On 30 April 2019, Snatch hackers allegedly stole over 516 Gb of CityComp.de client information to include automotive giants BMW, MAN, and Volkswagen (including Porsche).  The stolen data may expose the companies’ IT infrastructure to further attacks.  The actors behind the breach were previously seen operating Snatch ransomware.


Figure 1. Volkswagen/Citycomp technicians in the breach data, personal contact information edited out by Wapack Labs.

Citycomp is a Germany-based firm that provides servers, storage, and other computer equipment to large companies.  Snatch hackers claim they broke into Citycomp and stole “312 570 files in 51 025 folders, over 516 Gb data.”  On 30 April 2019, after ransom negotiations with Citycorp were rejected, hackers released a number of stolen documents on their websites: citycompde[.]com and snatchvwddns6zto[.]onion.  Financial, aviation, hospitality, automotive and other industries are among the affected Citycomp clients.  Regarding the automotive industry, hackers published documents relating to BMW, MAN Truck & Bus, Volkswagen and Porsche (Figure 1, 2).


Figure 2. BMW-related datacenter mapped in the Citycomp breach data

Volkswagen was among the most affected, with at least a dozen root folders posted, related to this German automotive company (Figure 3).

Figure 3. Volkswagen-related folders in the Citycomp breach data

Hackers published stolen JPG image files and documents (PDF, Word, Excell, Power Point).  Those files included:

  • Various internal documents regarding processes, equipment and network information,
  • Personnel and supply chain information,
  • Names, emails, phone numbers (Figure 1),
  • Detailed maps for the related facilities from parking to computer location (Figure 2 and 4).

Figure 4. Volkswagen-related maps in the Citycomp breach data

It is likely that only a small portion of the stolen data was released, yet the risk of additional exposure is high.

The attackers used imboristheblade[@]protonmail[.]com for ransom notification, as seen in January 2019 during the initial Snatch ransomware outbreak.  The alias names hackers used in their ransom demands refer to the fictional character Boris "the Blade," former KGB Russian arms-dealer, from the US-based movie “Snatch.”

This breach demonstrates vulnerabilities to the automobile industry from the large corporate company, down to their distributors and dealerships.  


Prepared by:  Yury Polozov
Serial: TR-19-120-002
Report Date: 04302019
Country: DE, US
Industries: Automotive, IT, All

For questions or comments regarding this report, please contact the lab directly by at 603-606-1246, or feedback@wapacklabs.com.

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance