Supply chain software giant Blue Yonder says it is investigating claims of data theft after a ransomware gang threatened to publish troves of data stolen from the company.
Arizona-based Blue Yonder, which provides supply chain management software to thousands of organizations including DHL, Starbucks and Walgreens, was hit by a cyberattack on November 21. The company said at the time that it was a “ransomware incident” but did not say who was behind the attack.
On Friday, the “Termite” ransomware group claimed responsibility for the attack on its dark web leak site. In a post seen by TechCrunch, the gang claims to have stolen 680 gigabytes of data from Blue Yonder, including documents, reports, insurance documents and email lists, which Termite says it intends to use “for future attacks.”
In a statement given to TechCrunch, Blue Yonder spokesperson Marina Renneke said the company was “aware of who has claimed responsibility.”
“We are aware that an unauthorized third party claims to have taken certain information from our systems,” Renneke said. “We are working diligently with external cybersecurity experts to address these claims. The investigation remains ongoing.”
The Termite ransomware gang first emerged earlier this year. Security experts believe the group is a rebranding of the notorious Russia-linked Babuk ransomware group, which carried out more than 65 attacks and received $13 million in ransom payments, according to the U.S. Department of Justice.
Threat intelligence company Cyble noted similarities between the Termite and Babuk ransomware strains, and security researchers at Broadcom observed the group using a modified version of Babuk ransomware.
On its dark web leak site, where the gang lists six other victims, Termite is threatening to publish data allegedly stolen from Blue Yonder “soon.” It’s not known whether it has demanded a ransom payment from the company, and Blue Yonder declined to say when asked by TechCrunch.
Blue Yonder also declined to say how much and what types of data had been stolen but did not dispute the claims made by Termite when asked.
In an update to its cybersecurity incident page on Friday, Blue Yonder said it has “notified customers who were impacted by operational disruptions and have been working with them throughout the restoration process.”
It’s still not known how many of Blue Yonder’s 3,000-plus customers were impacted by the incident. U.K. supermarket chains Morrisons and Sainsbury’s previously confirmed to TechCrunch that they had been affected, and U.S. coffee giant Starbucks said the ransomware attack had forced managers to manually calculate employees’ pay.
