UK’s prominent infrastructure management company Amey has been hit by the Mount Locker ransomware group in what the company has called a “complex” cyber attack.
Amey was hit by a cyber attack in December, it has emerged.
Amey Plc, the British giant providing infrastructure support services to both regulated and public sectors has suffered a ransomware attack since mid-December 2020.
The group behind this data breach is Mount Locker, which has been known to demand multi-million dollar ransom payments from its victims in the past.
According to the Reports website, which first published details of the incident, the company was targeted by hackers using ransomware in mid-December. They started posting documents including correspondence the firm had with government departments online just after Christmas.
A subsidiary of Spanish multinational Ferrovial, Amey is one of the largest British firms serving public and regulated sectors, such as defense, railways, and power some of which constitute the UK’s critical infrastructure.
The $2 billion company employs over 19,000 people and is heavily involved in areas of civil engineering, transportation, aerial surveillance (i.e. via unmanned vehicles), defense, power, and waste management.
As of 2019, Amey operates the London Docklands Light Railway (DLR) line and Manchester Metrolink trams. In collaboration with Keolis, Amey also operates Transport for Wales Rail Services.
Ransomware op leaks confidential documents
Around December 16th, 2020, the Mount Locker ransomware group breached Amey’s computer systems.
As observed on December 26th, the group started publishing Amey’s proprietary data in parts on their leak site.
The leaked documents present in the dump include contracts, financial documents including bank statements and loan records, confidential partnership agreements, NDAs, correspondence between Amey and UK government departments and councils, scans of passports, driving licenses, and identity documents of company employees and directors, financial reports, employment records (new hire offers and resignation letters), technical blueprints (of Manchester Metrolink railways, for example), meeting minutes, etc.
Leaked data dump contains identity documents of Directors and employees Exposed data mention Amey’s subsidiaries
It is worth mentioning a fair number of documents and contracts present in the dump mention Amey Defence Services Ltd as one of the contracting parties.
Formerly known as CarillionAmey (Housing Prime) Ltd,Amey Defence Services is the private arm of Amey that provides infrastructure management and support services to military establishments including the British Armed Forces.
However, Amey has clarified in an email that this incident did not impact Amey’s Defence IT environment and that Amey Defence data is stored separately in the Defence IT Environment.
Likewise, some agreements were made between third-parties and Amey’s civil engineering consultancy Amey Ow Ltd that serves clients in the fields of aviation, central government, defense, education, local government, and rail and highway.
Other Amey company documents present in the leaked data set concern smaller subsidiaries such as Amey Utility Services Ltd which provides services to the British water and power sector.
At the time of our initial reporting, less than 5% of the data had been leaked in a compressed archive of 416 MB by the ransomware group.
According to the threat actors, as of January 3, 2020, the size of the entire stolen data set is 143 GB, of which about half (65 GB) has now been published on the leak site.
Ransomware ops leak 50% (65 GB) of the total 143 GB of data
Ransomware operators typically start leaking data in parts when they fail to negotiate a ransom amount with the victims during the early stages of a cyberattack. This is yet another tactic employed by the threat actors in extorting money from the affected party.
Whereas, in other cases, the threat actors may choose to quietly auction the customer data on darknet forums instead of leaking it, should the victim refuse to pay the ransom.
Thus far, We are not aware of any ongoing negotiations taking place between Amey and Mount Locker pertaining to the ransom amount.
An “IT security incident”
When asked for details concerning the cyberattack, an Amey spokesperson told:
“On 16th December Amey became aware of a complex IT security incident during which a portion of our data was compromised.
Security Report has reported the incident to the Information Commissioner’s Office, the National Centre for Cyber Security, and the National Crime Agency.”
The company also states the cyber attack was spotted early on and that they are striving to minimize any disruptions caused.
“Amey has comprehensive tracking software and virus mitigation strategies meaning the incident was caught early.
We have been working with world-leading cyber-security experts throughout this incident and continue to work with clients to keep any disruption to a minimum,” an Amey spokesperson told.
Although the company has promptly reported the cyber attack to relevant UK authorities including the ICO, NCSC, and NCA, it may take some time for Amey to assess the full impact of this cyber attack on their clients and partners, and for more details to be known.