REvil cybergang hits HX5, defense contractor with Army, Navy, Air Force and NASA clients

The REvil cyber gang hit a defense contractor whose clients include the US military, in open defiance of President Biden's tough talk aimed at deterring the cyberattacks battering the United States.

REvil, linked to Russia, claimed it stole 23 gigabytes of data belonging to HX5, a Florida-based defense contractor that works in aerospace and gun-launch technology and lists its clients as the Army, Navy, Air Force, NASA and the General Services Administration. The gang first posted screenshots of some of the allegedly stolen material on its leak website, "The Happy Blog," on Wednesday.

Targeting a company with US military clients indicates that cybercriminals have not changed their behavior despite threats of action from the US government and Mr. Biden, cybersecurity professionals said.

Brett Callow, a threat analyst at software company Emsisoft, said ransomware groups have previously targeted defense contractors, but REvil was sending out a warning as its attack unfolded.

“This is a bit like a kidnapper sending the little finger instead of the head,” Callow said.

Cybersecurity professionals have linked REvil to Russia, although it operates an affiliate business model in which partners from around the world carry out the attacks.

Mr. Biden has been under pressure to respond to the spate of ransomware attacks in the United States after he drew a "red line" on cyberattacks at a June 16 summit with Russian President Vladimir Putin.

White House press secretary Jen Psaki said Thursday that the Biden administration would continue to send a "clear message" to Russia about cybercriminals operating within its borders. But she declined to say what the US government would do to enforce its ultimatums.

"If the Russian government is unable or unwilling to act against criminal actors residing in Russia, we will act," Ms. Psaki said. "In terms of what we will do, I am not in a position, of course, to discuss the operations."

A wave of ransomware attacks has hit US businesses and organizations in recent months, including schools, medical facilities, and businesses like the top US fuel supplier Colonial Pipeline.

REvil is the same group that previously disrupted top meat producer JBS and hit software company Kaseya last weekend in a ransomware attack that the company said affected fewer than 1,500 businesses downstream of its customers.

The gang has made its intentions known by posting information allegedly stolen from HX5, which declined to comment on the cyberattack.

Money motivates ransomware attackers, who hold data and systems hostage until victims pay to regain access. REvil has proven to be an innovative cyber attacker that is interested in both polishing its reputation and pocketing the loot, said Reuven Aronashvili, who previously served in the Israel Defense Forces and founded the cybersecurity company CYE.

He said that REvil targeting a defense contractor demonstrates its capabilities and helps cement its status as one of the top ransomware attackers.

"They managed to gain credibility in their capabilities and no one takes them seriously anymore," Mr. Aronashvili said. "I think it is part of the process. Now, whether it is connected to a government behind it that hides the data, buys the data, etc., that's something that of course can be another business model."

Details about what REvil allegedly took from HX5, and whether the attack affects its US government clients, are unclear. Screenshots posted by REvil show alleged personal information of HX5 employees, including a Social Security number and personal data from a life insurance policy for an HX5 executive.

The Army and Navy declined to comment on the cyberattack that hit HX5 and each referred questions to US Cyber Command, which did not respond to requests for comment. The Air Force did not respond to requests for comment. The General Services Administration said it was not a victim of the REvil attack on Kaseya, but did not respond to questions about REvil hitting HX5.

NASA said it had no information on HX5 or the cyber incident, but that it continually coordinates with the Cybersecurity and Infrastructure Security Agency on emerging cyber threats.

In a March interview with cybersecurity publication The Record, a REvil representative claimed to have access to a ballistic missile launch system, a United States Navy cruiser, a nuclear power plant and a weapons factory. The unidentified REvil representative claimed to have the ability to start a war, but did not intend to do so because it would not be profitable.

Mr. Aronashvili cautioned against believing all of REvil’s claims or dismissing them entirely.

“One thing we can say about them is that they get a lot of credibility in the market and usually when they say they have something, that’s something that they can usually show,” he said. “However, when it comes to these kinds of high-profile goals, sometimes people brag a little more than they have, so I think the truth is somewhere in the middle.”

• Jeff Mordock contributed to this report.
