Euro Security Watch with Mathew J. Schwartz

Ransomware Gang Goes Nuclear, Hitting US Weapons Contractor

Demanding Ransom, REvil Ransomware Operation Leaks Some Data Stolen From Sol Oriens
The headquarters of nuclear weapons subcontractor Sol Oriens in Albuquerque, New Mexico (Source: Google Maps)

A small U.S. nuclear weapons contractor has confirmed that it suffered a ransomware attack, resulting in the theft of data. Credit for the attack has been taken by the ransomware-as-a-service operation known as REvil, aka Sodinokibi.

Sol Oriens, a Department of Energy National Nuclear Security Administration subcontractor, said Thursday that the attack occurred in May. On June 3, the REvil - aka Sodinokibi - ransomware operation added the company, which is based in Albuquerque, New Mexico, to the list of victims it publishes on its Tor-based website.

Sol Oriens' LinkedIn profile describes the company as "a small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications."

"Sol Oriens did not take all necessary action to protect personal data of their employees and software developments for partner companies," REvil says in a statement posted to its leak site, delivered with the operation's trademark bluster. "We hereby keep a right to forward all of the relevant documentation and data to military agencies of our choice, including all personal data of employees."

The company couldn't be immediately reached for comment about whether it has received a ransom demand, how much REvil is demanding, and whether it intends to pay. The company's website has been offline since June 3, according to Mother Jones, which first reported news of the attack.

"In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment," the company tells CNBC in a statement. "The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved."

Sol Oriens says that at least so far, the material stolen doesn't appear to involve anything with national security implications. "We have no current indication that this incident involves client classified or critical security-related information," it says. "Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved."

REvil Hits Keep Coming

REvil first appeared in 2019 and has continued to attack organizations, especially in the United States, oftentimes first stealing data before leaving systems crypto-locked. The group then attempts to "name and shame" victims into paying by listing them on its "happy blog" data leak site, oftentimes with an extract of stolen data as proof that its attack succeeded.

The FBI recently attributed the ransomware attack against JBS, the world's largest meat processor, which came to light on May 30, to REvil. Underscoring the potential profits that keep driving ransomware attacks, on Wednesday, JBS said it had paid a ransom in cryptocurrency to REvil worth $11 million.

REvil is a RaaS operation. Such operations function not like a traditional street gang or mafia organization, but rather as a "software-as-a-service" offering "built on a culture of mistrust," says Mark Arena, CEO of threat intelligence firm Intel 471.

The operator builds a SaaS portal that allows affiliates to generate a crypto-locking malware executable. In the case of REvil, the operator also maintains a data leak portal and may handle negotiations with victims. Affiliates, who function as independent contractors and may work with multiple RaaS operations at once, use the operator's portal to generate those executables and then use them to infect victims.

At least when REvil first began operating in 2019, affiliates received 60% of every ransom paid, rising to 70% after three victims paid.

REvil's posting for Sol Oriens didn't even bother to list the company individually, but rather grouped it with two other alleged victims, which suggests the gang thinks it was a relatively minor hit. The leaked data features two items: part of a job listing for a contractor for the DOE's Los Alamos National Laboratory and wage reports.

Security experts say that before unleashing ransomware, many attackers will just grab whatever data they can easily get their hands on, rather than first undertaking extensive reconnaissance to identify an organization's true crown jewels, as spies might do.

Then again, sometimes, attackers might get lucky and get their hands on more sensitive information or greater quantities of data. But exfiltrating data might also tip off a hacked organization, giving it the opportunity to spot and stop the attack before crypto-locking malware can be unleashed.
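The point above, that bulk exfiltration can tip off the victim, is what a simple egress-volume detector looks for. The following Python is an added example written for this article, not code from the author, ISMG or any product named here; it assumes a hypothetical flow-log format of `timestamp,src,dst,bytes_out`, a constructed set of records, and arbitrary thresholds (a 10x jump over a host's median hour plus a 1 GB floor), all of which are assumptions rather than anything the article states.

```python
"""Flag hours in which an internal host sends far more data outbound
than it usually does, as a crude signal of bulk exfiltration before
ransomware deployment.

Constructed example: log format, hosts, addresses and thresholds are
assumptions for illustration, not taken from any real product or incident.
Each record is 'timestamp,src,dst,bytes_out'.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flow records (hypothetical internal hosts 10.0.0.x
# talking to documentation-range external addresses).
SAMPLE_LOG = """\
2021-05-10T01:00:00,10.0.0.5,203.0.113.9,120000
2021-05-10T02:00:00,10.0.0.5,203.0.113.9,95000
2021-05-10T03:00:00,10.0.0.5,203.0.113.9,110000
2021-05-10T04:00:00,10.0.0.5,203.0.113.9,105000
2021-05-10T05:00:00,10.0.0.5,198.51.100.7,4800000000
2021-05-10T01:00:00,10.0.0.8,203.0.113.9,2000000
2021-05-10T02:00:00,10.0.0.8,203.0.113.9,2100000
2021-05-10T03:00:00,10.0.0.8,203.0.113.9,1900000
2021-05-10T04:00:00,10.0.0.8,203.0.113.9,2050000
2021-05-10T05:00:00,10.0.0.8,203.0.113.9,2200000
"""


def parse_flows(text):
    """Parse 'timestamp,src,dst,bytes_out' lines into tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def hourly_egress(flows, internal_prefix="10."):
    """Sum outbound bytes per (internal source host, hour), ignoring
    internal-to-internal traffic."""
    buckets = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            hour = ts.replace(minute=0, second=0, microsecond=0)
            buckets[(src, hour)] += nbytes
    return buckets


def detect_egress_spikes(flows, factor=10.0, min_bytes=1_000_000_000):
    """Return one alert per (host, hour) whose egress exceeds both an
    absolute floor and `factor` times the host's median over its other
    hours. The median keeps a single huge hour from inflating its own
    baseline when the other hours are evaluated."""
    per_host = defaultdict(dict)
    for (src, hour), total in hourly_egress(flows).items():
        per_host[src][hour] = total

    alerts = []
    for src, hours in per_host.items():
        for hour, total in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            if not others:
                continue  # no baseline to compare against
            baseline = median(others)
            if total >= min_bytes and total > factor * baseline:
                alerts.append({
                    "host": src,
                    "hour": hour.isoformat(),
                    "bytes": total,
                    "baseline": baseline,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_spikes(parse_flows(SAMPLE_LOG)):
        print(f"{alert['host']} at {alert['hour']}: {alert['bytes']} bytes "
              f"(median of other hours {alert['baseline']:.0f})")
```

On the constructed data only host 10.0.0.5's 05:00 hour is flagged: its roughly 100 KB hours are its baseline, and the 4.8 GB transfer to a new external address dwarfs them, while host 10.0.0.8's steady 2 MB hours never cross the floor. A production detector would baseline over days rather than a handful of hours and would join the spike to other signals (new destination, off-hours timing, archive tooling on the host), but the shape of the check is the same.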

Another Alleged Breach Victim: Invenergy

For comparison's sake, Chicago-based power generation and operations company Invenergy got a stand-alone listing, with REvil claiming to have stolen 4 terabytes of data.

Showing its extortionist stripes, REvil's listing for Invenergy claims to have stolen extensive amounts of data: "We have all info from all departments. Projects, contracts, NDA, tax refund, ssn, passports etc, we have them all," the listing reads. Just to increase the pressure, REvil also claims to have stolen embarrassing information from the CEO's computer.

Invenergy didn't immediately respond to a request for comment.

Attacking victims and publicly outing them oftentimes drives journalists to broadcast the hack attack and lawmakers to question the particulars, thus increasing the focus and potentially driving more victims to pay, in advance, to avoid such exposure.

Intel 471's Arena says that is the ideal scenario for criminals: Attackers want a victim to pay to hush up the attack, so no one else ever knows it happened. Operating from the shadows makes attackers less of a target for law enforcement agencies and makes the true scale of the problem more difficult to ascertain.

Sometimes, gangs publicizing attacks can seem to backfire (see: Charm Offensive: Ransomware Gangs 'Tell All' in Interviews).

The DarkSide attack against Colonial Pipeline Co., for example, disrupted an organization that supplies about 45% of the fuel used along the East Coast, and it appeared to help cement at least some political will in the United States to take more aggressive steps to combat ransomware. Notably, the Biden administration has said it will begin to hold the Russian government responsible for allowing criminals working inside its borders to hit U.S. targets.

After the Colonial Pipeline hit, DarkSide in mid-May reported that its infrastructure had been disrupted - it didn't say how - and that it would no longer be working with affiliates. Even so, experts say the operation is likely to lie low for a little while, then rebrand and keep running its attacks.

Likewise, the attack against Ireland's national health service - by the Conti operation - has triggered a public health disaster. Parts of the country, for example, remain unable to access systems for test results, and testing laboratories are working at reduced capacity, the Irish Examiner reports. The scale of the problem is so large that the army has been deployed to help wipe and restore affected systems.

The disruption of critical infrastructure - a major U.S. pipeline and Ireland's national health service being just two of many recent examples - underscores that ransomware is now a national security problem.

The White House has pledged to treat it as such, and says that the government's recently launched Ransomware and Digital Extortion Task Force, based in Washington, will both create a centralized approach and also treat such attacks with the same seriousness with which terrorism gets investigated. The Biden administration has also urged businesses to take ransomware more seriously, treating it not as a data leak threat, but as an existential threat that could have a business-ending impact.

Such moves are welcome - but will they be enough? Until something is done to really disrupt ransomware attacks and arrest perpetrators, the hits will keep on coming.



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



