A U.S. military contractor involved in the maintenance of the country’s Minuteman III nuclear arsenal has been hit by the Maze ransomware, according to reports – with the hackers making off with reams of sensitive information.
The company, Westech International, has a range of contracts with the military for everything from ongoing evaluation for the ballistic missile defense system in Colorado, to a role as a sub-contractor for Northrup Grumman. In the latter capacity it provides engineering support, repair and maintenance for ground subsystems components involved in the Minuteman III intercontinental ballistic missile (ICBM) program.
The U.S. has about 440 of the ICBMs, which have been around since the 1970s and which are stored in U.S. Air Force facilities in Montana, North Dakota and Wyoming. They make up the country’s long-range land-to-air nuclear stockpile, and each can travel up to 6,000 miles with a payload of several thermonuclear warheads on board, according to the Center for Strategic and International Studies.
The cyberattackers first compromised the contractor’s internal network, the company confirmed to Sky News, before encrypting files and exfiltrating data. Maze has a quirk not found in most ransomwares: In addition to encrypting files and offering the decryption key in exchange for a ransom payment, it also automatically copies all affected files to the malicious operators’ servers.
The Maze operators thus often carry out “double extortion” attacks, in which they leak information on an underground forum unless victims pay up. In fact, researchers said in April that the Maze gang has created a dedicated web page, which lists the identities of their non-cooperative victims and regularly publishes samples of the stolen data. This so far includes details of dozens of companies, including law firms, medical service providers and insurance companies, that have not given in to their demands.
In the case of Westech International, the cybercriminals have begun to leak documents online, which include sensitive employee data such as payroll information and other personal details, along with company emails, which may or may not include classified military information, according to documents reviewed by Sky News.
“We recently experienced a ransomware incident, which affected some of our systems and encrypted some of our files,” Westech said in a media statement. “Upon learning of the issue, we immediately commenced an investigation and contained our systems. We have also been working closely with an independent computer forensic firm to analyze our systems for any compromise and to determine if any personal information is at risk.”
Threatpost has reached out to the company for further details and comment, including the timeline of the attack, initial attack vector, the remediation process and whether it paid the ransom.
“Ransomware attacks are carefully planned and meticulously executed, starting with research to identify target organizations and their employees through Linkedin, Facebook, Twitter and online news searches,” Colin Bastable, CEO of security awareness and training firm, Lucy Security, said via email. “Spoof emails are highly effective under normal circumstances but in these difficult circumstances they are even more dangerous. Ransomware attacks may be launched weeks and months before they are executed, and it is very difficult to ensure that the hackers have been eradicated. Just like the coronavirus, they can lie dormant and re-emerge.”
The operators behind the Maze ransomware have been busy of late, usually going after very high-profile fish. In April they hit IT services giant Cognizant, causing service disruptions; Cognizant, a Fortune 500 company, employs close to 300,000 people. The malware was also behind the December cyberattack on the City of Pensacola, Fla., which shut down the city’s computer networks and affected its systems. Other targets have included Allied Systems and Pitney Bowes.