A ransomware gang known as Qilin has come forward to claim responsibility for breaking into the IT systems of UK-based publisher and social enterprise the Big Issue Group and stealing confidential data.
According to screengrabs of the gang’s dark web leak site seen by Computer Weekly, Qilin claims to have stolen 550GB of the Big Issue Group’s data, including personnel information, contracts and partner data, financial statements and investment information..
A number of additional screenshots posted to prove the veracity of its claims appear to comprise personal addresses and employee details including passport scans, payroll information, and a recent letter approving a pay rise for a senior executive.
Qilin’s posting, which seems to have been made on Sunday 23 March, did not set a deadline or demand a specific ransom, although it did accuse its victim of wanting to “hide the fact of hacking and leakage of personal data”.
Paul Cheal, group CEO of the Big Issue Group confirmed the organisation had experienced a cyber security incident in the past week.
“On becoming aware of this, we took immediate steps to restrict access to our systems, working with external IT security experts, and the investigation into the incident is ongoing. Thanks to the proactive steps taken, we have been able to begin restoring our systems and are operating with limited disruption. The publication and distribution of the Big Issue magazine is not impacted by this incident,” said Cheal.
Cheal additionally confirmed that as part of the investigation, the group has identified that some data related to the organisation has been posted to the dark web by the attackers. The Big Issue Group is now working alongside external IT experts, as well as the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and the Metropolitan Police, and has notified the relevant regulatory authorities.
“[We] would like to thank our staff, partners, and suppliers for their patience whilst our investigation continues,” said Cheal. “This is a criminal act against our social activities and the causes we work to promote.
“We exist to support those living at the sharp end of poverty, who are facing barriers to opportunity. Critically our staff are continuing to support our vendors to earn a living by selling the Big Issue magazine, whilst also providing frontline support for vendors with access to advice and services, alongside making social impact lending available to social enterprises and other organisations we work with, ensuring we continue to deliver against our mission to change lives through enterprise.”
The Big Issue was set up in 1991 as a street newspaper sold by homeless people in London, offering them a chance to earn a legitimate income as a first step to put their lives back together.
The brainchild of entrepreneur, campaigner and life peer John Bird, who experienced homelessness as a young man in the 1960s, and business partner Gordon Roddick, husband of Body Shop founder Anita Roddick, The Big Issue has since expanded into one of the UK’s foremost social enterprises advocating for homeless people, and those at risk of becoming homeless.
In addition to publishing a weekly magazine focusing on campaigning and political journalism, it also runs a charitable foundation and an investment arm that supports other charities and NGOs.
Who is Qilin?
A lesser-known ransomware operation for now, Qilin (also known as Agenda) first emerged in 2022, but is becoming more prominent in the wake of recent disruptions experienced by other crews such as LockBit and ALPHV/BlackCat, which have cleared space for other actors to gain attention.
Rebecca Moody, head of data research at Comparitech, said: “In 2023, Qilin was responsible for eight confirmed ransomware attacks across the world, including its attack on Australia’s Court Services Victoria. This year, Qilin appears to have upped the number of claims it has made. According to our data, Qilin has claimed 29 attacks this year so far – none of which have been confirmed yet – four more than it claimed throughout the entire second-half of 2023.”
According to analysis by Group IB, Qilin is built around a ransomware-as-a-service (RaaS) model operating a fairly standard double extortion practice – indeed, in most regards it is a fairly standard Russian-speaking criminal extortion operation.
The gang favours the cross-platform Rust and Golang programming languages, and its initial approaches to victims tend to take the form of targeted spear-phishing emails.
