Sol Oriens, a subcontractor for the U.S. Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration (NNSA), last month was hit by a cyberattack that experts say came from the relentless REvil ransomware-as-a-service (RaaS) gang.
The Albuquerque, N.M. company’s website has been unreachable since at least June 3, but Sol Oriens officials confirmed to Fox News and to CNBC that the firm became aware of the breach sometime last month.
The company’s statement, captured in a Tweet stream posted by CNBC’s Eamon Javers on Thursday:
> “In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved …”
As Javers noted, “we don’t know everything this small company does,” but he posted a sample job posting that indicates that it handles nuclear weapons issues: “Senior Nuclear Weapon System Subject Matter. Expert with more than 20 years of experience with nuclear weapons like the W80-4.” The W80 is a type of nuclear warhead carried on air-launched cruise missiles.
According to an archived version of its website and its LinkedIn profile, Sol Oriens is a “small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications” that works with the “Department of Defense and Department of Energy Organizations, Aerospace Contractors, and Technology Firms (sic) carry out complex programs. … We focus on ensuring that there are well-developed technologies available to maintain a strong National Defense.”
Brett Callow, a threat analyst and ransomware expert at the security firm Emsisoft, told Mother Jones that he had spotted Sol Oriens’s internal information posted to REvil’s dark web blog.
At least for now, the data seems benign enough: It reportedly shows what Mother Jones described as “a company payroll form from September 2020, outing a handful of employees’ names, social security numbers, and quarterly pay. There’s also a company contracts ledger, and a portion of a memo outlining worker training plans. (The memo has Department of Energy and NNSA Defense Programs logos at the top.)”
Whether REvil – or whichever gang proves to be responsible for the attack – got its hands on more sensitive, secret information about the country’s nuclear weapons remains to be seen. But the fact that it got anything at all is, of course, deeply concerning. As Mother Jones pointed out, the NNSA is responsible for maintaining and securing the nation’s nuclear weapons stockpile and works on nuclear applications for the military, along with other highly sensitive missions.
Given all that responsibility, shouldn’t subcontractors’ security profiles be tight enough to fend off REvil or other cyberattackers? REvil reportedly blamed the victim, wagging its finger at Sol Oriens by writing that the subcontractor “did not take all necessary action to protect personal data of their employees and software development for partner companies.” The gang of cyberattackers wrote that above two screenshots of purportedly stolen data, adding that …
> We hereby keep a right (sic) to forward all of the relevant documentation and data to military agencies of our choise (sic), including all personal data of employees.
Threatpost has reached out for comments from the DOE. A spokesperson for the DOE declined to comment to Mother Jones. The news outlet also reached out to a spokesperson for the FBI’s Albuquerque Field Office, who refused to either confirm or deny that the agency was investigating the matter.
It wouldn’t be surprising if initial reports of REvil being responsible prove accurate. The RaaS group’s ambitions are apparently boundless. Earlier this week, an official of JBS Foods confirmed that the company paid the equivalent of $11 million in ransom after a cyberattack that forced the company to shut down some operations in the United States and Australia over the Memorial Day weekend.
REvil is known for both audacious attacks on the world’s biggest organizations and suitably astronomical ransoms. In April, it put the squeeze on Apple just hours before its splashy new product launch, demanding a whopping $50 million extortion fee: a bold move, even for the notorious RaaS gang. The original attack was launched against Quanta, a Global Fortune 500 manufacturer of electronics, which claims Apple among its customers. The Taiwanese-based company was contracted to assemble Apple products, including Apple Watch, Apple Macbook Air and Pro, and ThinkPad, from an Apple-provided set of design schematics.
FireEye researchers have also reported that the actors who’ve claimed to have access to the SolarWinds network have included one with links to the REvil/Sodinokibi ransomware gang, though that doesn’t necessarily make it true.
REvil’s reported chiding raises the question: Although it’s unclear what data the attackers managed to access, if we take the gang’s words at face value that it stole what it claims to have stolen, then what “necessary action” to protect employees’ purportedly compromised personal data and software development information could Sol Oriens have taken to fend off this attack?
The answer, unfortunately, is probably as varied as the group’s relentlessness, persistence and whatever-it-takes tactics. On Friday, cybersecurity firm Sophos issued a report detailing how, as the firm puts it, “No two criminal groups deploy the [RaaS] … in exactly the same way.”
In one recent attack, for example, the targeted organization “logged a massive volume of failed inbound RDP login attempts targeting the server which eventually became a point of access for the attackers,” Sophos researchers wrote. “On a typical server, the log that stores failed attempts to login to services like RDP rolls over, overwriting the oldest data, over a period of from several days to weeks depending on how many failed attempts were made. In this attack, the volume of failed RDP login events caused the log files to completely overwrite themselves with new entries every five minutes. The data collected from that server showed approximately 35,000 failed login attempts over a five minute period, originating from 349 unique IP addresses around the world.”
Among the 35,000 brute-force login attempts made every five minutes, these were the most common usernames the attackers tried to use. Source: Sophos
The researchers noted that RDP “was implicated as one of the most common methods of breaching a network in cases we were called in to investigate, which is why shutting off the outside world’s access to RDP is one of the most effective defenses an IT admin can take.”
Unfortunately, defense isn’t as simple as shutting off RDP, given the variability of techniques used by the gang’s affiliates, they wrote. “RDP was not the only culprit: attackers also gained initial access through other internet-facing services they were able to brute-force or to launch an exploit against a known vulnerability that gave them some access. In one case, the attacker targeted a bug in a specific VPN server software to gain initial access, then exploited a bug on a five-year-old version of Apache Tomcat on the same server that let the attacker create a new admin account on the server.”
Andrew Brandt, a principal researcher for Sophos, told Threatpost on Friday that the part of an attack where a network gets broken into is handled by affiliates or customers of the REvil software developers. As such, “the attackers’ skills and motivations may be different from incident to incident,” he said in an email.
Those affiliates aren’t necessarily out to do something as drastic as to steal nuclear secrets. It’s often far more random than that, Brandt said. “In many cases, we suspect that the attackers are just looking for targets of opportunity, but because there’s a diversity of affiliates and they may have different levels of skill and ability to target specific industries or organizations, it’s entirely possible this organization was specifically targeted. We just don’t know,” he said.
In the end, the “all necessary action” that the REvil gang referred to would include all of the recommendations that Sophos put in the tail end of its REvil report, Brandt continued. “Companies and organizations of all sizes and in all industries need to take a hard look at their own infrastructure and take whatever actions are necessary to close off those ‘low hanging fruit’ problems that are nearly always at the root cause of these kinds of breaches,” he said. “Closing off public-facing services like RDP at the firewall; enabling multi-factor authentication at all internal and externally-facing services, like VPNs; ensuring that internet-facing devices and servers are fully up to date with patches or fixes for known bugs, even if that means some downtime.”
Brandt noted that Sophos gives this advice “again and again” because, time and time again, “These have been the methods that criminals use to break into organizations. The attackers will never stop trying to find ways around those weak spots in the organization’s security posture. Defenders need to get out their metaphorical dental picks and start scraping away the cruft that’s putting their organization at risk. The alternative is to become a victim.”
David Bishop, CISO of global managed security services company Trustwave, opined that we need “more serious repercussions” for this type of attack. “We’re seeing advanced adversaries getting much bolder with who they are attacking, how they are blackmailing the targeted organization, and how they are monetizing their stolen goods,” he told Threatpost in an email on Friday.
“Most of these organized groups are financially motivated, but if these types of attackers shift their motivation from monetary to malicious, we should expect severe real-world outcomes,” Bishop continued. “We’ve only seen the tip of the iceberg in terms of the real-world effects with the cyber-attacks on JBS and Colonial Pipeline. The public and private sectors need to closely coordinate on what we can accomplish in terms of hard legal or offensive action to combat these threats – otherwise, these adversaries will continue to attack at will.”
061121 17:43 UPDATE: Added input from Sophos’s Andrew Brandt.
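The log-rollover problem Sophos describes is also a detection opportunity: a defender who windows failed RDP logons into the same five-minute periods can alert on volume and on the number of distinct source IPs long before the log overwrites itself. The following detector is an added example, not code from the article or from Sophos; it assumes a simplified CSV export of Windows Security events (event ID 4625 = failed logon, logon type 10 = RDP), and the log lines and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp,event_id,logon_type,username,source_ip"
# (not real telemetry). 4625 = failed logon, 4624 = success, type 10 = RDP.
SAMPLE_LOG = """\
2021-06-01T10:00:03,4625,10,administrator,198.51.100.10
2021-06-01T10:00:04,4625,10,admin,198.51.100.10
2021-06-01T10:00:05,4625,10,administrator,203.0.113.7
2021-06-01T10:01:10,4625,10,user,203.0.113.8
2021-06-01T10:02:30,4624,10,jsmith,192.0.2.5
2021-06-01T10:03:45,4625,10,administrator,198.51.100.11
2021-06-01T10:09:00,4625,10,jsmith,192.0.2.5
"""

WINDOW_SECONDS = 300  # the five-minute period the Sophos report describes
EPOCH = datetime(1970, 1, 1)  # fixed reference so bucketing ignores local TZ


def parse_events(text):
    """Parse the CSV-style lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, user, ip = parts
        events.append({"ts": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "user": user, "ip": ip})
    return events


def failed_rdp_windows(events):
    """Bucket failed RDP logons (4625, type 10) into aligned 5-minute windows.
    Returns {window_start: {"attempts": n, "ips": set, "users": {name: n}}}."""
    windows = defaultdict(lambda: {"attempts": 0, "ips": set(), "users": defaultdict(int)})
    for e in events:
        if e["event_id"] != "4625" or e["logon_type"] != "10":
            continue
        secs = int((e["ts"] - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=secs // WINDOW_SECONDS * WINDOW_SECONDS)
        w = windows[start]
        w["attempts"] += 1
        w["ips"].add(e["ip"])
        w["users"][e["user"]] += 1
    return windows


def flag_bruteforce(windows, max_attempts=3, max_ips=2):
    """Return window starts exceeding either threshold (assumed values; tune to baseline)."""
    return [s for s, w in sorted(windows.items())
            if w["attempts"] > max_attempts or len(w["ips"]) > max_ips]
```

On the constructed sample, only the 10:00 window is flagged (five failures from four IPs, "administrator" tried most often); the per-window user counts reproduce the kind of most-tried-username breakdown in the Sophos figure.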