Threat Watch

Maze Ransomware Operators Leak Files Stolen From Nuclear Missile Contractor Westech

Maze: Several files allegedly stolen from Westech appeared on the website used by the operators of the Maze ransomware to threaten and extort the companies that they, or their associates, have victimized. Westech is a US Department of Defense contractor that provides engineering for the Minuteman III intercontinental ballistic missile system, acting as a sub-contractor for Northrop Grumman. The Maze website claims that the files were stolen on May 8, 2020, and provides links to a few of the allegedly stolen files, including some personal information and document files. The ransomware operators did not make any claims about whether they obtained files related to sensitive engineering data about missile systems. Any classified information was likely kept on computer systems that were not connected to the Internet and should have been stored in a physically secure space, not networked with any computers that the Maze operators would have been able to access.

ANALYST NOTES

Any breach of a cleared defense contractor is a serious matter, especially if it could potentially affect the safety and security of nuclear weapons systems. The Department of Defense has been increasing auditing and compliance requirements for contractors, but simply complying with the minimum required security controls to pass an audit is not necessarily sufficient to protect against ever-evolving attack techniques. It is important to keep Internet-facing systems up to date with security patches, to use multi-factor authentication and auditing for all remote access systems, and to educate employees about the danger of opening attachments, downloading document files, or entering their passwords into phishing pages. Even with the best security controls in place, one careless employee can open the door for attackers to gain remote access, steal files, and encrypt or destroy the original copies. The best strategy for defense in depth is for a Security Operations Center to monitor network and endpoint systems around the clock, detecting abnormalities in user behavior that can indicate an attacker has breached a computer, and then shutting down the attacker’s access before they have a chance to steal all the files and cause damage.
For more information, please see:
https://news.sky.com/story/hackers-steal-secrets-from-us-nuclear-missile-contractor-11999442