Charter Industrial Supply, a notable U.S. distributor of industrial machinery and equipment, has been identified as the latest victim of a significant ransomware attack. The industrial supplier, which was acquired by TIPCO Technologies in September 2024, has been listed on the dark web leak site of the notorious ransomware gang known as the “Sarcoma Group.” This breach appears to be the culmination of a series of security vulnerabilities, with employee credentials and sensitive company data having been exposed in multiple data breaches over the past several months.
The Victim: An Expanding Mid-Sized Enterprise
Charter Industrial Supply is a key player in the industrial distribution sector, specializing in hydraulic hoses and fittings. Prior to its acquisition, the West Coast-based company was a family-owned business with an estimated annual revenue of up to $10 million. The recent merger with TIPCO Technologies has significantly expanded its operational footprint, integrating it into a national network with a combined revenue reportedly reaching $35 million. This growth has unfortunately also increased its visibility and attractiveness as a target for cybercriminals.
Anatomy of the Attack: A Trail of Compromised Credentials
The attack on Charter Industrial Supply was likely initiated through credential stuffing, a technique where attackers use login credentials stolen from previous data breaches to gain unauthorized access to other systems. Threat intelligence reveals a consistent pattern of the company’s employee data appearing in various credential leaks throughout 2025.
The trail of exposed data includes multiple instances of employee email addresses and passwords being circulated on the dark web. This consistent leakage of sensitive information provided the Sarcoma Group with the necessary ammunition to penetrate Charter Industrial Supply’s network, exfiltrate sensitive data, and ultimately deploy their ransomware. The appearance of the company on the ransomware group’s leak site indicates that the attackers have stolen data and are using the threat of its public release to extort a ransom payment.
Indicators of Compromise (IOCs)
A number of specific indicators of compromise have been identified in relation to this attack, painting a clear picture of the security failures that led to the breach.
Exposed Credentials:
Multiple employee email addresses and their corresponding passwords were found in various data dumps, including:
(Censored by author)
- Emails:
- Exposed Passwords (examples):
  - chXXXXXXX!
  - samXXXXXXXX#
  - ssXXXX!
Source Data Breaches:
The compromised credentials and other sensitive information were found in a number of significant data breaches, including:
- 80M US SSN and DOB Databases Leak (August 2025)
- 88M US Personal Information Database Leak (July 2025)
- 17M LinkedIn Database Collection (September 2025)
- Credential Stuffing List (July, August, September 2025)
- Imdatacenter.com Breach (August 2025)
- Intelx.io Breach (July 2025)
- US Intelligence Leaked by KelvinSec Team (September 2025)
Ransomware Group Dark Web URLs:
The Sarcoma Group has listed Charter Industrial Supply on its dark web site, with the following onion URLs being associated with the breach: