Breach Notification , Business Email Compromise (BEC) , Cybercrime
DoppelPaymer Ransomware Slams Supplier to Boeing and Tesla
Crypto-Locking Malware Gang Dumps Confidential Data Stolen From Visser PrecisionRansomware-wielding criminals appear to have hit a Denver-based manufacturer that supplies parts to such organizations as Boeing, Lockheed Martin, Tesla and SpaceX.
See Also: Gartner Guide for Digital Forensics and Incident Response
Visser Precision makes components for the automobile, aerospace and manufacturing industries with milling machines that carve parts from such materials as titanium and aluminum. It has confirmed that it suffered a hack attack.
The company appears to have fallen victim to the DoppelPaymer ransomware group. DoppelPaymer has set up a public website with files from companies it claims it has compromised but have not paid a ransom, and it now lists Visser on that site, together with excerpts of allegedly stolen data. "Stay tuned. LOT of to come by parts,” the website states, suggesting that it has more stolen data ready to leak.
Visser says it's been hit by hackers, although per the identity of its likely attacker, has yet to name names. But the security incident included “access to or theft of data,” the company says in a statement.
Visser says "business is operating normally" and that it's continuing to investigate the attack. "Visser Precision will continue full cooperation with its customer partner companies, but will make no further press comment at this time.”
Lockheed Martin is aware of the attack on Visser and is “following our standard response process for potential cyber incidents related to our supply chain,” the company says in a statement.
“Lockheed Martin has made and continues to make significant investments in cybersecurity, and uses industry-leading information security practices to protect sensitive information,” it adds. “This includes providing guidance to our suppliers, when appropriate, to assist them in enhancing their cybersecurity posture.”
Tesla, SpaceX and Boeing officials did not immediately respond to a request for comment.
Until Recently, Leaks Were Rare
Relatively few hack attacks have led to victims' data being dumped online, with some notable exceptions, including takedowns of surveillance software makers, such as Italy's Hacking Team, by a hacker or group named "PhineasFisher." Prior to that, the group had claimed credit for hacking and leaking data from former FinFisher surveillance software vendor Gamma Group.
Also in 2015, extramarital dating site Ashley Madison was hacked by a group calling itself the Impact Team, which leaked 30 GB of data about subscribers. Exposed information, comprising 36 million accounts, included customer names and email addresses, postal codes, GPS data and their dating preferences (see: Ashley Madison: The Impact of Some Data Breaches Is Forever).
In November 2014, Sony Pictures Entertainment not only suffered a wiper malware attack, but also saw large batches of sensitive internal information get leaked. In that case, a group calling itself the Guardians of Peace claimed credit. But the U.S. government attributed the attack to North Korea (see: Sony Pictures Cyberattack Timeline).
Data Dumping Expands
In recent months, however, many ransomware-wielding gangs have joined the data-dumping club.
In the big picture, ransomware operators' criminal business proposition remains simple: Crypto-lock an organization's files and delete the originals, then demand a ransom in exchange for the promise of a decryption tool to unlock files.
But in an effort to exert even more pressure on victims to pay, in part by trying to name and shame them in public, some ransomware groups are upping the ante by stealing data before they forcibly encrypt everything. Now, they're not only threatening to leak stolen files but actually following through until they receive a ransom payoff (see: Alarming Trend: More Ransomware Gangs Exfiltrating Data).
Visser's Internal Files Apparently Leaked
In the case of DoppelPaymer, the gang has been publishing data from organizations it purportedly compromised, since the middle of last month (see: DoppelPaymer Ransomware Gang Threatens to Dump Victims' Data).
The group's name-and-shame website has at times featured data from more than a dozen organizations, although as of Tuesday it featured data from just six organizations.
“Below you can find private data of the companies which were hacked by DoppelPaymer,” the site reads. “These companies decided to keep the leakage secret. And now their time to pay is over.”
As of Tuesday, the alleged Visser data was featured alongside alleged data from Furniture Row, which is an American furnishing retailer with 330 stores across 31 states. Furniture Row and Visser Precision were both founded by Barry Visser, an entrepreneur who in the 1980s also founded the chain retailer Big Sur Waterbeds.
Dumped data includes what is purportedly Visser's nondisclosure-agreements with both SpaceX and Tesla, as well as sales contact lists, tax forms and receipts. The sales contact lists contain email addresses and phone numbers for individuals working at a variety of companies.
One document appears to be an export license from the U.S. State Department authorizing Visser - and its customer Lockheed Martin - to export drawings and specifications for a small missile.
Groups like DoppelPaymer typically kick off their extortion schemes by publishing older and less sensitive data, holding back newer and perhaps more sensitive data to maintain an incentive for a hacked organization to pay, says Brett Callow, a threat analyst with the security firm Emsisoft.
“This is the equivalent of a kidnapper sending a pinky finger,” Callow says.
Supply Chain Risks
DoppelPaymer has been active since the middle of last year, but Callow says it only started publishing stolen data in the past few days. The tactic follows other ransomware groups, including Maze, Sodinokibi - aka REvil and Sodin - as well as Nemty and Snatch, which are all now threatening to release data from compromised organizations that don't pay (see: Alarming Trend: More Ransomware Gangs Exfiltrating Data).
One downstream effect is that not just victims but victims' partner companies could get caught out, Callow says, such as appears to have happened with organizations that rely on Visser.
“A weakness at any point can put their data at risk, as well as their customers and business partners' data,” Callow says. “In turn, that can put individuals at risk of identity theft, partners at risk of spear phishing, business email compromise scams and other forms of fraud.”
Executive Editor Mathew Schwartz contributed to this story.