Ransomware Scumbags Leak Boeing, Lockheed Martin, SpaceX Documents After Contractor Refuses To Pay (theregister.co.uk) 152
An anonymous reader quotes a report from The Register: Internal confidential documents belonging to some of the largest aerospace companies in the world have been stolen from an industrial contractor and leaked online. The data was pilfered and dumped on the internet by the criminals behind the DoppelPaymer Windows ransomware, in retaliation for an unpaid extortion demand. The sensitive documents include details of Lockheed-Martin-designed military equipment -- such as the specifications for an antenna in an anti-mortar defense system -- according to a Register source who alerted us to the blueprints. Other documents in the cache include billing and payment forms, supplier information, data analysis reports, and legal paperwork. There are also documents outlining SpaceX's manufacturing partner program.
The files were siphoned from Visser Precision by the DoppelPaymer crew, which infected the contractor's PCs and scrambled its files. When the company failed to pay the ransom by their March deadline, the gang -- which tends to demand hundreds of thousands to millions of dollars to restore encrypted files -- uploaded a selection of the documents to a website that remains online and publicly accessible. Visser is a manufacturing and design contractor in the U.S. whose clients are said to include aerospace, automotive, and industrial manufacturing outfits -- think Lockheed Martin, SpaceX, Tesla, Boeing, Honeywell, Blue Origin, Sikorsky, Joe Gibbs Racing, the University of Colorado, the Cardiff School of Engineering, and others. The leaked files relate to these customers, in particular Tesla, Lockheed Martin, Boeing, and SpaceX.
IT manager scumbags refuse to lock down computers (Score:5, Insightful)
This is as much to do with bad security protocols as it is with the criminals doing bad things. This could've been any other state actor and they would have a persistent node into the Lockheed and Boeing networks.
The problem is that managers are refusing to provide proper equipment for these people and then want the government to investigate or bailout whenever something bad happens.
There is no reason for ransomware to happen anymore, it is purely bad security and bad actors on the corporate side to let this happen.
Re: (Score:2)
Re: (Score:2)
A girl gets drunk in a bar... Unfortunate, but not unpredictable, events unfold.
you just blamed the victim.
Re: (Score:3)
This is one of those problems you insure against, because there is no perfect prevention. You can only lock down so much before it gets in the way of people being able to do their jobs.
Re: (Score:2)
Jack stands get in the way of working under vehicles, literally. But you still mandate that your employees use them because otherwise they get squished sometimes.
You find a way to work around the problems, you don't just not use safety equipment.
Re: (Score:2)
Re: (Score:2)
We should be operating under the assumption that state actors have access to all this stuff and more. Since Snowden was able to exfiltrate so much data relatively easily it is reasonable to assume that even the most supposedly secure organizations and systems are in fact compromised by at the very least other states, if not criminals too.
Re: (Score:2)
Re: (Score:2)
This is just a sample of what they got, anything actually valuable is going to be on the market.
Re: (Score:2)
Re: (Score:2)
There are a few sides to this coin. One company that I'm familiar with, which actually never released a product, had evaluated their tech stack from the top down and from the bottom up.
Top down: Engineers want Solidworks. In our country, everyone learns on Solidworks and training is difficult when the company is not using Solidworks. Solidworks requires Windows.
Bottom up: Linux can be properly secured while enabling the level of file sharing necessary between engineers' computer, barring a directed attack a
Re:IT manager scumbags refuse to lock down compute (Score:5, Insightful)
If your bank manager keeps insisting that the vault doesn't need a lock on its door, he's as much to blame as the thieves who stole the contents of the vault.
Re:IT manager scumbags refuse to lock down compute (Score:4, Insightful)
Re:IT manager scumbags refuse to lock down compute (Score:5, Insightful)
he's as much to blame as the thieves who stole the contents of the vault.
False. The thieves are to blame. They're the ones who stole the contents of the safe. They are the only ones who did anything wrong.
