HVD.HOST
Summary
The Black Basta ransomware gang compromised a cloud-based hosting service identified only as "hvd.host" in March 2024, affecting approximately 13 Australian companies. The gang posted dozens of Australian passports and driver's licenses to the dark web and threatened to publish data from affected businesses if ransom demands were not met by 9 March 2024. This supply chain attack exposed highly sensitive identity documents from multiple organizations using the hosting service.
What Happened
The Black Basta ransomware gang breached the infrastructure of HVD.HOST, a cloud-based hosting service provider, gaining access to data from at least 13 customer organizations. The attackers exfiltrated sensitive documents, including Australian passports and driver's licenses, from companies hosted on the platform. Black Basta posted details on its darknet leak site with a deadline of 9 March 2024 for ransom payment. The gang referred to the victim only as "hvd.host" without disclosing the hosting service's full identity.
Impact on Individuals
This supply chain attack exposed highly sensitive government identity documents from employees and customers of the 13 affected companies. The compromised data included:
- Australian passports
- Driver's licenses
- Business and employee information
Affected individuals should:
- Monitor passport status and report any fraudulent use to the Department of Foreign Affairs and Trade
- Check driver's license status with their state authority
- Place a ban on credit files to prevent identity theft
- Be extremely alert for targeted identity fraud using the combination of documents
- Watch for scams targeting employees or customers of the affected companies
The exposure of government identity documents creates a severe risk of identity theft that cannot be easily remediated, since these documents cannot be changed like passwords.
Organisational Response
The affected organizations included Australian Textiles, Ausweave, Bart Group, Bruck, OPT, Wilson Fabrics, Knoxbridge, Nova Employment, Xenit, and Advanced CS, among others. Black Basta operates under a ransomware-as-a-service model and has been active since at least April 2022, with affiliates claiming more than 40 victims in 2024 alone. This incident highlights the cascading risk of hosting provider breaches, where a single compromise can expose data from multiple organizations simultaneously.
Impacted Organizations
The following entities have been confirmed as affected by this specific vendor breach:
- Australian Textiles
- Ausweave
- Bart Group
- Bruck
- OPT
- Wilson Fabrics
- Knoxbridge
- Nova Employment
- Xenit
- Advanced CS