration': ['Confirmed (staged leaks)', 'Mass downloads via cloud/email'],
                 'file_types_exposed': ['ZIP archives (bulk compression)', 'Emails', 'Database exports', 'Source code'],
                 'personally_identifiable_information': 'Possible (not confirmed)',
                 'sensitivity_of_data': 'High (operational integrity, supply chain data)',
                 'type_of_data_compromised': ['Operational data',
                                              'Shipment data',
                                              'Source code (potential)',
                                              'Corporate emails',
                                              'Potentially PII']},
 'date_detected': '2023-09-15',
 'date_publicly_disclosed': '2023-09-15',
 'description': "A new cybercrime group, 'Coinbase Cartel,' has emerged with a focus on data exfiltration (leak-only model) rather than traditional ransomware encryption. The group targets transportation, logistics, and adjacent sectors, exploiting exposed credentials, insider threats, and weak segmentation to steal high-value operational and shipment data. Victims are pressured through staged data leaks and extortion threats, with no disruption to operations, making detection difficult. Confirmed or claimed victims include NTT Data (potentially via subsidiary Vectorform). The group operates with a 'business-like' approach, including partnerships with insiders and staged evidence packages.",
 'impact': {'brand_reputation_impact': ['High (public extortion threats and staged leaks)',
                                        'Loss of trust in supply chain integrity'],
            'data_compromised': ['Operational data', 'Shipment data', 'High-value corporate data (potentially PII)'],
            'downtime': 'None (no encryption or operational disruption)',
            'identity_theft_risk': 'Possible (if PII is exfiltrated)',
            'legal_liabilities': ['Potential GDPR/CCPA violations if PII is exposed',
                                  'Contractual breaches with third-party vendors'],
            'operational_impact': ['Reputational risk from staged data leaks',
                                   'Legal/regulatory exposure',
                                   'Potential supply chain disruptions if vendor data is compromised'],
            'systems_affected': ['Transportation Management Systems (TMS)',
                                 'Warehouse Management Systems (WMS)',
                                 'EDI links',
                                 'Cloud repositories (AWS, Bitbucket, GitHub)',
                                 'Email systems (Microsoft 365, Google Drive)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Likely (staged leaks imply darknet monetization)',
                           'entry_point': ['Exposed credentials in cloud repositories',
                                           'Insider access (crowdsourced)',
                                           'Third-party vendor compromises (e.g., Vectorform)'],
                           'high_value_targets': ['TMS/WMS/EDI systems', 'Supply chain data', 'Corporate emails']},
 'investigation_status': 'Ongoing (group active as of latest reports)',
 'lessons_learned': ['Leak-only extortion models bypass traditional ransomware defenses (no encryption = no operational disruption but high reputational risk).',
                     'Third-party vendors (e.g., Vectorform) can serve as attack vectors for larger targets (e.g., NTT Data).',
                     'Insider threats are actively crowdsourced by groups like Coinbase Cartel.',
                     'Complex supply chains (transportation/logistics) create expansive attack surfaces.'],
 'motivation': ['Financial Gain (Extortion)', 'Reputational Damage', 'Operational Disruption (via data leaks)'],
 'post_incident_analysis': {'corrective_actions': ['Mandate MFA and least-privilege access for all systems.',
                                                   'Isolate high-value systems (TMS/WMS) from third-party networks.',
                                                   'Deploy DLP and EDR with behavioral analytics for exfiltration detection.',
                                                   'Audit cloud repositories for exposed credentials.'],
                            'root_causes': ['Poor credential management (hard-coded/exposed credentials in repositories).',
                                            'Lack of segmentation between subsidiaries (e.g., Vectorform → NTT Data).',
                                            'Insufficient monitoring for data exfiltration (no DLP/behavioral alerts).',
                                            'Over-reliance on third-party vendors with weak security postures.']},
 'ransomware': {'data_encryption': 'None',
                'data_exfiltration': 'Primary tactic',
                'ransomware_strain': 'N/A (leak-only, no encryption)'},
 'recommendations': ['Enforce least-privilege access and phishing-resistant MFA across all systems (especially TMS/WMS/EDI).',
                     'Implement DLP controls to prevent mass data exfiltration via email/cloud services.',
                     'Monitor for anomalies like bulk ZIP file creation, OAuth abuses, and mailbox forwarding rules.',
                     'Audit third-party vendor security postures and include cybersecurity clauses in contracts (e.g., breach notification requirements).',
                     'Segment networks to limit lateral movement from compromised vendors/subsidiaries.',
                     'Deploy behavioral analytics to detect subtle signs of data staging (e.g., unusual compression activities).',
                     'Conduct regular insider threat awareness training to mitigate crowdsourced collusion risks.'],
 'references': [{'source': 'Media investigation (unnamed)'},
                {'source': 'Coinbase Cartel darknet leak site'},
                {'source': 'NTT Data public statement (denial of confirmed breach)'}],
 'regulatory_compliance': {'regulations_violated': ['Potential GDPR (if EU data exposed)',
                                                    'CCPA (if California residents affected)',
                                                    'Industry-specific data protection laws']},
 'response': {'containment_measures': ['Enforce least-privilege access for TMS/WMS/EDI systems',
                                       'Disable legacy email protocols (IMAP/POP3)',
                                       'Implement phishing-resistant MFA'],
              'enhanced_monitoring': ['Behavioral analytics for anomalies', 'OAuth grant monitoring'],
              'network_segmentation': ['Recommended to limit lateral movement'],
              'remediation_measures': ['Deploy Data Loss Prevention (DLP) for Microsoft 365/Google Drive/email',
                                       'Monitor/block mass downloads via service accounts',
                                       'Configure alerts for mailbox forwarding rules and bulk compression',
                                       'Enhance EDR coverage for admin/remote hosts']},
 'threat_actor': 'Coinbase Cartel',
 'title': 'Coinbase Cartel Data Exfiltration Campaign Targeting Transportation and Logistics Sectors',
 'type': ['Data Breach', 'Extortion', 'Insider Threat'],
 'vulnerability_exploited': ['Poor credential hygiene (hard-coded/exposed credentials)',
                             'Lack of least-privilege access controls',
                             'Absence of phishing-resistant MFA',
                             'Unmonitored mass data downloads/email exfiltration',
                             'Legacy email protocols (IMAP/POP3)',
                             'Insufficient DLP and behavioral analytics']}