After a cyber attack: Conti and KPMG track down the hackers

For weeks there has been an alarm mood on Vahrenwalder Strasse in Hanover, where the automotive supplier Continental has its headquarters.

After hackers captured around 40 terabytes of data from the group in one attack - a volume that corresponds to around 260 million document pages - the internal investigation is in full swing.

Supervisory boards want to know how critical the information that was siphoned off is.

So far, there is still far too little clarity, says an inspector.

The committee got a first interim result last week at a special meeting.

Until the next regular meeting on December 14th, further answers should now be forthcoming.

Christian Muessgens

Business correspondent in Hamburg.

• Follow I follow

The most important and - according to everything that is known - the only clue is provided by a list that the hacker group "Lockbit 3.0" published on a blog on the dark web.

Millions of lines list files that were allegedly copied from Conti's systems, from technical sketches to correspondence with customers and personal information from employees.

In painstaking detail, specialists from the automotive supplier are now looking for the original files on their own computers and network computers.

You open each one and try to assess the danger if it falls into the wrong hands.

According to information from the FAZ, they are supported by the auditing company KPMG.

First, the hackers demanded $50 million from Conti to destroy the data.

If the company doesn't pay, it threatens to publish the information or sell it to third parties, also at a price of $50 million.

On Tuesday evening at 10:19 p.m. sharp, the attackers spoke again on their blog – and lowered the claim to $40 million.

However, Conti shows no willingness to negotiate and does not want to be blackmailed, a strategy that not everyone affected by such attacks chooses.

Many pay quietly and secretly and thus offer the hackers new incentives for their business.

The FBI is also investigating

Officially, the Dax group only announces that it is investigating the incident and is in exchange "with national and international security and data protection authorities".

"The investigation is still ongoing and is being given top priority." In Germany, the Federal Office for Information Security, the Lower Saxony State Criminal Police Office and the Economic Protection department of the Lower Saxony Office for the Protection of the Constitution were involved.

The American Federal Bureau of Investigation, or FBI for short, has become active internationally.

It has long been investigating the Lockbit gang, a network that develops and uses ransomware, also known as blackmail Trojans.

As a rule, such programs lock the systems of their victims so that they can no longer access data.

Conti initially announced in August that it had averted such an attack on its IT.

Only later did it turn out that no systems were blocked, but data was sucked off.

Since the events also affect the share price, the financial services regulator Bafin looks at the case "on a routine basis," as it informed the FAZ on request.

One checks "whether circumstances have arisen as a result of the hacker attack that represent insider information for Continental".

The question behind this is whether the management should have informed investors earlier, which Conti denies.

Effects on the asset, financial and earnings situation cannot be estimated, and it is unclear whether such consequences will occur at all, according to the group.

In this respect, no transparency obligations have been violated.

What is clear, however, is that Conti has known for some time that there is a lot to be done when it comes to IT security.

The group had already decided months ago to upgrade its security systems.

Among other things, a program from the US provider Crowdstrike should provide more protection, as reported by informed circles.

Its specialists have been making a name for themselves in the scene for years, for example when they were involved in investigating an attack on Sony Pictures by hackers from North Korea in 2015.

In the case of Conti, however, the deployment came too late.

Even before the new systems were rolled out, the Lockbit group gained access.

It is considered likely that a Conti employee thoughtlessly opened a link beforehand, thereby opening the door for the malware.

Now the case is making waves in the German economy.

Data theft of this magnitude has so far hardly been reported in this country, even if the cases of attacks are piling up like in all other countries.

Customers in the automotive industry are alarmed, such as the Volkswagen Group from Wolfsburg.

We take any weak points very seriously, also in any affected IT system areas of partners and suppliers.

"Against the background of the hacker attack on Continental AG's IT systems, we are in contact with the responsible departments at Continental."

Mercedes recently made a similar statement.

However, it is not to be expected that clarity will prevail quickly.

It could take weeks, if not months, before you have a complete picture of the possible consequences for Conti and its customers, is a common assessment at the group's headquarters in Hanover.