
Western Digital Cyber Incident Update - WHAT HAPPENED?

WD Hit By Cyber Attack. WD My Cloud Offline, WD Shop Down – What Happened?

It has now been 20 days since WD initially identified, on March 26th, that it had been hit by a massively impactful cyber security incident. Although further details on the nature of the incident, the impact in terms of data loss/theft and where they are in their investigation have not been especially forthcoming from the brand, we have learnt quite a lot from the hackers themselves (thanks to some fantastic work from the guys over at TechCrunch here). However, the data leaked from Western Digital and how much of the impacted data is consumer-based is only half the story. For 10 days, we saw the WD My Cloud remote cloud services suspended, which has been a fantastically large pain in the bum for the thousands upon thousands of WD My Cloud users who suddenly found that the NAS in their possession was a remarkably large paperweight. Access to the My Cloud services has now been restored, and during the downtime WD did direct users on how to enable local/LAN access on systems that are chiefly built around remote access being the default state (which, as a side note, makes switching this over way too complicated compared to other NAS systems – see here). But what happened? What do we know? What do the hackers in question say they got away with, and what do they want in return? Let’s go over everything we know so far.

When did the Western Digital Data Breach Take Place?

Western Digital first shared news of the breach on April 3rd 2023, detailing that the breach had occurred on Sunday, March 26th 2023. 

A Message from Western Digital via Newswire:

  • SAN JOSE, Calif.–(BUSINESS WIRE)–Western Digital Corp. (NASDAQ: WDC) today provided information regarding a network security incident involving some of its systems and the Company’s active response to this matter.

    On March 26, 2023, Western Digital identified a network security incident involving Western Digital’s systems. In connection with the ongoing incident, an unauthorized third party gained access to a number of the Company’s systems.

    Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts. This investigation is in its early stages and Western Digital is coordinating with law enforcement authorities.

    The Company is implementing proactive measures to secure its business operations including taking systems and services offline and will continue taking additional steps as appropriate. As part of its remediation efforts, Western Digital is actively working to restore impacted infrastructure and services. Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.

    While Western Digital is focused on remediating this security incident, it has caused and may continue to cause disruption to parts of the Company’s business operations.

    The Company will provide updates as appropriate.

In the time that has passed since this original official statement, several cloud/remote-based services had their access suspended (although most have been re-established as of 14th March 2023) and the WD eShop has been partially re-established, but order placement is not possible. We are still awaiting further details from Western Digital regarding the nature of the cyber incident, the impact of the data that has been accessed and to what extent this is internal vs end-user data. That said, a group claiming responsibility have since detailed over on TechCrunch that the data taken is around 10TB, showed evidence of files carrying WD’s own code-signing certificate (verified by two security researchers) and demanded a “minimum 8 figures” to prevent the stolen data being published.

This isn’t the first time a Western Digital breach has compromised customer files. Back in 2021, we saw the mass remote wiping attack on many WD My Book Live and WD My Book Live Duo NAS systems (HERE), resulting in an estimated loss of petabytes of WD end-user data. This resulted in WD providing free data recovery services, ongoing support where appropriate and changes to their policy around a trade-in program for My Book Live owners in order to reinstate services. Below is my video covering the WD My Book Live / My Book Live Duo remote hack attack in June 2021:

Was Any Data Stolen in the WD Data Breach?

When asked, WD was pretty tight-lipped on this, offering just “This investigation is in its early stages and Western Digital is coordinating with law enforcement authorities” on the 3rd April. Going further, via BusinessWire they stated that “Western Digital identified a network security incident involving Western Digital’s systems. In connection with the ongoing incident, an unauthorized third party gained access to a number of the Company’s systems.” and added: “The Company is implementing proactive measures to secure its business operations including taking systems and services offline and will continue taking additional steps as appropriate. As part of its remediation efforts, Western Digital is actively working to restore impacted infrastructure and services. Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”

However, according to Lorenzo Franceschi-Bicchierai over on TechCrunch, the perpetrators who managed to infiltrate Western Digital claim to have stolen around 10TB of data from the company, including extensive customer information. They are pushing the company to negotiate a ransom, of a “minimum 8 figures”, in exchange for not publishing the stolen data. Speaking with TechCrunch, a representative of the hackers shared a file that was digitally signed with Western Digital’s code-signing certificate, showing they could now digitally sign files to impersonate Western Digital. Two security researchers also looked at the file and agreed it is signed with the company’s certificate.
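The point above, that a file signed with the stolen certificate verifies cleanly, is exactly what makes a compromised code-signing key dangerous for anyone who installs vendor software or firmware: the signature math alone cannot tell a legitimate release from one the attackers signed. The Go program below is an added example, not code from this page, from Western Digital or from TechCrunch. It builds a throwaway CA and code-signing certificate (every name in it is constructed), signs a sample payload, and shows the defender-side difference between a verifier that only checks chain and signature, which still accepts the artifact, and one that also consults the CA's certificate revocation list, which rejects it once the vendor has revoked the exposed certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI is a constructed, throwaway PKI (self-signed CA plus one code-signing leaf).
type ToyPKI struct {
	CACert, LeafCert *x509.Certificate
	CAKey, LeafKey   *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate from tmpl, signed by signer (the parent's key), and parses it back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// NewToyPKI mints the CA and issues a leaf limited to the code-signing EKU.
func NewToyPKI() *ToyPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required by CreateRevocationList
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Code Signing (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafCert := issue(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	return &ToyPKI{CACert: caCert, LeafCert: leafCert, CAKey: caKey, LeafKey: leafKey}
}

// SignPayload signs SHA-256(payload) with the leaf key, standing in for a signed vendor artifact.
func SignPayload(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// RevokeLeaf issues a CA-signed CRL naming the leaf: the vendor's move once the key is known to be exposed.
func RevokeLeaf(p *ToyPKI) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.LeafCert.SerialNumber, RevocationTime: now}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.CAKey)
}

// VerifyPayload is the consumer-side check: chain the leaf to the trusted CA with the code-signing
// EKU, refuse it if the (authenticated) CRL lists it, and only then check the signature itself.
func VerifyPayload(caCert, leaf *x509.Certificate, crlDER, payload, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if crlDER != nil {
		crl, err := x509.ParseRevocationList(crlDER)
		if err != nil {
			return fmt.Errorf("crl: %w", err)
		}
		if err := crl.CheckSignatureFrom(caCert); err != nil {
			return fmt.Errorf("crl signature: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("signer %q revoked: signature is valid but the key is no longer trusted", leaf.Subject.CommonName)
			}
		}
	}
	if digest := sha256.Sum256(payload); !ecdsa.VerifyASN1(leaf.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return fmt.Errorf("signature does not match payload")
	}
	return nil
}

func main() {
	pki, payload := NewToyPKI(), []byte("constructed firmware image bytes")
	sig := must(SignPayload(pki.LeafKey, payload))
	fmt.Println("before revocation:", VerifyPayload(pki.CACert, pki.LeafCert, nil, payload, sig))
	fmt.Println("after revocation:", VerifyPayload(pki.CACert, pki.LeafCert, must(RevokeLeaf(pki)), payload, sig))
}
```

The first call to VerifyPayload passes no CRL and returns nil even though, in the scenario the page describes, the key may already be in someone else's hands; only the second call, which fetches and authenticates the CA's revocation list, rejects the artifact. On a real platform the CRL or OCSP lookup is done by the OS or package manager, which is why a vendor revoking a leaked certificate promptly, and consumers keeping revocation checking switched on, is the practical mitigation for this class of incident.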

The hackers also shared phone numbers allegedly belonging to several company executives. TechCrunch called the numbers. Most of the calls rang but went to automated voicemail messages. Two of the phone numbers had voicemail greetings that mentioned the names of the executives that the hackers claimed were associated with the numbers. The two phone numbers are not public. Screenshots shared by the hacker show a folder from a Box account apparently belonging to Western Digital, an internal email, files stored in a PrivateArk instance (a cybersecurity product) and a screenshot of a group call where one of the participants is identified as Western Digital’s chief information security officer. They also said they were able to steal data from the company’s SAP Backoffice, a back-end interface that helps companies manage e-commerce data.

Again, rather than just continue to repeat their coverage, I cannot recommend enough that you read the original TechCrunch Article by clicking below. It’s a real eye-opener!

If Western Digital doesn’t get back to them, the group have stated that they are ready to start publishing the stolen data on the website of the ransomware gang, Alphv. The hacker said they are not directly affiliated with Alphv but “I know them to be professional.”

What Has This Attack Got To Do With WD My Cloud?

On April 2nd 2023, WD suspended access to several of its services, stating that it was attempting to ensure secure access long-term, but also to assess the severity of the data accessed and investigate the threat actor’s methodology. This was (lightly) indicated on the official My Cloud status pages, which showed that the cloud, proxy, web, authentication, email and push notification services were taken down, although Western Digital could not specify which specific services were affected or directly culpable in the original cyber incident. WD went on to detail that the key devices in their range that would be affected by the suspension of these cloud services were the WD My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi and SanDisk Ixpand Wireless systems. It needs to be reiterated that it was NOT the cyber attackers that ‘took down’ the cloud services: Western Digital itself took its My Cloud consumer cloud and backup service offline while it further investigated internally, as a matter of long-term security following the data breach of the company’s systems, and it remained down for 10 days.

From the WD My Cloud Status Page:

  • Service Outage – HERE

    07 Apr 2023

    Product Owners of My Cloud Home, My Cloud Home Duo, and SanDisk ibi,

    We are currently experiencing a service interruption that is preventing file access and use of the applications provided for your product, including the mobile, desktop, and web apps. During this service interruption, you may now access files stored locally on your device using a feature called Local Access.

    The Local Access feature allows you to directly access your personal files from a Windows or MacOS computer that is connected to the same network as your device. To enable Local Access, use your favorite browser and connect to your device’s Dashboard. Then enable the Local Access feature and create a new Local Access account. For more detailed instructions and walk-thru video, visit this knowledge base article.

    For the My Cloud OS5 (My Cloud PR series and EX series) products, local access is already enabled and functional.

    We continue to make every effort to restore all services as quickly as possible and will provide updates as we have them. We apologize for any inconvenience and appreciate the patience of our user community as we continue our urgent efforts to restore all services.

To enable local-only access, follow this guide HERE. Alternatively, you can use the official WD video below to guide you through the process:

Owners being able to enable local access from any Windows or macOS computer connected to the same network as their WD My Cloud is better than nothing, but for the many users who have been using their NAS ‘out of the box’ with cloud access as standard, this might be something of an abrupt change. Users need to create a specific Local Access account and configure cloud-free access in a much more convoluted way than I have seen on Synology and QNAP systems. On the face of it, these recent changes to WD My Cloud remote access are sensible precautionary measures in response to this cyber security incident, aimed at further preventing unauthorized parties from accessing data on the company’s systems. Nevertheless, there is no denying that existing My Cloud users have grown particularly loud in their criticism of WD, as their data remains in an (at best) difficult-to-access state.

Are WD My Cloud Services Back Online?

Yes, as of 12th April 2023, WD My Cloud Access has since been restored (see tweet below):

Likewise, the service status pages from the WD official pages have since been updated:

From the WD My Cloud Status Page:

  • Service Outage – HERE

    12 Apr 2023

    Services are back online and fully operational.

While that has now been restored, Western Digital’s global store has had something of a bumpy road too. For a while, it did not allow any kind of access, showing a familiar ‘down for maintenance’ style message when visited. This has improved now, but is not resolved. WD still remains very tight-lipped on the event, but hopefully we will get some more meaningful post-analysis of this incident later. The big, BIG question, of course, surrounds the details of the leaked data. I do NOT think the data is lost (WD likely has 10 kinds of backup running at any time!) but it would seem that data has certainly been accessed and taken. As of 14th April, the WD Shop, although up and running, does not allow any kind of order fulfilment/purchasing, pushing orders through to recommended resellers in all regions. This is not unusual (especially when stock of a particular SKU/model is not in WD central stock), but to have this across the entire eStore is disconcerting to say the least!

Were you impacted by the recent WD My Cloud Service outage? Or are you STILL being impacted by it? Please share your thoughts and input in the comments below. Have a great weekend, and Backup, Backup, BACKUP!

If this incident has been the tipping point for you to make a move away from the WD My Cloud NAS platform, or you already have an older generation WD My Cloud system that is no longer supported in security and/or feature updates in the latest WD OS versions, you can use this article HERE to choose an appropriate Synology or QNAP NAS. Alternatively, you can watch the video below:
