Skip links

Copy that? Xerox confirms ‘security incident’ at subsidiary

Xerox has officially confirmed that a cyber baddie broke into the systems of its US subsidiary – a week after INC Ransom claimed to have exfiltrated data from the copier and print giant.

INC Ransom previously said it attacked the org on 29 December, posting “Xerox Corp” to its online leak blog and uploading what it claimed to be an assortment of stolen confidential files, including financial documents and emails.

Xerox Business Solutions (XBS), a subsidiary of Xerox, offers a range of products and services, from managed IT and print services, to robotic process automation (RPA) solutions, and more.

Xerox doesn’t detail XBS’s financials in its annual or quarterly reports, but the company (formerly called Global Imaging Systems) exceeded $1 billion in revenue prior to being acquired by Xerox in 2007.

It’s still undetermined whether ransomware was deployed in the attack, or if the attackers followed the more recent trend of pursuing extortion-only assaults.

Xerox said the “security incident” was isolated to XBS in the US and has since been contained.

“We are actively working with third-party cybersecurity experts to conduct a thorough investigation into this incident and are taking necessary steps to further secure the XBS IT environment,” Xerox’s statement read. “The incident had no impact on Xerox’s corporate systems, operations, or data, and no effect on XBS operations.”

It went on to say that a preliminary investigation indicated that “limited personal information” may have been compromised during the attack, a claim researchers have suggested is more of a certainty than a possibility.

“As per our policy and standard operating procedure, we will notify all affected individuals as required,” the statement added. “The data privacy and protection of our clients, partners, and employees are our highest priority.”

At the time of writing, INC Ransom had removed the post relating to the attack on XBS, including the leaked documents allegedly belonging to the subsidiary.

Posting the details of a victim online is a hallmark of a double extortion cybercrime model – a scare tactic to expedite negotiations of a ransom payment.

The removal of the post could suggest a number of things, but chief among them is that Xerox has re-engaged with INC Ransom over ransom negotiations. A feasible scenario is that Xerox has agreed to re-enter ransom talks in exchange for the stolen data to be taken offline.

If this is the case, Xerox will likely be trying to buy time to recover the files itself rather than having to rely on paying for a decryptor from the cybercrims.

Xerox was allegedly hit by ransomware in 2020 when an attack was claimed by the Maze gang, shortly before it shut down later that year. 

At the time, Maze claimed to have broken in and stolen more than 100GB worth of the company’s data, at a time when Xerox was also caught up in a mass hijacking of major corporations’ subdomains.

The INC Ransom gang is a relative newbie to the threat landscape, first emerging in July 2023, according to SentinelOne. 

The cybersecurity vendor’s experts say the group targets victims indiscriminately, and it has no issues singling out the healthcare industry or educational institutions, as many ransomware gangs also have done throughout the past few years.

Its affiliates are known to demonstrate a range of techniques to achieve initial access to victims’ networks, including the use of spear-phishing emails and critical vulnerabilities in devices such as Citrix NetScalers (CVE-2023-3519, not CitrixBleed). ®