US Department of EnergyGraeme Sloan/Sipa USA/Sipa/AP
On June 3—sandwiched between snippets of data from a US technology testing firm and a Brazilian maritime logistics company—internal information from an Albuquerque-based small business was posted to the dark web blog of an established ransomware group. Though this would be unwelcome news for any business of any size, this one especially caught the attention of Brett Callow, a ransomware expert at cybersecurity firm Emsisoft.
That’s because the company, Sol Oriens, LLC, is a Department of Energy National Nuclear Security Administration subcontractor. Its employees work on sensitive matters related to nuclear weapons and energy.
The National Nuclear Security Administration is the government agency responsible for maintaining and securing the nation’s nuclear weapons stockpile. It works on nuclear applications for the US military, along with other highly sensitive missions.
The attack was the work of REvil, a ransomware group that’s been in the headlines in recent weeks. It was accused by the FBI of hacking JBS, the world’s largest meatpacker, just ahead of Memorial Day weekend. The gang’s blog is full of victim data. In some ways, Sol Oriens, LLC is just one name among many. There’s no indication yet that the company was targeted because of the work it does, rather than just being another potential pay day for hackers.
But the sensitive nature of its work, and the connections between its employees and some of the most tightly guarded organizations in the US, has people like Callow worried.
Sol Oriens, LLC, may not be a major contractor, but its employees have connections to key strategic national security entities, such as Sandia National Laboratories, and Los Alamos National Laboratory.
“Ransomware represents a significant risk to national security,” he says. “While the actors may simply be financially motivated, there is no way of knowing where the information they steal may end up.”
For now, the data posted seems benign. It shows what appears to be a portion of a company payroll form from September 2020, outing a handful of employees’ names, social security numbers, and quarterly pay. There’s also a company contracts ledger, and a portion of a memo outlining worker training plans. (The memo has Department of Energy and NNSA Defense Programs logos at the top.)
Someone authorized to speak for Sol Oriens, LLC, did not respond to requests for comment.
A spokesperson for the Department of Energy declined to comment, and a spokesperson for the FBI’s Albuquerque Field Office would neither confirm nor deny that the agency was investigating the matter.
The Department of Energy had previously acknowledged that portions of its computer network were breached as part of the SolarWinds hack, a historically significant attack the US government attributed to the Russian government that leveraged access to a third-party services vendor to gain access to multiple US federal government agencies and private companies.
Sol Oriens, LLC, “did not take all necessary action to protect personal data of their employees and software development for partner companies,” the gang of hackers wrote above two screenshots of purportedly stolen data. “We hereby keep a right (sic) to forward all of the relevant documentation and data to military agencies of our choise (sic), including all personal data of employees.”
The Albuquerque company’s website has been unreachable since at least June 3. According to an archived version, it’s a “small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications” that works with the “Department of Defense and Department of Energy Organizations, Aerospace Contractors, and Technology Firms (sic) carry out complex programs.”
High-profile ransomware attacks are becoming more common across every sector. They’ve even hit major cities. Relatively small-time attacks occur daily. Ransomware attacks are not new, and were “a minor annoyance” until relatively recently, Matthew Green, a computer security expert and professor at the Johns Hopkins Information Security Institute, wrote in a Washington Post op-ed Tuesday. “Yet over the past four years, the skates have changed,” he points out. In 2017, shipping giant Maersk lost $300 million in an attack. In 2019, a North Korean attack—using a stolen US National Security Agency tool—cost an estimated $4 billion. Also that year, a ransomware incident shut down a US Coast Guard facility for more than 30 hours and “included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems.”
Nearly 2,400 US-based governments, healthcare facilities, and schools were the victims of ransomware in 2020, according to Emsisoft, which also reports that it takes an average of 287 days for businesses to fully recover from such attacks.
FBI Directory Chris Wray recently drew an analogy between the needed response and what happened after 9/11, envisioning tighter coordination between private industry and government, especially when it comes to critical infrastructure. Wray said the agency was investigating about 100 different strains of the ransomware, the term for malicious software used by attackers to lock computer hard drives or files then held ransom as attackers extort money with a promise to unlock the files upon payment. Attackers are increasingly turning the screws on victims by simultaneously stealing files, and posting samples online to up the pressure. When victims don’t pay, or talks break down, the groups post the entire pile of stolen material online.
Calls for a strong response from the Biden administration continue to grow, and the federal government is upping its response. On Monday, US Department of Justice Deputy Attorney General Lisa Monaco called the spate of recent attacks an “epidemic,” as she announced that the FBI had successfully recovered a large portion of the ransom paid by Colonial Pipeline to another ransomware group, Darkside. The company shut down a major fuel pipeline in the wake of the attack, leading to an outage that lasted several days and caused fuel shortages in several states. The company eventually paid the hackers nearly $5 million in Bitcoin, which the FBI then tracked and took back.
The recovery of Colonial Pipeline’s funds was the task force’s first major action, Monaco said.
In the midst of high-profile attacks and FBI operations to claw back cryptocurrencies against hacking gangs, the daily attacks and extortions of smaller companies continues apace. Sometimes those companies happen to be doing work at key points along complex and sensitive national security supply chains, Callow says.
In June 2020, Westech International, Inc., a military technology subcontractor, was hit with ransomware and had some of its data published online. Earlier that year, in March, Visser Precision, a space and aeronautics contractor was hit. In February 2020, an Ohio-based vendor producing power supply equipment had some of its data posted online.
“The information lost in these incidents could be passed to other governments by the cybercriminals out of patriotism or sold to them for profit,” he says. “Or perhaps those other governments could simply download it after it’s released online.”
The national security implications of seemingly minor federal contractors may not make as many headlines as a major fuel pipeline, or the company responsible for a quarter of the country’s beef. But that doesn’t mean the concerns aren’t there.
“In a series of countries around the world—Russia, Iran, North Korea is a little bit different, to some degree in China—what we’ve seen is that government has encouraged a growing hacker population that’s been able to, in an unchecked way, to be able to pursue their interest—in Russia, largely—in cyber crime,” Christopher Ahlberg, the founder of cybersecurity firm Recorded Future, told TechCrunch recently. “Then over time, you see intelligence agencies in Russia—FSB, SVR, and GRU—being able to poach people out of these groups or actually task them.”