Re: IT manager scumbags refuse to lock down comput (Score:2)
Oh, right. So if your valuables were some of what got stolen, you wouldn't be suing the. And to be compensated? Please.
Re: (Score:3)
- Gny. Sgt. Hartman: Private Pyle, if there is one thing in this world that I hate, it is an unlocked footlocker! You know that don't you?
- Pvt. Leonard 'Gomer Pyle' Lawrence: Sir, yes, sir.
- Gny. Sgt. Hartman: If it wasn't for dickheads like you, there wouldn't be any thievery in this world, would there?
Re: IT manager scumbags refuse to lock down comput (Score:2)
Re: (Score:2)
And if we're talking about bank vaults, which was my initial comparison, the goal is to stop thieves long enough that the police has enough time to arrive and arrest them.
Re: (Score:3)
If you leave your keys in your car while you pop into the gas station, your insurance company is going to laugh at your claim while denying it, and the police are going to treat you as an idiot while taking down your report.
Blame is not a single entity - blame is something that can be spread around as applicable. In this case, the data thieves bear the blame of stealing the data, while other persons may bear the blame of making it easy for that to happen.
Re: (Score:2)
Bit of trivia that I read years ago: 1/3 of cars that are stolen have the keys in them. Half of those were left running when they were stolen.
Re: (Score:2)
Morally yes, but in practice the insurance won't pay out due to negligence and the customers might sue the bank for not taking reasonable steps to protect their money.
These things are rarely black and white and blame often depends on the context.
Re:IT manager scumbags refuse to lock down compute (Score:5, Insightful)
No, that doesn't make any sense. Part of the bank manager's job is to secure the money. That's part of the reason that banks exist. That's part of the reason that I, as a bank customer, pay bank fees. It's similar to the reason I pay taxes to support a police force. A police officer who doesn't investigate crimes and try to catch criminals isn't doing his or her job, and is doing something wrong. They deserve blame. Likewise with the bank manager. Criminals *also* deserve blame. Both can deserve different blame at the same time.
If I have a disease, let's say cancer, and I go to a doctor and they offer to remove the tumor, and they get paid to do that, then they have some responsibility for doing a reasonably good job. If they do everything right and the cancer flares back up, that's not their fault. If they don't follow best practices and leave some of the tumor in there, or do something stupid and kill me, they are to blame for their mistakes. They can't just say the cancer did it, because they were paid to do something and they didn't do it right. It's called responsibility. This is common sense. It's only the pedants on slashdot that can't follow common sense.
Given the extensive knowledge in the IT industry about ransomware attacks, and the well known best practices about how to thwart them, any IT department who doesn't have nightly backups, and who hasn't at least put forward a plan to backup all data regularly to an air-gapped system, and made a good faith effort to convince management that it's a great idea, simply isn't doing their job. We were hit with ransomware a few years ago, and we didn't even have a full time IT staff, but we had nightly server backups and we were able to restore from backups and move on. We didn't restore files on PCs, because we don't back those up, but we had recognized that problem and we had policies in place that employees must store all important files on servers, so the loss was minimal.
I would argue that the main role of IT is to safeguard the company's data. That's a major component of why they're paid. To fail in that role is incompetence.
Comment removed (Score:4, Informative)
Re: (Score:3)
The FDIC insures money in a bank. They have requirements that the banks must meet. A secure vault is one [fdic.gov].
See, this plays well into my theory that in the future, the IT industry will require insurance just like the medical and automotive industries.
Re:IT manager scumbags refuse to lock down compute (Score:5, Interesting)
He certainly has some share of the blame, but half of the blame? No, I don't think so.
If I inadvertently leave my house unlocked and it gets ransacked, I hold liability only insofar as I left the door unlocked (it very well could affect my ability to make an insurance claim), but I did not commit a criminal act. So no, neither I, in this case the contractor, share equal blame with the criminals.
Re: (Score:2)
I'm not saying the contractor is to blame, the company that didn't provide him with the proper technology is at least partially to blame. Yes there are criminals out there but also non-criminals (spies for other countries are generally not considered criminals within their own countries) and they have the duty to defend their employees and their company and their clients.
Ransomware is very simple to stop, most advanced antivirus and firewalls will find it and block exfiltration either before it starts or so
Re: (Score:2)
Ransomware is very simple to stop, most advanced antivirus and firewalls will find it and block exfiltration either before it starts or soon after it starts.
Really? Please tell us all where to find this universally effective security technology, because it seems you have solved one of the biggest problems in the industry and I'm sure everyone else working on it would like to know how.
Re: IT manager scumbags refuse to lock down comput (Score:2)
This. It's pure ignorance and hubris to think you can create a system that's both usable and not hackable.
Re: (Score:2)
Re: (Score:2)
A military response should never be completely off the table
So the Bulgarian crackers working in Istanbul who were hired by the Lithuanian mafiosi through a cutout in Budapest, running command and control on hacked servers in Dubai that run a botnet in Dublin data centers which dump the stolen data to storage in Sao Paulo, while the initial email originated from an SMTP relay in a corporate office in Toronto . . . who do you intend to bomb?
This ain't the Good Old Days when you could say with some confidence, "This attack came from IP address X.X.X.X which correspond
Re: (Score:2)
Ransomware is very simple to stop, most advanced antivirus and firewalls will find it and block exfiltration either before it starts or soon after it starts.
Really? Please tell us all where to find this universally effective security technology, because it seems you have solved one of the biggest problems in the industry and I'm sure everyone else working on it would like to know how.
No joke! I came close to needing a new keyboard after I read that. Someone is very clueless about the capabilities of security products.
Re: (Score:2)
This appears to be scenario (b), given the information has reportedly been leaked.
And yes, proper access controls and encryption measures are important. But sooner or later, if the information is useful, someone needs to use it, and that person needs access. Now you have an attack vector.
Re: (Score:2)
It appears that the hacked company did not only lose their own secret designs, but also those of their clients. This correlates not with a case of you forgetting to lock your own house, but with you forgetting to lock your own house, while you know it holds very valuable things belonging to someone else:
The sensitive documents include details of Lockheed-Martin-designed military equipment – such as the specifications for an antenna in an anti-mortar defense system
I am quite sure that those losers from Visser Precision were under contractual obligation to keep their house secure. There may be no criminal liability, but there will be lots of civil liability waiting f
Re: (Score:2)
Re:IT manager scumbags refuse to lock down compute (Score:5, Insightful)
He didn't say they were blameless. You're engaging in a particularly annoying modern mashup of the strawman, false dichotomy and ad hominem.
Criminals are always to blame for their crimes. Victims sometimes get that way by acting negligently. Visser Precision was certainly negligent with their clients' data, and will likely be getting sued for it, a lot.
Re: (Score:3)
I wonder if they were audited. Don't defence contracts require contractors to be regularly audited for security issues?
Even if the contract doesn't require it I wouldn't be surprised if they had audits anyway. They are a good way to protect yourself from lawsuits because you can point to the audit as evidence that you were doing what is generally accepted as adequate for storing that material.
Re: (Score:2)
The criminals do exist, but it was also wide open for non-criminals (foreign spies for example). What I was pointing at was that these companies always happen to get infected but never carry any blame, moreover, they'll probably get extra money from their clients (the government) in grants to 'improve processes around security'.
Re: (Score:2)
Your understanding of English and mine are clearly very, very different.
Re:IT manager scumbags refuse to lock down compute (Score:4, Interesting)
the criminals stealing the documents and demanding a ransom are completely blameless.
They likely did no harm. More likely they improved America's national security.
If a ransomware hacker could get to these documents, then the Chinese and Russians probably already have them. By highlighting the security flaws, those flaws will now be fixed, shutting out China and Russia from downloading new docs.
If the hackers can be identified, we should give them medals.
Re:IT manager scumbags refuse to lock down compute (Score:5, Informative)
Someday I'll pick up your daughter after school. I'll take her for a nice city tour in my car for an hour before bringing her back home safely, in time for supper, unharmed.
I'll therefore have improved your daughter's security, and given you an invaluable lesson on how to better protect your family. After all, if I was able to get to her so easily, who knows what malintentioned character could have been able to do the same, right?
I'm sure when you'll see me come out of my car with your daughter at my side, you'll be waiting to give me my medal.
Re: (Score:2)
I am confused by this analogy.
So I am the defense contractor, my daughter is the secret document, and you are the hacker? Is that correct?
So the lesson is that my daughter shouldn't go to school? Or that going to school is a dangerous necessity for a child and thus leaving documents unsecured is also a dangerous necessity for defense contractors?
Can you explain what your point is?
Re: (Score:2)
Re: (Score:2)
If you accept crap security, or leave your door unlocked, well you're not guilty of a crime
Actually, storing classified documents on an unsecured server is a crime.
Re: (Score:2)
Actually, storing classified documents on an unsecured server is a crime.
That is unless you are a prominent member of the Democrat Party. Just ask Hillary Clinton about that.
Re: (Score:2)
In case you didn't know, she was advised to do so by her predecessors in office, Rice and Powell, who also did the same thing. The major difference was that they didn't locate the server in their bathroom.
Re: (Score:2)
Problem is "secured" can mean anything. Putting a password on Windows XP is "securing" it.
Re: (Score:2)
Well played. I wish I had mod points.
Re: (Score:2)
To mod up a think-of-the-children post? You *are* the problem with Slashdot.
Re: (Score:2)
Interesting. A "think of the children" post modded +5 Informative. Slashdot really has gone to the dogs.
Re: (Score:2)
I see you missed the point of the analogy. I'd try to explain it but I'm not having a battle of the wits with an unarmed person.
to all the "think of the children" repliers (Score:2)
Are you serious? Are you trolling? Are you telling me that you actually didn't get the point of the analogy? Did you actually not realise that "daughter" could have been replaced by "wife/husband", "brother/sister", "mother/father", "obscenely rare collection car", etc, basically, anything that the OP considered as having value in his eyes?
I would elaborate further but, frankly, I feel a little depressed now...
Re: (Score:2)
I suppose that's one way to identify yourself as a scumbag IT manager.
Re: (Score:2)
False dichotomy; it's not one or the other.
Both are scumbags, for different reasons. I will say that the ransomware scumbags are more honest in their intentions, however.
Re: IT manager scumbags refuse to lock down comput (Score:2)
Claiming thieves are honest because they're upfront about robbing people is pretty lame "look how smart I am" crap.
Re:IT manager scumbags refuse to lock down compute (Score:5, Insightful)
This whole thread is going to be people confused about the difference between "blame" and "responsibility" and arguing past each other.
"Blame" is a moral judgement. "Responsibility" is the duty to think carefully about the consequences of your choices. Someone who leaves the keys in his car and it gets stolen is irresponsible, but the thieves are to blame. Someone who's hired to fix a broken organization is blameless for its failings (at least at first), but is responsible for them.
There are times when a person has a moral duty to be responsible, such as a medical doctor, but mostly conflating the two is just victim-blaming.
Re: (Score:2)
it is purely bad security and bad actors on the corporate side to let this happen.
Right, because the criminals stealing the documents and demanding a ransom are completely blameless.
Nope. But it is a crime of opportunity. When you protect secrets that are worth something, maybe do not give them that opportunity? Maybe protect these secrets adequately, even if that means "management" bonuses have to be 0.5% lower as protection IT infrastructure costs money? Also, maybe consider that if these are state secrets, protecting them inadequately should most definitely get those responsible sent to prison? And I do not mean the lowly sysadmin here, a CEO would be a good start and the board-memb
Re: (Score:2)
Well, the criminals are not blameless but if some of the criminals are employees of those companies, well, they are death industries and they attract a certain type, hey take the job expect to be tarred with that brush, not good enough for a real job in tech, go war industries. The of course if it is employees even executives getting involved, looking to pick up extra cash, then it is all the failing of those corporations security systems and they should be penalised. They are paid to be secure with the dat
Quit being nice (Score:2)
Re: (Score:2)
Sob, Sob... (Score:2, Insightful)
Wait... why should we be crying for either side here?
On one side we have plain run of the mill criminals that hack into machines for personal gain.
On the other we have plain run of the mill criminals that hack into politicians for personal gain.
Just because one side used a computer to gain an unfair advantage while the other side used a coffer really makes no difference to me. Bitches picking on bitches is the total summary of this story.
Don't even get me started about "security" in IT. It's shit, has bee
Re: (Score:2)
Oh and by the way, need I point out that those are just the classified documents that we know about? Assuming for a moment that these 'ransomware' assholes are actually state-sponsored by a country hostile to the U.S., who knows what other classified documents they now h
Re: (Score:2)
"Never mind that military secrets have just been put on the public Internet for every enemy of the United States to grab."
Just been put? You mean been put "again" on the public internet for every enemy of the US to grab?
If the USA did not put them on the internet the first time these guys would not have likely been able to put more copies on the internet.
Sure, folks need to go to jail.... but not just the hackers... how about the jokers telling people how to secure their systems? Put them in jail for a ch
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Live by the sword ... (Score:4, Interesting)
Setting aside the issue as to whether the contractor is to blame, this really is infuriating.
I have to wonder how long it will be -- assuming it already hasn't happened -- before they irritate someone who is willing to commit sufficient capital to execute extra-judicial revenge. I am sure the bad guys are pretty well versed at keeping themselves hidden but there is no perfect system that can't be cracked by a sufficiently motivated, funded, and expert adversary.
A few cases of heads on pikes outside that little township in Russia that nobody ever heard of before now and I bet the ransomware activity would drop precipitously.
Re: (Score:2)
I expect that will not happen. Because if you do that, you will also have to look at how these people got hold of the material they stole in the first place. There is really no explanation besides incompetence, greed and stupidity. And then heads that are already known will need to roll.
Re: (Score:2)
>is willing to commit sufficient capital to execute extra-judicial revenge.
In this case, maybe not so much capital, as CIA . . .
When you publish military secrets, you move off of the "criminal" list and on to a list that gets a *much* different type of attention . . .
hawk
Promotion (Score:4)
This ransomware team just got a promotion from a few part-time FBI agents to the Air Force's cyber unit, along with, probably the NSA and the rest of the Five Eyes. Probably not the best move.
Good job on their 800-171 compliance (Score:2)
So all these have exceptionally bad IT security? (Score:4, Insightful)
Because, you know, "scumbags" do not get in if you do things right. Seems to me all these secrets were not worth a lot because they were protected cheaply or not at all.
Re: (Score:2)
There are a few people in this discussion who keep making claims like that. Where have you found perfect IT security technology and the human beings who never make mistakes to administer it? Asking for a friend.
Re: (Score:2)
Well, first you should fix your understanding of what security actually tries to achieve. Anybody asking for "perfect" is automatically marking themselves as not competent. To keep people like these attackers out, reasonable regular security is usually quite enough. As these were military secrets, elevated security would be required. You know, like basically any bank nicely manages because they have no choice due to regulation.
Hence, very simply for you: These people screwed up because they did not implement
Re: (Score:3)
I don't know what you think "reasonably regular" security looks like, but I've had first-hand visibility of the kinds of IT security strategies used in a lot of organisations that you'd think would use more than just "regular" levels of protection. The ones where data exfiltration would only be realistic with a willing accomplice on the inside were the exception rather than the rule. Even organisations dealing with classified material or with regulatory compliance obligations have finite budgets and staff,
Supplier Leak, not Prime (Score:2)
wow.. they just ended themselves (Score:2)
Re: (Score:2)
What is to prevent them from getting state level support post factum? If they reside in Russia, China or other such state they would be somewhat protected by default (default policy for criminal help from US is "get lost"). Now that they have proven they can get some interesting data they can easily extend this to active protection.
Re: Why Scumbags? (Score:5, Informative)
Re: Why Scumbags? (Score:4, Insightful)
If they instead highlighted the security shortcomings and either offered to be part of the solution, then they might be praised for being white hat hackers.
That doesn't work. They would be villainized and prosecuted. The security flaws would be ignored.
But no, unreasonably large payout demands and deliberate harm to both the business and their partners.
If that's what it takes to get their attention, then so be it.
Re: (Score:2)
So you genuinely think *extortion* is warranted here?
Nothing else seems to be working.
Not just publication and exposure of the breach, highlighting the security flaws so they don't get covered up and ignored
We tried that. The flaws get covered up and ignored, while the whistleblowers are punished.
Instead of seeing this as "extortion", you should look at this as pen-testing being outsourced to the free market.
Re: (Score:2)
Who knows how many other classified documents they have in their possession, and whether right now they're looking to sell them to enemies of the United States, assuming they're not state-sponsored in the first place?
Re: (Score:2)
Re: (Score:2)
Regardless, the sensationalist editorializing in the headline is unwarranted and unprofessional. No matter if you, I, or even the entire readership agrees that they are scumbags, for Slashdot to make that judgement and wear it on their sleeve is an epic journalism fail.
But then, BeauHD has never been anything BUT a ridiculous hack, has he?
Re:Why Scumbags? (Score:5, Insightful)
Because blackmailers ARE scumbags. Extortion is a fucking FELONY, dude!
Re: (Score:2)
Why not call them criminals then, or even better, not mention them at all.
Have you ever seen a serious newspaper title "Scumbag shot ten people during a bank robbery", "Asshole set fire to a library" or "Douchebag teacher raped several students". Not only the expletives are totally unnecessary, but they miss a very important rule when reporting crimes: focus on the victim, not the criminal.
Is it that hard to say something like "Boeing, Lockheed Martin, SpaceX Documents Leaked After Contractor Refuses To Pay
Re: (Score:2)
And how are they going to build jails if we don't pay our taxes? /sarcasm
Re: (Score:2)
That's what happened in Greece and Italy. Nobody paid taxes or at least embezzled a ton of their income, the government went effectively bankrupt.
Re:Why Scumbags? (Score:4, Funny)
Re: (Score:2)
So asshat when someone smacks you over the head with a lead pipe and takes your wallet, are they a criminal .. or just doing business. Or if someone breaks into your house and takes your belongings ... it is a business transaction ???? because you were too stupid or weak to stop them ??
In your case I think you probably get smacked over the head with lead pipes a lot.. not because they want to take your stuff.. you're just one of those people that deserve to be beaten on a regular basis.
Re: (Score:2)
Re: (Score:2)
It's hard to believe that some antenna design is cause for national security. It's possibly worked off a public paper on the subject or an improvement on something commercial.
Re: (Score:2)
Re: (Score:2)
To my mind, all that pales in comparison to the possible national security implications of this.
Which will be, what? The only serious national security implication here is that the companies named are too stupid, incompetent and greedy and generally unfit to keep secrets when they get stored on computers. Maybe do not give any to them? Oh, right, you do not have a choice as they are major military contractors. Seems to me the problem is quite some place else here.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I have no IP cameras or microphones, nor GPS monitors or any other surveillance equipment with internet access. I don't even have a wife. So there, are you happy now?
Re: (Score:2)