[BreachExchange] Space – REvil cybergang hits HX5, defense contractor with Army, Navy, Air Force, NASA customers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 9 10:43:17 EDT 2021


https://fintechzoom.com/fintech_news_space/space-revil-cybergang-hits-hx5-defense-contractor-with-army-navy-air-force-nasa-customers/

The REvil cybergang hit a defense contractor whose customers include the
U.S. military in a brash test of President Biden’s tough talk seeking to
deter cyberattackers bombarding America.

The Russia-linked REvil claimed it stole 23 gigabytes of data belonging to
HX5, a Florida-based defense contractor working on aerospace and weapon
launch technology that lists its clients as including the Army, Navy, Air
Force, NASA, and General Services Administration. It first published
screenshots of some of the allegedly stolen material on a website, “The
Happy Blog,” on Wednesday.

Targeting a company with U.S. military customers indicates that
cybercriminals have not changed their behavior because of threatened action
by the U.S. government and Mr. Biden, according to cybersecurity
professionals.

Brett Callow, a threat analyst at the software company Emsisoft, said that
ransomware groups have previously targeted defense contractors but REvil
was sending a warning as its attack unfolds.

“This is a bit like a kidnapper sending the pinky finger rather than the
head,” Mr. Callow said.

Cybersecurity professionals have linked REvil to Russia, although it
operates with a business model featuring affiliates who deploy attacks from
all across the world.

Mr. Biden has been under pressure to respond to the onslaught of ransomware
attacks on the U.S. after he drew a “red line” on cyberattacks at a June 16
summit with Russian President Vladimir Putin.

White House press secretary Jen Psaki said Thursday that the Biden
administration would continue to send a “clear message” to Russia about
cybercriminals working within its borders. But she refused to say what the
U.S. government would do to enforce its ultimatums.

“If the Russian government cannot or will not act against criminal actors
residing in Russia, we will act,” Ms. Psaki said. “In terms of what we will
do, I’m not in a position, of course, to discuss operations.”

A wave of ransomware attacks has hit U.S. businesses and organizations in
recent months, including schools, medical facilities, and companies such as
major U.S. fuel provider Colonial Pipeline.

REvil is the same group that previously disrupted major meat producer JBS
and that hit the software company Kaseya last weekend in a ransomware
attack that the company said affected under 1,500 businesses downstream
from its customers.

The gang has made its intentions known through posting allegedly stolen
information on HX5, which declined to comment on the cyberattack.

Money motivates ransomware attackers who hold data and systems hostage
until victims pay up to regain access. REvil has proven to be an innovative
cyberattacker that is interested in both burnishing its reputation and
pocketing loot, said Reuven Aronashvili, who previously served in the Israel
Defense Forces and founded the cybersecurity company CYE.

He said REvil’s targeting a defense contractor demonstrates its capability
and helps cement its status as a top ransomware attacker.

“They managed to get credibility on their capabilities and no one is not
taking them seriously anymore,” Mr. Aronashvili said. “I think that’s part
of the process. Now whether that’s connected to a government behind it that
conceals the data, buys the data, and so on, that is something that, of
course, can be another business model.”

Details about what REvil allegedly took from HX5 and whether the attack
affects its U.S. government customers are unclear. The screenshots posted by
REvil display alleged personal information of HX5 employees, including a
social security number and the personal data included in a life insurance
policy for an HX5 executive.

The Army and Navy declined to comment on the cyberattack hitting HX5 and
each referred questions to U.S. Cyber Command, which did not respond to
requests for comment. The Air Force did not respond to requests for
comment. The General Services Administration said it was not a victim of
the REvil attack on Kaseya, but it did not answer questions about REvil
hitting HX5.

NASA said it did not have information about HX5 or the cyber incident but
that it continuously coordinates with the Cybersecurity and Infrastructure
Security Agency on emerging cyberthreats.

In a March interview with cybersecurity publication The Record, a REvil
representative claimed to have access to a ballistic missile launch system,
a U.S. Navy cruiser, a nuclear power plant, and a weapons factory. The
unidentified REvil representative professed to have the ability to start a
war but no intention of doing so because it wouldn’t be profitable.

Mr. Aronashvili cautioned against believing all of REvil’s assertions or
discounting them entirely.

“One thing that we can say about them is that they manage to have a lot of
credibility in the market and usually when they say that they have
something, that’s something that usually they can prove,” he said.
“However, when you talk about this kind of high-profile targets sometimes
people are bragging a little bit more than they have, so I believe that the
truth is somewhere in the middle there.”

• Jeff Mordock contributed to this report.