According to breaking reports, Russian hackers have managed to steal highly sensitive data from a subcontractor of “Northrop Grumman,” called “Westech International.” The engineering company was working on the LGM-30G Minuteman III land-based intercontinental ballistic missile. This is a key nuclear deterrent system operated by the US Air Force, carrying thermonuclear warheads and with a range of more than 6,000 miles. These missiles are deployed in hundreds of underground facilities across the United States, so we’re talking about a pivotal military system that the Russians would do anything to learn more about. And apparently, they did.
A Sky News report claims that Russian hackers managed to infect Westech International’s computer network with ransomware. The precious and classified documents were first exfiltrated and then encrypted locally. Next, the typical extortion game played out, while the New Mexico-based company was still investigating what had been lost. Email communication and payroll data were quickly confirmed as breached, while classified military information remained a question. Soon though, the actors started leaking data samples relating to the LGM-30G Minuteman III, so things became pretty clear.
According to documents unsealed in a US court, the actors worked in close collaboration with Russian intelligence. This means the targeting wasn’t random, and that the files are not going to be returned or deleted in exchange for a payment, nor merely shared with others. The stolen documents will almost certainly go straight to Russian specialists who know what to make of them. Westech International admitted that the files were very sensitive, and added that they concerned things that were “work in progress.” Thus, this data breach introduces risks to the national security of the United States, and there’s no way to undo the damage done now. As for the leaking of the staff’s sensitive details, this puts these people in unnecessary danger.
From a technical perspective, the Russian actors used the MAZE ransomware, which is operated under an affiliate model. We recently saw the same strain deployed against Banco BCR in a purely financially motivated attack. The most recent incident, though, is more about stealing the files than about collecting any payment from the victim. That said, various types of actors are using MAZE for different reasons and with qualitatively different goals. It is interesting to see “plain lock-down hackers” utilizing medium-level tooling to achieve results that we would otherwise only see in high-level cyber-espionage.
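The two paragraphs above describe the defining MAZE pattern: data is exfiltrated first and encrypted second, so a defender should look for the combination, not for each symptom alone. The following is an added illustration, not code from the article, from Westech, or from any security vendor: it runs a simple heuristic over constructed endpoint telemetry (an assumed `timestamp|host|event|detail` format with `net_out` byte counts and file `rename` events, both invented here) and separates hosts that show an outbound burst followed by a mass-rename burst (“double extortion”) from hosts that only show the encryption burst. Thresholds and window sizes are assumptions to be tuned against real baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed telemetry lines in the assumed format: timestamp|host|event|detail."""
    lines = []
    base = datetime(2020, 6, 1, 1, 0)
    # ws-07: ~3.6 GB leaves in three minutes, then 80 files get one new extension.
    for i, nbytes in enumerate((900_000_000, 1_200_000_000, 1_500_000_000)):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()}|ws-07|net_out|{nbytes}")
    for i in range(80):
        lines.append(f"{(base + timedelta(minutes=30, seconds=i)).isoformat()}|ws-07|rename|.xyz")
    # ws-03: the same mass rename with no preceding outbound burst (plain encryption).
    for i in range(80):
        lines.append(f"{(base + timedelta(minutes=5, seconds=i)).isoformat()}|ws-03|rename|.xyz")
    # ws-12: normal activity: tiny outbound traffic and a handful of renames.
    lines.append(f"{base.isoformat()}|ws-12|net_out|2000")
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=10, seconds=i)).isoformat()}|ws-12|rename|.bak")
    return "\n".join(lines)


def parse_log(text):
    """Parse lines into (time, host, event, detail) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, event, detail))
    events.sort(key=lambda e: e[0])
    return events


def first_exfil_time(events, byte_threshold, window):
    """Earliest time at which outbound bytes within `window` reach `byte_threshold`."""
    outs = [(t, int(d)) for t, _, ev, d in events if ev == "net_out"]
    total, start = 0, 0
    for t, n in outs:
        total += n
        # Drop samples that fell out of the sliding window.
        while outs[start][0] < t - window:
            total -= outs[start][1]
            start += 1
        if total >= byte_threshold:
            return t
    return None


def encryption_burst_time(events, rename_threshold, window):
    """Earliest time at which `rename_threshold` renames to one extension happen within `window`."""
    by_ext = defaultdict(list)
    for t, _, ev, d in events:
        if ev == "rename":
            by_ext[d].append(t)
    best = None
    for times in by_ext.values():
        for i in range(len(times)):
            j = i + rename_threshold - 1
            if j < len(times) and times[j] - times[i] <= window:
                if best is None or times[i] < best:
                    best = times[i]
                break
    return best


def classify_hosts(events, byte_threshold=1_000_000_000, exfil_window=timedelta(minutes=10),
                   rename_threshold=50, rename_window=timedelta(minutes=5),
                   gap=timedelta(hours=2)):
    """Per host: 'double_extortion' if an exfil burst precedes the encryption burst by at most `gap`,
    'encryption_only' if only the rename burst is present, nothing otherwise."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e[1]].append(e)
    verdicts = {}
    for host, evs in per_host.items():
        exfil = first_exfil_time(evs, byte_threshold, exfil_window)
        enc = encryption_burst_time(evs, rename_threshold, rename_window)
        if enc is None:
            continue
        if exfil is not None and exfil <= enc <= exfil + gap:
            verdicts[host] = "double_extortion"
        else:
            verdicts[host] = "encryption_only"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(parse_log(build_sample_log())).items()):
        print(f"{host}: {verdict}")
```

The point of separating the two verdicts is response priority: an `encryption_only` host is a restore-from-backup problem, whereas a `double_extortion` host means the data is already outside the perimeter and the incident must be treated as a confirmed breach regardless of whether the ransom is ever paid.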