Sol Oriens, a subcontractor for the U.S. Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration ([NNSA](<https://www.energy.gov/nnsa/national-nuclear-security-administration>)), last month was hit by a cyberattack that experts say came from the relentless [REvil](<https://threatpost.com/revil-spill-details-us-attacks/166669/>) ransomware-as-a-service (RaaS) gang.
The Albuquerque, N.M. company’s website has been unreachable since at least June 3, but Sol Oriens officials confirmed to [Fox News](<https://foxwilmington.com/headlines/contractor-that-does-nuclear-weapons-related-works-for-energy-department-hit-by-ransomware/>) and to [CNBC](<https://www.rawstory.com/russia-cyberattack-sol-oriens/>) that the firm became aware of the breach sometime last month.
The company’s statement, captured in a [Tweet stream](<https://twitter.com/EamonJavers/status/1403094484779339783>) posted by CNBC’s Eamon Javers on Thursday:
> “In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved …”
As Javers noted, “we don’t know everything this small company does,” but he posted a [sample job posting](<https://lensa.com/senior-nuclear-weapon-system-subject-matter-expert-jobs/albuquerque-nm/hjp/625db000af48ec9d44076c26639e92a4986d2d91a2b45d2887ac1e0851512029>) that indicates that it handles nuclear weapons issues: “Senior Nuclear Weapon System Subject Matter Expert with more than 20 years of experience with nuclear weapons like the W80-4.” The [W80](<https://www.gao.gov/products/gao-20-409>) is a type of nuclear warhead carried on air-launched cruise missiles.
According to an archived version and its [LinkedIn profile](<https://www.linkedin.com/company/sol-oriens-llc/about/>), Sol Oriens is a “small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications” that works with the “Department of Defense and Department of Energy Organizations, Aerospace Contractors, and Technology Firms (sic) carry out complex programs. … We focus on ensuring that there are well-developed technologies available to maintain a strong National Defense.”
## What Was Stolen
Brett Callow, a threat analyst and ransomware expert at the security firm Emsisoft, told [Mother Jones](<https://www.motherjones.com/politics/2021/06/ransomware-attacks-are-hitting-small-business-and-some-of-them-are-military-subcontractors/>) that he had spotted Sol Oriens’s internal information posted to REvil’s dark-web leak blog.
At least for now, the data seems benign enough: It reportedly shows what Mother Jones described as “a company payroll form from September 2020, outing a handful of employees’ names, social security numbers, and quarterly pay. There’s also a company contracts ledger, and a portion of a memo outlining worker training plans. (The memo has Department of Energy and NNSA Defense Programs logos at the top.)”
Whether REvil – or whichever gang proves to be responsible for the attack – got its hands on more sensitive, secret information about the country’s nuclear weapons remains to be seen. But the fact that it got anything at all is, of course, deeply concerning. As Mother Jones pointed out, the NNSA is responsible for maintaining and securing the nation’s nuclear weapons stockpile and works on nuclear applications for the military, along with [other highly sensitive missions.](<https://www.thedrive.com/the-war-zone/35197/the-department-of-energy-may-be-the-best-place-to-keep-a-secret>)
Given all that responsibility, shouldn’t subcontractors’ security profiles be tight enough to fend off REvil or other cyberattackers? REvil reportedly blamed the victim, wagging its finger at Sol Oriens by writing that the subcontractor “did not take all necessary action to protect personal data of their employees and software development for partner companies.” The gang of cyberattackers wrote that above two screenshots of purportedly stolen data, adding that …
> We hereby keep a right (sic) to forward all of the relevant documentation and data to military agencies of our choise (sic), including all personal data of employees.
Threatpost has reached out to the DOE for comment. A DOE spokesperson declined to comment to Mother Jones. The news outlet also reached out to a spokesperson for the FBI’s Albuquerque Field Office, who would neither confirm nor deny that the agency was investigating the matter.
## The ‘Relentless’ REvil
It wouldn’t be surprising if initial reports of REvil being responsible prove accurate. The RaaS group’s ambitions are apparently boundless. Earlier this week, an official of JBS Foods confirmed that the company paid the equivalent of [$11 million in ransom](<https://threatpost.com/jbs-paid-11m/166767/>) after a [cyberattack](<https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/>) that forced the company to shut down some operations in the United States and Australia over the Memorial Day weekend.
REvil is known for both audacious attacks on the world’s biggest organizations and suitably astronomical ransoms. In April, it [put the squeeze on Apple](<https://threatpost.com/revil-apple-ransomware-pay-off/165570/>) just hours before its splashy new product launch, demanding a whopping $50 million extortion fee: a bold move, even for the notorious RaaS gang. The original [attack was launched against Quanta](<https://therecord.media/ransomware-gang-tries-to-extort-apple-hours-ahead-of-spring-loaded-event/>), a Global Fortune 500 electronics manufacturer that counts Apple among its customers. The Taiwan-based company was contracted to assemble Apple products, including Apple Watch and MacBook Air and Pro, from an Apple-provided set of design schematics; it also builds Lenovo’s ThinkPad line.
FireEye researchers have also reported that the actors who’ve claimed to have access to the [SolarWinds](<https://threatpost.com/solarwinds-hack-seismic-shift/165758/>) network have included one with [links to the REvil/Sodinokibi ransomware gang](<https://www.computerweekly.com/news/252493790/FireEye-and-partners-release-SolarWinds-kill-switch>), though that doesn’t necessarily make it true.
REvil’s reported chiding raises the question: Although it’s unclear what data the attackers actually accessed, if we take the gang at its word that it stole what it claims to have stolen, what “necessary action” could Sol Oriens have taken to protect its employees’ personal data and its software-development information and fend off this attack?
The answer, unfortunately, is probably as varied as the group’s relentlessness, persistence and whatever-it-takes tactics. On Friday, cybersecurity firm Sophos issued a [report](<https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/>) detailing how, as the firm puts it, “No two criminal groups deploy the [RaaS] … in exactly the same way.”
In one recent attack, for example, the targeted organization “logged a massive volume of failed inbound RDP login attempts targeting the server which eventually became a point of access for the attackers,” Sophos researchers wrote. “On a typical server, the log that stores failed attempts to login to services like RDP rolls over, overwriting the oldest data, over a period of several days to weeks depending on how many failed attempts were made. In this attack, the volume of failed RDP login events caused the log files to completely overwrite themselves with new entries every five minutes. The data collected from that server showed approximately 35,000 failed login attempts over a five-minute period, originating from 349 unique IP addresses around the world.”
![Most common usernames in the REvil RDP brute-force attempts](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/11124458/Relentless.png>)

Among the 35,000 brute-force login attempts made every five minutes, these were the most common usernames the attackers tried to use. Source: Sophos
The researchers noted that RDP “was implicated as one of the most common methods of breaching a network in cases we were called in to investigate, which is why shutting off the outside world’s access to RDP is one of the most effective defenses an IT admin can take.”
Unfortunately, defense isn’t as simple as shutting off RDP, given the variability of techniques used by the gang’s affiliates, they wrote. “RDP was not the only culprit: attackers also gained initial access through other internet-facing services they were able to brute-force or to launch an exploit against a known vulnerability that gave them some access. In one case, the attacker targeted a bug in a specific VPN server software to gain initial access, then exploited a bug on a five-year-old version of Apache Tomcat on the same server that let the attacker create a new admin account on the server.”
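The brute-force pattern Sophos describes is easy to miss precisely because the Security log rolls over before anyone reads it. The following is an added example, not Sophos’s or Threatpost’s code: it takes failed-logon records already exported from the Windows Security log (Event ID 4625, LogonType 10 for RDP), buckets them into five-minute windows, reports the failure volume, distinct source IPs and top usernames per window, flags windows that exceed a threshold, and estimates how quickly a log of a given capacity overwrites itself at the observed rate. The field names, the thresholds and every sample record are constructed for this example.

```python
"""
Spot a distributed RDP brute force in Windows Security log events and
estimate how fast it will roll the log over.

Added example, not Sophos's or Threatpost's code. It assumes failed logons
have already been exported from the Security log (Event ID 4625) into dicts
with the fields used below; the field names and all sample records are
constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # Sophos reported ~35,000 failures per 5 minutes
EPOCH = datetime(1970, 1, 1)
RDP_LOGON_TYPE = 10             # LogonType 10 = RemoteInteractive (RDP)


def build_sample():
    """Constructed sample: a 4-minute spray from 12 addresses, two later typos, one success."""
    users = ["administrator", "administrator", "admin", "user", "test", "administrator"]
    base = datetime(2021, 6, 1, 2, 0, 0)
    events = [
        {"ts": (base + timedelta(seconds=2 * i)).isoformat(), "event_id": 4625,
         "logon_type": RDP_LOGON_TYPE, "user": users[i % len(users)],
         "src_ip": f"203.0.113.{i % 12 + 1}"}
        for i in range(120)
    ]
    later = datetime(2021, 6, 1, 9, 15, 0)
    for k in range(2):  # an employee mistyping a password twice
        events.append({"ts": (later + timedelta(seconds=30 * k)).isoformat(), "event_id": 4625,
                       "logon_type": RDP_LOGON_TYPE, "user": "jdoe", "src_ip": "10.0.0.25"})
    events.append({"ts": "2021-06-01T09:16:30", "event_id": 4624,  # success: must be ignored
                   "logon_type": RDP_LOGON_TYPE, "user": "jdoe", "src_ip": "10.0.0.25"})
    return events


def failed_rdp_logons(events):
    """Keep only failed (4625) RemoteInteractive logons."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE]


def window_start(ts, window=WINDOW):
    """Floor an ISO-8601 timestamp to the start of its tumbling window."""
    secs = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
    return EPOCH + timedelta(seconds=secs - secs % window.total_seconds())


def summarize(events, window=WINDOW, max_failures=50, max_sources=10):
    """Per-window failure count, distinct sources and top usernames, flagged when either
    the volume or the source spread exceeds the thresholds (tune these to your baseline)."""
    buckets = defaultdict(list)
    for e in failed_rdp_logons(events):
        buckets[window_start(e["ts"], window)].append(e)
    report = []
    for start in sorted(buckets):
        evs = buckets[start]
        sources = Counter(e["src_ip"] for e in evs)
        users = Counter(e["user"].lower() for e in evs)
        report.append({
            "window_start": start.isoformat(),
            "failed": len(evs),
            "unique_sources": len(sources),
            "top_users": users.most_common(3),
            "suspicious": len(evs) >= max_failures or len(sources) >= max_sources,
        })
    return report


def rollover_interval(max_entries, failures_per_window, window=WINDOW):
    """How long a log that holds max_entries events survives at the observed failure rate.
    At 35,000 failures per 5 minutes a 35,000-entry log overwrites itself every 5 minutes,
    which is why these events must be forwarded off-host as they occur."""
    return window * (max_entries / failures_per_window)


if __name__ == "__main__":
    for row in summarize(build_sample()):
        print(row)
    print("log lifetime at 35k failures / 5 min:", rollover_interval(35_000, 35_000))
```

The two thresholds are deliberately separate: a single noisy source tripping the volume check is a different (and usually less serious) signal than a modest volume spread across many addresses, which is the distributed pattern Sophos saw. Run the same summary against your own exported 4625 events and compare the window counts with the retention of the log that produced them; if the two are of the same order, the log is not a reliable record and needs to be shipped to a collector.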
Andrew Brandt, a principal researcher for Sophos, told Threatpost on Friday that the part of an attack where a network gets broken into is handled by affiliates or customers of the REvil software developers. As such, “the attackers’ skills and motivations may be different from incident to incident,” he said in an email.
Those affiliates aren’t necessarily out to do something as drastic as to steal nuclear secrets. It’s often far more random than that, Brandt said. “In many cases, we suspect that the attackers are just looking for targets of opportunity, but because there’s a diversity of affiliates and they may have different levels of skill and ability to target specific industries or organizations, it’s entirely possible this organization was specifically targeted. We just don’t know,” he said.
In the end, the “all necessary action” that the REvil gang referred to would include all of the recommendations that Sophos put in the tail end of its REvil report, Brandt continued. “Companies and organizations of all sizes and in all industries need to take a hard look at their own infrastructure and take whatever actions are necessary to close off those ‘low hanging fruit’ problems that are nearly always at the root cause of these kinds of breaches,” he said. “Closing off public-facing services like RDP at the firewall; enabling multi-factor authentication at all internal and externally-facing services, like VPNs; ensuring that internet-facing devices and servers are fully up to date with patches or fixes for known bugs, even if that means some downtime.”
Brandt noted that Sophos gives this advice “again and again” because, time and time again, “These have been the methods that criminals use to break into organizations. The attackers will never stop trying to find ways around those weak spots in the organization’s security posture. Defenders need to get out their metaphorical dental picks and start scraping away the cruft that’s putting their organization at risk. The alternative is to become a victim.”
## Consequences for Bold, Dangerous Cyberattacks?
David Bishop, CISO of global managed security services company Trustwave, opined that we need “more serious repercussions” for this type of attack. “We’re seeing advanced adversaries getting much bolder with who they are attacking, how they are blackmailing the targeted organization, and how they are monetizing their stolen goods,” he told Threatpost in an email on Friday.
“Most of these organized groups are financially motivated, but if these types of attackers shift their motivation from monetary to malicious, we should expect severe real-world outcomes,” Bishop continued. “We’ve only seen the tip of the iceberg in terms of the real-world effects with the cyber-attacks on JBS and Colonial Pipeline. The public and private sectors need to closely coordinate on what we can accomplish in terms of hard legal or offensive action to combat these threats – otherwise, these adversaries will continue to attack at will.”
061121 17:43 UPDATE: Added input from Sophos’s Andrew Brandt.
Published June 11, 2021, by Lisa Vaas at Threatpost: <https://threatpost.com/revil-hits-us-nuclear-weapons-contractor-sol-oriens/166858/>