Digital security giant Entrust breached by ransomware gang


Digital security giant Entrust has confirmed that it suffered a cyberattack where threat actors breached their network and stole data from internal systems.

Entrust is a security firm focused on online trust and identity management, offering a wide range of services, including encrypted communications, secure digital payments, and ID issuance solutions.

Depending on what data was stolen, this attack could impact a large number of critical and sensitive organizations that rely on Entrust for identity management and authentication.

This includes US government agencies, such as the Department of Energy, Department of Homeland Security, the Department of the Treasury, the Department of Health & Human Services, the Department of Veterans Affairs, the Department of Agriculture, and many more.

Hackers breached Entrust’s network in June

Approximately two weeks ago, a source told BleepingComputer that Entrust was breached on June 18th and that the hackers stole corporate data during the cyberattack.

However, it wasn’t until yesterday that the breach was publicly confirmed when security researcher Dominic Alvieri tweeted a screenshot of a security notice sent to Entrust’s customers on July 6th.

“I am writing to let you know that on June 18, we learned that an unauthorized party accessed certain of our systems used for internal operations. We have been working tirelessly to remediate this situation since that moment,” reads a security notice from Entrust CEO Todd Wilkinson.

“The first thing I want to tell you is that, although our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services.”

The security notice confirms that data was stolen from Entrust’s internal systems. However, it is not known at this time if this is purely corporate data or customers’ and vendors’ as well.

“We have determined that some files were taken from our internal systems. As we continue to investigate the issue, we will contact you directly if we learn information that we believe would affect the security of the products and services we provide to your organization.” – Entrust.

Today, Entrust told BleepingComputer that they are working with a leading cybersecurity firm and law enforcement to investigate the attack but that it has not affected their operations.

“While our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate, air-gapped environments from our internal systems and are fully operational,” Entrust told BleepingComputer.

Security incident notification sent to Entrust customers
Source: Dominic Alvieri

Hit by a ransomware gang

While the security notices and Entrust’s statements to BleepingComputer did not share further details regarding the attack, BleepingComputer has learned that a well-known ransomware gang is behind the attack.

While it is unclear if devices were encrypted during the attack, ransomware gangs commonly steal data before launching their encryptors to be used in double-extortion schemes.

According to AdvIntel CEO Vitali Kremez, a ransomware operation purchased compromised Entrust credentials and used them to breach Entrust's internal network.

“The responsible group operation relied on the trusted network of network access sellers to obtain initial access to the Entrust environment which led to the subsequent encryption and exfiltration exposure via a known ransomware group,” Kremez told BleepingComputer in a conversation about the attack.

Unless Entrust pays the ransom demand, we will likely learn which ransomware operation was behind the attack when the attackers publicly release the stolen data.

When we reached out to Entrust with questions about the ransomware attack, they told us they could not share any further details about the attack.