Exclusive: British royals are victims of alleged data breach


A ransomware gang claimed overnight to have compromised the personal data of several members of Britain’s royal family.

The Snatch gang made an initial announcement on one of its clear-web sites on April 10, and the post was updated on April 15 and again on April 16.

The post lists the names of 25 members of the royal family, including King Charles III, Queen Camilla and the Prince and Princess of Wales, and includes a link to a small 32 KB file called Royals.zip.

The clear web post also includes a link to the group’s Telegram channel, where it has more to say.

“And today we are pleased to represent the 25 people from the royal family who were kidnapped in our project. So those who are too lazy to read can download all the data in one file,” a Snatch spokesperson posted on April 15.

The Telegram post links to the gang’s news site and the .ZIP file.

As for the files themselves, they appear to be dossiers of personal information compiled by Snatch on each of the 25 royals listed on the group’s site. Each of the 25 text files contains a brief biography of the person in question, followed by email addresses, passwords (some in plaintext, some apparently hashed) and lists of people connected to the royal concerned.

The King Charles III text file, for example, has the email details of a former royal household web development intern and a personal assistant to HRH Princess Beatrice and Princess Eugenie of York, among dozens of others.

Much of the information appears to be publicly available already in some form, such as Instagram pages and YouTube channels, but other details look like nicknames or usernames, most likely lifted from earlier data leaks and aggregated breach dumps.

In some cases, Snatch has even added its own running commentary to the data. Included in an apparent list of passwords associated with King Charles is this line:

“Bensonsasha (Hmm, Sasha Benson is the CEO and founder of Benson Esthetics. How are they connected?)”

Benson Esthetics is a beauty and wellness company operating out of Bermuda.

Some postal addresses, as well as geolocation details, are included in the data.

Looking further back into the group’s Telegram history, it had been sharing this data in individual posts throughout March, while also offering security tips and debunking articles written about it. The group has also published salacious details about people associated with other world leaders, including French President Emmanuel Macron.

For its part, the Royal Household is aware of the claim and the UK’s National Cyber Security Centre (NCSC) has been in contact, but the Royal Household has not reported any compromise.

However, looking more closely at the threat actor, working out who Snatch is (and who it isn’t) and what motivates it remains something of a mystery.

What motivates Snatch?

Like many similar threat actors, Snatch considers itself a force for good and provides cybersecurity services and advice to its victims.

However, while its roots are firmly in ransomware, Snatch released a new manifesto in January 2024 stating that it was moving closer to a hacktivist operating model than that of a traditional ransomware gang.

“Business and power are united and go hand in hand. And each leak has its own name and face, both on the part of the company that allowed it and on the part of the authorities that cover this business,” Snatch published on January 26.

“That is why from now on each of our publications will be accompanied by personal data of presidents (business owners) and personal data of representatives of authorities assigned to this region. If the authorities don’t care about the personal data of ordinary citizens, they don’t care about their own data breach either. Therefore, from now on all publications will follow a new formula: the face of the company, the face of the representative of the authority that covers the company.

“De jure, any government official has the same rights and freedoms as ordinary citizens, so if a company voluntarily leaks the data of its customers and partners to the network, the government official responsible for legislation in this area should also be filtered. We do not hope to change the world or the government’s attitude to what is happening, but we want you to know the face of those responsible for your cyber genocide.”

The group also appears to be applying this new manifesto retroactively.

Snatch targeted UK food supplier Daylesford Organics in November 2021, a breach that exposed the details of several royals along with other UK celebrities, and released gigabytes of the stolen data in 2022. That leak page was recently updated: a list of “persons responsible for the data leak” was added to the data dump on April 5, 2024.

Who is Snatch?

Snatch’s origins date back to 2018, when it was formed by a hacker with ties to the original GandCrab ransomware gang, whose members would eventually form the infamous REvil ransomware group. That hacker, known as Truniger, recruited for Snatch on a series of Russian-language hacking forums throughout that year.

A report from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, published in September 2023, detailed the gang’s operations at the time.

“Snatch threat actors have been observed purchasing data previously stolen from other ransomware variants in an attempt to further exploit victims into paying a ransom and prevent their data from being published on the Snatch extortion blog,” CISA said in its alert. The group had also been seen deploying its own malware.

“Before deploying the ransomware, Snatch threat actors were observed spending up to three months on the victim’s system. Within this time period, the Snatch threat actors exploited the victim’s network by moving laterally through the victim’s network with RDP for the largest possible deployment of ransomware and searching for files and folders for data exfiltration followed by file encryption.”
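The lateral-movement pattern CISA describes above (one account opening RDP sessions to host after host during a long dwell period) leaves a simple trace in Windows Security logs: Event ID 4624 logons with LogonType 10 (RemoteInteractive), fanning out from one source address to many computers. The following is an added detection example written for this article, not code from the original page, CISA or Snatch. It assumes 4624 events exported as JSON lines with the standard EventData field names (TargetUserName, LogonType, IpAddress) plus the logging host as Computer; the hosts, accounts, addresses and timestamps in the sample are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security 4624 (successful logon) events exported
# as JSON lines. Field names mirror the 4624 EventData plus the logging host;
# every host, user, address and timestamp here is invented for this example.
SAMPLE_LOG = """\
{"ts":"2024-03-02T01:12:04","EventID":4624,"LogonType":10,"TargetUserName":"svc-backup","IpAddress":"10.20.5.17","Computer":"FS01"}
{"ts":"2024-03-02T01:15:51","EventID":4624,"LogonType":10,"TargetUserName":"svc-backup","IpAddress":"10.20.5.17","Computer":"FS02"}
{"ts":"2024-03-02T01:21:09","EventID":4624,"LogonType":10,"TargetUserName":"svc-backup","IpAddress":"10.20.5.17","Computer":"SQL01"}
{"ts":"2024-03-02T01:33:40","EventID":4624,"LogonType":10,"TargetUserName":"svc-backup","IpAddress":"10.20.5.17","Computer":"DC01"}
{"ts":"2024-03-02T02:02:13","EventID":4624,"LogonType":3,"TargetUserName":"svc-backup","IpAddress":"10.20.5.17","Computer":"FS03"}
{"ts":"2024-03-02T09:00:02","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.20.9.41","Computer":"WKS-JSMITH"}
{"ts":"2024-03-02T13:30:55","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.20.9.41","Computer":"WKS-JSMITH"}
{"ts":"2024-03-03T08:10:00","EventID":4624,"LogonType":10,"TargetUserName":"admin-ops","IpAddress":"10.20.1.5","Computer":"FS01"}
{"ts":"2024-03-03T16:45:00","EventID":4624,"LogonType":10,"TargetUserName":"admin-ops","IpAddress":"10.20.1.5","Computer":"FS02"}
"""

RDP_LOGON_TYPE = 10  # RemoteInteractive: interactive logon over RDP


def parse_events(text):
    """Parse JSON-lines log export into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def rdp_fanout(events, window=timedelta(hours=1), min_hosts=3):
    """Flag (user, source IP) pairs that opened RDP sessions to at least
    min_hosts distinct computers within any interval of length `window`.

    Returns {(user, ip): {"hosts": [...], "first": datetime, "last": datetime}}.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE:
            by_actor[(e["TargetUserName"], e["IpAddress"])].append(e)

    alerts = {}
    for actor, logons in by_actor.items():
        logons.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(logons):
            # Slide the window start forward until it fits within `window`.
            while e["ts"] - logons[start]["ts"] > window:
                start += 1
            hosts = {x["Computer"] for x in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                hit = alerts.get(actor)
                if hit is None:
                    alerts[actor] = {"hosts": set(hosts),
                                     "first": logons[start]["ts"],
                                     "last": e["ts"]}
                else:
                    hit["hosts"] |= hosts
                    hit["last"] = e["ts"]

    # Sorted host lists make the output stable and easy to diff between runs.
    return {a: {"hosts": sorted(v["hosts"]), "first": v["first"], "last": v["last"]}
            for a, v in alerts.items()}


if __name__ == "__main__":
    for (user, ip), hit in rdp_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"RDP fan-out: {user} from {ip} -> {hit['hosts']} "
              f"between {hit['first']} and {hit['last']}")
```

On the constructed sample only svc-backup fires: four RDP logons to four different servers inside 22 minutes, while the type 3 network logon is ignored, jsmith repeatedly hits one workstation, and admin-ops touches two hosts eight hours apart. The thresholds are starting points, not truth: jump hosts and help-desk accounts legitimately fan out, so baseline per account and pair the rule with source-subnet expectations (RDP into servers from a workstation VLAN is the interesting case). Given the three-month dwell time CISA reports, run this over long retention rather than a day of logs.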

However, the same report goes on to note that the current operators of the Snatch infrastructure, who call themselves Snatch Team, may not be the same group that had been running the ransomware operation.

“Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for exfiltrated or stolen data from victim companies on Clearnet and TOR hosted on a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview stating that the blog was not associated with Snatch ransomware and that ‘none of our targets have been attacked by Snatch Ransomware…’, despite the fact that data from multiple confirmed Snatch victims appears on the blog along with victims associated with other ransomware groups, notably Nokoyawa and Conti.”

Cybersecurity expert Brian Krebs isn’t so sure those “individuals” were telling the truth.

“…so far, the Snatch team has not been able to explain why it uses the same domain names used by the Snatch ransomware group,” Krebs wrote in a blog post in September 2023, just over two weeks after CISA and the FBI released their report on the gang.

“Their claim is even more incredible because members of the Snatch team told Databreaches.net that they didn’t even know a ransomware group with that name already existed when they initially formed just two years ago.

“This is difficult to accept because even if they were a separate group, they would still need to somehow coordinate the transfer of the ransomware group’s domains on the light and dark web. If they were hoping for a new beginning or a breakup, why not just choose a new name and a new web destination?”

Krebs’ analysis of the situation is convincing: the group is simply trying to distance itself from its founders, whose operational security has proven rather poor, and to appear more benign than its competitors.

“Perhaps Snatch Team does not want to partner with Snatch Ransomware because they currently believe that stealing data and then extorting money from victim companies is somehow less evil than infecting all of the victim’s servers and backups with ransomware,” Krebs said.

“It’s also likely that Snatch Team is well aware of how poorly some of its founders covered their tracks online, and they hope to pick up the pieces on that front.”

That said, the group makes no mention of its .onion leak site on its Telegram channel at all; instead, it said it would post its data breaches on its clear-web news site.

For now, Snatch continues to steal and publish large amounts of personal and private company data, while attempting to cover its crimes with a fig leaf of apparent hacktivism.

UPDATE: 04/17/24: Added details from NCSC.
