Blue Yonder investigating claims of data theft after ransomware gang claimed credit for cyberattack
Supply chain giant Blue Yonder says it is investigating allegations of data theft after a ransomware gang threatened to publish a trove of data stolen from the company.
Arizona-based Blue Yonder, which provides supply chain management software to thousands of organizations including DHL, Starbucks and Walgreens, was hit by a cyberattack on November 21. The company said at the time it was a “ransomware incident” but did not specify who was behind the attack.
On Friday, the “Termite” ransomware group claimed responsibility for the attack on its dark web leak site. In a post seen by TechCrunch, the gang claims to have stolen 680 gigabytes of Blue Yonder data, including documents, reports, insurance documents and an email list, which Termite says it intends to use for “future attacks.”
In a statement provided to TechCrunch, Blue Yonder spokeswoman Marina Renneke said the company “knows who is claiming responsibility.”
“We know that an unauthorized third party claims to have taken some information from our systems,” said Renneke. “We are working diligently with external cybersecurity experts to address these claims. The investigation is ongoing.”
The Termite ransomware gang first emerged earlier this year. Security experts believe the group is a rebranding of the infamous Russia-linked Babuk ransomware group, which has carried out more than 65 attacks and received $13 million in ransom payments, according to the US Department of Justice.
Threat intelligence firm Cyble noted similarities between the Termite and Babuk ransomware strains, and security researchers at Broadcom spotted the group using a modified version of the Babuk ransomware.
On its dark web leak site, where the gang lists six more victims, Termite threatens to publish information allegedly stolen from Blue Yonder “soon.” It is not known whether it has demanded a ransom payment from the company, and Blue Yonder declined to say when contacted by TechCrunch.
Blue Yonder also declined to say how much and what types of data were stolen but did not dispute the claims made by Termite when asked.
In an analysis posted on its cybersecurity incident page on Friday, Blue Yonder said it “notified the customers affected by the operational disruption and was working with them during the recovery process.”
It is still unknown how many of Blue Yonder’s 3,000-plus customers were affected by the incident. UK supermarkets Morrisons and Sainsbury’s previously confirmed to TechCrunch that they had been affected, while US coffee giant Starbucks said a ransomware attack forced managers to manually calculate staff wages.