Who are the HIVE group that hacked Altice (SFR)?

The Altice Group, parent company of SFR, has been added to the list of “ransomware” victims. Tens of thousands of documents relating to the group’s numerous subsidiaries are currently being made public by cybercriminals.

At the origin of this cyberattack, the Hive group, already known to have attacked hundreds of organizations since June 2021, including health institutions, energy providers, but also non-profit organizations. Attacks of such magnitude that the FBI has issued an alert about them.

The HIVE group: Who are they?

The Hive group is a group of hackers who operate by “ransomware” attacks.

Hive was first discovered in June 2021. It is distributed in a Ransomware-as-a-service (RaaS) model that allows attackers who do not wish to develop the malicious tool, to use it as they wish, in exchange for a sum of money (usually in the form of a subscription or direct purchase) paid to its developer. This is a real affiliate program using various initial compromise methods.

Known for using double extortion, but also increasingly sophisticated hacking methods unlike any other cybercriminal, most of the group’s modus operandi remains opaque to everyone.

The sectors most targeted by Hive, in order, are energy, health, finance, media and education. Operating for just over a year, this group is currently focusing on organizations located in North America, Europe and the Middle East, surpassing groups such as ALPHHV and KARAKURT in terms of the number of attacks carried out since the beginning of 2022.

Long before the use of Hive, attackers used several mechanisms to get into their victim’s network. They usually resorted to phishing emails, or exploiting vulnerabilities in the victim’s exposed assets (referring to CVEs). Once inside, Hive would then infect the network laterally.

This type of attack remains one of the most dangerous due to its undetectable nature. In this sense, the prevention of incidents is the best weapon for an organization wishing to avoid them with the adoption of a SOC.

What happened at Altice’s that night?

The hackers published a message on their site claiming responsibility for the attack, which indicates that the data was stolen on August 9 at 10:36 pm, the point of entry having probably been a phishing email accompanied by a malicious charge, intended for the administrative department. A ransomware attempt was then made by the group, without success.

So the threat was carried out, as the recovered data was made public on August 25 on the HiveLeaks website, exposing thousands of files, a heterogeneous mix of data ranging from 2018 to 2022.

For their part, the hackers claim to have disclosed only 25% of all stolen data, information that cannot be verified. The accessible database seems to be quite large since not all of the revealed information has been verified yet.

Even if the Altice group admits to have been affected, telling Clubic.com that “the perimeter of Altice France and SFR are not affected”, the CEO Patrick Drahi has not officially communicated on the subject. The most affected holding of the group would be Altice International, whose servers are all based in Luxembourg.

A disturbing silence that leaves doubt about the scope of the attack, its content and its operational characteristics.

For sure, data is currently available for download on the Dark Net, data of public and private interest disclosing financial information about the group, but also touching the private life of Mr. Drahi, and his family life.

What is the threat of this kind of attack?

In recent years, ransomware attacks have continued to grow. The RaaS model based on the principle of SaaS (Software as a Service) simplifies the implementation of the most sophisticated attacks even for the least experienced hackers. A trap into which the French company Damart fell very recently, with a ransom demand of almost 2 million euros.

Hive is now known as one of the biggest ransomware threats in the healthcare sector, following the Memorial Health System attacks as well as the Missouri Delta Medical Center attack.

In spite of the perpetual evolution of these attacks, the means to prevent them have also evolved in order to reduce their impact (which can be dramatic) on the reputation of a company.

Organizations now have the power to prevent such attacks by making cybersecurity a top priority.

Human error is responsible for 82% of data breaches worldwide, an alarming fact that should lead companies to create a real synergy between the creation of security policies, the prevention of social engineering and the implementation of powerful automated tools to identify any threats or leaks.