Criminals have published data from big name companies as they turn the extortion screw on cyber …
On February 26th, I was contacted by a threat analyst working at Emsisoft, Brett Callow, who was concerned that SpaceX and Tesla might have been hacked. The basis for this concern being the publishing of non-disclosure agreement documents related to the companies by a cybercrime group, which also tweeted that there would be “big deals soon.”
That tweet came from an account in the name of DoppelPaymer, a known ransomware variant that has been active for some months now. In fact, the cybercriminals had targeted a precision parts manufacturer that supplies the automotive, aeronautics and aerospace industries. Visser Precision, LLC, is based in Denver, Colorado, and counts Lockheed Martin, SpaceX and Tesla among its customers.
“DoppelPaymer has been active since the middle of last year, but has only started publishing data in the last few days,” Brett Callow says, adding “the group claims to have sold data stolen in previous incidents on the dark web.”
In an emailed statement, Visser Precision, LLC said: “Visser Precision, LLC was the recent target of a criminal cybersecurity incident, including access to or theft of data. The company continues its comprehensive investigation of the attack, and business is operating normally. Visser Precision will continue full cooperation with its customer partner companies, but will make no further press comment at this time.”
The FBI has been very vocal of late in warning about the high-impact ransomware threat, part of a cybercrime wave that cost in excess of $3.5 billion (£2.7 billion) in 2019.
DoppelPaymer uses the same tactics, and much of the same code, as other ransomware threats known as BitPaymer and Maze. What they all have in common is that they exfiltrate files before encrypting them, then publish those files as leverage in their ransom payment negotiations. Javvad Malik, a security awareness advocate at KnowBe4, said that the DoppelPaymer ransomware tactics are becoming favored because “even if the organization has backups in place, or can resume operations, the threat of leaking or selling commercially sensitive data and intellectual property will remain.”

Indeed, this puts pressure not only on the target organization but also on those customers whose data is being published or sold. That seems to be what is happening here.

Oliver Pinson-Roxburgh, a co-founder of cybersecurity specialists Bulletproof, said that BitPaymer is believed to be operated by a hacking group known as Indrik Spider, which may now have split. “Whoever has split from the group,” Pinson-Roxburgh said, “has gone on to build their own ransomware operation targeting big businesses.”
I have seen part of some of the SpaceX and Tesla documents that have been shared by the DoppelPaymer criminal actors, and have contacted both to request comment. Parts of documents relating to Lockheed Martin schematics were also made available by DoppelPaymer. A Lockheed Martin spokesperson told me: “We are aware of the situation with Visser Precision and are following our standard response process for potential cyber incidents related to our supply chain. Lockheed Martin has made and continues to make significant investments in cybersecurity, and uses industry-leading information security practices to protect sensitive information. This includes providing guidance to our suppliers, when appropriate, to assist them in enhancing their cybersecurity posture.”
I have contacted both SpaceX and Tesla for comment and will update this article if any statements are forthcoming.