DoppelPaymer Ransomware Used to Steal Data from Supplier to SpaceX, Tesla

Cyber attack at Visser Precision, which builds custom parts for the aerospace and automotive industries, reveals sensitive company data.

A company that provides custom parts to aerospace giants Lockheed Martin, SpaceX and Boeing, has been the target of an attack by an emerging type of ransomware that can both encrypt files and exfiltrate data.

Colorado-based Visser Precision said it was targeted by a “cyber incident” that involved the attacker accessing and stealing company data after a security researcher found some of the company’s stolen files leaked online.

Visser makes what are called “precision” parts for several industries, including automotive and aeronautics, with some high-profile customers that typically require heavy security requirements due to the sensitive and competitive nature of their work

Brett Callow, a threat analyst at anti-malware security firm Emsisoft, discovered the documents—a series of nondisclosure agreements Visser has with companies including SpaceX, Tesla, Honeywell, General Dynamics and others–on a hacker website and began alerting news outlets, according to published reports in Forbes and TechCrunch.

Attackers also tweeted in an account using the name “DoppelPaymer” that more files were on the way, alerting researchers that attackers likely used the DoppelPaymer ransomware in the attack, according to reports.

DoppelPaymer is an emerging type of ransomware that not only locks companies out of their own computer systems by encrypting files—the hallmark of typical ransomware—but also can exfiltrate company data and use it as collateral.

I February report by BleepingComputer noted that DoppelPaymer had shifted its tactics to include not just stealing a victim’s data, but also threatening targets to publish or sell their data if the victim did not pay the ransom.

This new show of sophistication in ransomware makes the tough decision of whether to pay the hackers’ ransom even more difficult for companies, which typically are advised not to pay in such a scenario, said one security expert.

“The evolution of ransomware from simply keeping data unusable, to that plus threatening to release it, is insidious in its premise,” Mike Jordan, vice president of research, Shared Assessments, said in an email to Threatpost. “Deciding whether to pay a ransomware extortionist always involves a financial calculus where you determine whether paying is cheaper than recovering the data on your own.”

The new methods that malware like DoppelPaymer and Maze employ are raising the stakes for victims of ransomware and increases the potential for financial loss if sensitive or classified data is revealed by threat actors, he said.

“If data is regulated, such as personal information, fines get introduced,” Jordan said. “And when the victim is a third party supplier of other companies, the potential loss of revenue from customers that lose faith in their ability to manage cybersecurity threats is also a particularly expensive variable.”

Indeed, some of the companies that appear on the list of revealed documents, such as Lockheed Martin, Boeing, Honeywell and General Dynamics, also have defense contracts with the federal government–which means they also deal in highly classified information. The threat of the release of this type of data definitely raises the stakes for Visser when considering whether to pay attackers, experts noted.

Targeting customer contracts also was a clever tactic by the attackers, as it has the potential to cause long-term damage not only to Visser but the customers affected, Jordan observed.

“Revealing confidentiality agreements threatens the possibility of revealing the contracts behind those agreements,” he said. “Revealing pricing puts the victim at a disadvantage to its competitors now and in the future, as they are still bound to those agreements, whereas competitors could undercut them. Additionally, revealing contracts put victims at risk of breaking confidentiality agreements, allowing customers to lawfully break favorable agreements.”

Of the companies affected in the Visser attack, only officials at Lockheed Martin so far have  publicly acknowledged that they are aware of the situation, according to reports.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.