REvil Hits US Nuclear Weapons Contractor: Report

“We hereby keep a right (sic) to forward all of the relevant documentation and data to military agencies of our choise (sic)” REvil reportedly wrote.

Sol Oriens, a subcontractor for the U.S. Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration (NNSA), last month was hit by a cyberattack that experts say came from the relentless REvil ransomware-as-a-service (RaaS) gang.

The Albuquerque, N.M. company’s website has been unreachable since at least June 3, but Sol Oriens officials confirmed to Fox News and to CNBC that the firm became aware of the breach sometime last month.

The company’s statement, captured in a Tweet stream posted by CNBC’s Eamon Javers on Thursday:

“In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved …”

As Javers noted, “we don’t know everything this small company does,” but he posted a sample job posting that indicates that it handles nuclear weapons issues: “Senior Nuclear Weapon System Subject Matter. Expert with more than 20 years of experience with nuclear weapons like the W80-4.” The W80 is a type of nuclear warhead carried on air-launched cruise missiles.

According to an archived version and its LinkedIn profile, Sol Oriens is a “small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications” that works with the “Department of Defense and Department of Energy Organizations, Aerospace Contractors, and Technology Firms (sic) carry out complex programs. … We focus on ensuring that there are well-developed technologies available to maintain a strong National Defense.”

What Was Stolen

Brett Callow, a threat analyst and ransomware expert at the security firm Emsisoft, told Mother Jones that he had spotted Sol Oriens’s internal information posted to the REvil’s dark web blog.

At least for now, the data seems benign enough: It reportedly shows what Mother Jones described as “a company payroll form from September 2020, outing a handful of employees’ names, social security numbers, and quarterly pay. There’s also a company contracts ledger, and a portion of a memo outlining worker training plans. (The memo has Department of Energy and NNSA Defense Programs logos at the top.)”

Whether REvil – or whichever gang proves to be responsible for the attack – got its hands on more sensitive, secret information about the country’s nuclear weapons remains to be seen. But the fact that it got anything at all is, of course, deeply concerning. As Mother Jones pointed out, the NNSA is responsible for maintaining and securing the nation’s nuclear weapons stockpile and works on nuclear applications for the military, along with other highly sensitive missions.

Given all that responsibility, shouldn’t subcontractors’ security profiles be tight enough to fend off REvil or other cyberattackers? REvil reportedly blamed the victim, wagging its finger at Sol Oriens by writing that the subcontractor “did not take all necessary action to protect personal data of their employees and software development for partner companies.” The gang of cyberattackers wrote that above two screenshots of purportedly stolen data, adding that …

We hereby keep a right (sic) to forward all of the relevant documentation and data to military agencies of our choise (sic), including all personal data of employees.

Threatpost has reached out for comments from the DOE. A spokesperson for the DOE declined to comment to Mother Jones. The news outlet also reached out to a spokesperson for the FBI’s Albuquerque Field Office, who refused to either confirm or deny that the agency was investigating the matter.

The ‘Relentless’ REvil

It wouldn’t be surprising if initial reports of REvil being responsible prove accurate. The RaaS group’s ambitions are apparently boundless. Earlier this week, an official of JBS Foods confirmed that the company paid the equivalent of $11 million in ransom after a cyberattack that forced the company to shut down some operations in the United States and Australia over the Memorial Day weekend.

REvil is known for both audacious attacks on the world’s biggest organizations and suitably astronomical ransoms. In April, it put the squeeze on Apple just hours before its splashy new product launch, demanding a whopping $50 million extortion fee: a bold move, even for the notorious ransomware-as-a-service (RaaS) gang. The original attack was launched against Quanta, a Global Fortune 500 manufacturer of electronics, which claims Apple among its customers. The Taiwanese-based company was contracted to assemble Apple products, including Apple Watch, Apple Macbook Air and Pro, and ThinkPad, from an Apple-provided set of design schematics.

FireEye researchers have also reported that the actors who’ve claimed to have access to the SolarWinds network have included one with links to the REvil/Sodinokibi ransomware gang, though that doesn’t necessarily make it true.

