The Department of Homeland Security is investigating whether sensitive information such as DHS floor plans and security controls were compromised in a ransomware attack on government contractor Johnson Controls.
Johnson Controls is a major manufacturer of alarm and building automation systems which “holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities,” CNN reports.
“Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers... We do not currently know the full extent of the impact on DHS systems or facilities."
Takeaway: Third-party risk considerations are nothing new to most larger organizations - with high profile breaches like the one that hit Target via their HVAC contractor having made headlines many years ago - but third-party risk is not discussed much in the context of ransomware.
The threat here in regard to ransomware basically comes down to two concerns: downstream attacks and the exfiltration of sensitive data.
In 2021, an attack on IT services provider Kaseya allowed threat actors to leverage the Kaseya VSA (Virtual System Administrator) to distribute ransomware to Kaseya customers.
This meant that even if the impacted customers had a robust security program in place, they likely would still have been infected because the ransomware came by way of a “legitimate” update signed with valid digital certificates.
The takeaway from the Kaseya attack for organizations is to ensure they are applying the Principle of Least Privilege by limiting third-party service provider access to the absolute minimum, as well as doing the due diligence on the security posture of third-party service providers.
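One concrete way to act on the least-privilege point is a periodic review of every standing vendor account against the scope that was actually approved for it. The script below is an added illustration, not code from Halcyon or from the case discussed here; the vendor names, account names, rights labels and the 30-day idle threshold are constructed assumptions. It flags accounts whose rights exceed the approved scope, high-risk rights held without MFA, accounts idle past the threshold, and access with no expiry date.

```python
"""Third-party access review: flag vendor accounts that violate least privilege.

Added example for this post; not Halcyon code and not related to any real vendor.
All vendors, accounts, rights labels and thresholds below are constructed.
"""
from dataclasses import dataclass

# Rights that a vendor must explicitly justify. Holding any of these without
# MFA is reported as a finding even when the right itself was approved.
HIGH_RISK_RIGHTS = {"domain_admin", "remote_exec", "software_deploy", "data_export"}


@dataclass
class VendorAccess:
    vendor: str
    account: str
    rights: set            # rights the account currently holds
    approved_rights: set   # rights the contract/risk review actually approved
    mfa: bool
    days_since_use: int
    has_expiry: bool


def review(access: VendorAccess, max_idle_days: int = 30) -> list:
    """Return a list of least-privilege findings for one vendor account (empty = ok)."""
    findings = []

    # 1. Rights beyond the approved scope are the core least-privilege violation.
    excess = access.rights - access.approved_rights
    if excess:
        findings.append(f"excess rights not in approved scope: {sorted(excess)}")

    # 2. Approved high-risk rights still need strong authentication on the vendor side.
    risky = access.rights & HIGH_RISK_RIGHTS
    if risky and not access.mfa:
        findings.append(f"high-risk rights without MFA: {sorted(risky)}")

    # 3. Unused standing access is pure attack surface; disable or re-justify it.
    if access.days_since_use > max_idle_days:
        findings.append(f"idle for {access.days_since_use} days; disable or re-justify")

    # 4. Access that never expires silently outlives the engagement that justified it.
    if not access.has_expiry:
        findings.append("standing access with no expiry date")

    return findings


def review_inventory(inventory) -> dict:
    """Map each account name to its findings."""
    return {a.account: review(a) for a in inventory}


# Constructed sample inventory (hypothetical vendors and accounts).
SAMPLE_INVENTORY = [
    # Building-automation vendor given domain admin it was never approved for, no MFA, no expiry.
    VendorAccess("hvac-maintenance-co", "svc-hvac",
                 {"bms_read", "bms_write", "domain_admin"}, {"bms_read", "bms_write"},
                 mfa=False, days_since_use=3, has_expiry=False),
    # Remote-management provider: powerful rights, but scoped, approved, MFA-protected and time-boxed.
    VendorAccess("rmm-provider", "svc-rmm",
                 {"remote_exec", "software_deploy"}, {"remote_exec", "software_deploy"},
                 mfa=True, days_since_use=1, has_expiry=True),
    # Low-privilege vendor account that simply has not been used in three months.
    VendorAccess("doc-scanning-vendor", "svc-scan",
                 {"file_share_read"}, {"file_share_read"},
                 mfa=True, days_since_use=95, has_expiry=True),
]


if __name__ == "__main__":
    for account, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(account, "->", findings or ["ok"])
```

The point of the second entry is that a provider with remote-execution and deployment rights is not automatically a finding: what matters is that the rights match what was reviewed and approved, are protected by MFA, and carry an expiry, so that a compromise at the provider is bounded rather than equivalent to domain admin.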
The second concern, potential exfiltration of your organization’s sensitive data from a contracted entity, is exactly what DHS is dealing with now.
Given this is a government agency that deals with classified and sensitive information, it would be safe to assume DHS already has protocols in place to assess the security posture of its contracted providers out of concern for potential state-sponsored espionage attacks, which should include anti-data-exfiltration controls.
But in this case, it appears not to have been a state-sponsored actor behind the attack, but a ransomware group or affiliate – threat actors who now regularly exfiltrate victim data prior to encryption and use it as leverage to compel payment of a ransom demand by threatening to publicly leak or sell the data.
Detecting and blocking downstream attacks and conducting the proper due diligence against potential loss of sensitive data via compromised third-party service providers should be a high priority not just for government agencies but any organization concerned about the potential impact from data loss and disruptions to business operations from attacks by ransomware operators.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).