REvil’s reported chiding begs the question: Although it’s unclear what data the attackers managed to access, if we take the gang’s words at face value that it stole what it claims to have stolen, then what “necessary action” to protect employees’ purportedly compromised personal data and software development information could Sol Oriens have done to fend off this attack?

The answer, unfortunately, is probably as varied as the group’s relentlessness, persistence and whatever-it-takes tactics. On Friday, cybersecurity firm Sophos issued a report detailing how, as the firm puts it, “No two criminal groups deploy the [RaaS] … in exactly the same way.”

In one recent attack, for example, the targeted organization “logged a massive volume of failed inbound RDP login attempts targeting the server which eventually because a point of access for the attackers,” Sophos researchers wrote. “On a typical server, the log that stores failed attempts to login to services like RDP rolls over, overwriting the oldest data, over a period of from several days to weeks depending on how many failed attempts were made. In this attack, the volume of failed RDP login events caused the log files to completely overwrite themselves with new entries every five minutes. The data collected from that server showed approximately 35,000 failed login attempts over a five minute period, originating from 349 unique IP addresses around the world.”

Among the 35,000 brute-force login attempts made every five minutes, these were the most common usernames the attackers tried to use. Source: Sophos

The researchers noted that RDP “was implicated as one of the most common methods of breaching a network in cases we were called in to investigate, which is why shutting off the outside world’s access to RDP is one of the most effective defenses an IT admin can take.”

Unfortunately, defense isn’t as simple as shutting off RDP, given the variability of techniques used by the gang’s affiliates, they wrote. “RDP was not the only culprit: attackers also gained initial access through other internet-facing services they were able to brute-force or to launch an exploit against a known vulnerability that gave them some access. In one case, the attacker targeted a bug in a specific VPN server software to gain initial access, then exploited a bug on a five-year-old version of Apache Tomcat on the same server that let the attacker create a new admin account on the server.”

Andrew Brandt, a principal researcher for Sophos, told Threatpost on Friday that the part of an attack where a network gets broken into is handled by affiliates or customers of the REvil software developers. As such, “the attackers’ skills and motivations may be different from incident to incident,” he said in an email.

Those affiliates aren’t necessarily out to do something as drastic as to steal nuclear secrets. It’s often far more random than that, Brandt said. “In many cases, we suspect that the attackers are just looking for targets of opportunity, but because there’s a diversity of affiliates and they may have different levels of skill and ability to target specific industries or organizations, it’s entirely possible this organization was specifically targeted. We just don’t know,” he said.

In the end, the “all necessary action” that the REvil gang referred to would include all of the recommendations that Sophos put in the tail end of its REvil report, Brandt continued. “Companies and organizations of all sizes and in all industries need to take a hard look at their own infrastructure and take whatever actions are necessary to close off those ‘low hanging fruit’ problems that are nearly always at the root cause of these kinds of breaches,” he said. “Closing off public-facing services like RDP at the firewall; enabling multi-factor authentication at all internal and externally-facing services, like VPNs; ensuring that internet-facing devices and servers are fully up to date with patches or fixes for known bugs, even if that means some downtime.”

Brandt noted that Sophos gives this advice “again and again” because, time and time again, “These have been the methods that criminals use to break into organizations. The attackers will never stop trying to find ways around those weak spots in the organization’s security posture. Defenders need to get out their metaphorical dental picks and start scraping away the cruft that’s putting their organization at risk. The alternative is to become a victim.”

Consequences for Bold, Dangerous Cyberattacks?

David Bishop, CISO of global managed security services company Trustwave, opined that we need “more serious repercussions” for this type of attack. “We’re seeing advanced adversaries getting much bolder with who they are attacking, how they are blackmailing the targeted organization, and how they are monetizing their stolen goods,” he told Threatpost in an email on Friday.

“Most of these organized groups are financially motivated, but if these types of attackers shift their motivation from monetary to malicious, we should expect severe real-world outcomes.,” Bishop continued. “We’ve only seen the tip of the iceberg in terms of the real-world effects with the cyber-attacks on JBS and Colonial Pipeline. The public and private sectors need to closely coordinate on what we can accomplish in terms of hard legal or offensive action to combat these threats – otherwise, these adversaries will continue to attack at will.”

061121 17:43 UPDATE: Added input from Sophos’s Andrew Brandt.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles