Ransomware Proxy Attacks Threaten Our National Security

The Department of Defense is investigating claims by a ransomware operator that the group exfiltrated sensitive U.S. military data.

‍

BlackCat/ALPHV announced they had stolen upwards of 300 gigabytes of data from defense IT contractor Technica related to the Defense Counterintelligence and Security Agency.

‍

“The Defense Counterintelligence and Security Agency is aware of the allegations of this incident and is coordinating with the appropriate law enforcement and security officials to address concerns,” CyberScoop reported a spokesperson as stating.

‍

“We will not comment on any cleared facility’s security posture or any specific security incidents.”

‍

The news follows reports that threat actors claimed to have exfiltrated 27 TB of confidential data from Johnson Controls International, which manufactures industrial control systems and physical security equipment.

‍

The attack prompted the Department of Homeland Security to launch an investigation into whether sensitive information such as DHS floor plans and security controls were compromised.

‍

Takeaway: The increasingly obvious overlap between cybercriminal activity and nation-state-operations conveniently allows for plausible deniability by the offending nations.

‍

But adversarial nations who tacitly or directly support ransomware and data extortion attacks are at great risk of triggering an international incident that could elicit a military response from the US or their allies.

‍

The strategy of leveraging ransomware gangs and other “seemingly independent” actors as a proxy and maintain plausible deniability to thwart any direct attribution could come back to haunt them if they don’t practice good OpSec.

‍

But attribution is a significant challenge in these cases - from simple things like reusing code from another attack group, to adding annotations to code in another language, to more technically complex techniques like abusing legitimate network tools – avoiding attribution have long been a major element of attacker tradecraft.  

‍

Attackers employ a range of tactics to avoid detection and attribution, including:  

• Use of Tor and VPNs: Attackers often route their communication through the Tor network or virtual private networks (VPNs) to obfuscate their IP addresses and locations, making it difficult to trace them.  
• Compromise of Third-Party Infrastructure: Attackers can compromise systems of one victim and use them to attack another, making attribution more difficult.  
• Anonymous Payment Methods: Ransom payments are typically demanded in cryptocurrencies such as Bitcoin, Monero, or Ethereum, which offer a degree of anonymity. This makes it challenging to track the flow of funds and identify the attackers.
• Encryption: Ransomware payloads are usually heavily encrypted to evade detection by antivirus and security software. Advanced encryption algorithms make it difficult to analyze the malware's code.  
• Polymorphic Malware: Ransomware authors frequently use polymorphic techniques, which alter the malware's code and behavior with each infection. This makes it harder for signature-based detection methods to identify the malware.  
• Living-off-the-Land (LotL) Techniques: Once inside a network, attackers move laterally to compromise multiple systems, often using legitimate administrative tools and credentials. This mimics normal network behavior, making it harder to detect their presence.  
• Supply Chain Attacks: Targeting third-party vendors or software providers can enable attackers to compromise a target indirectly, further distancing themselves from attribution.  
• Fileless Malware: Some ransomware strains operate without dropping executable files on disk, residing only in memory. This can evade traditional file-based security measures.  
• Counter-Forensics: Skilled attackers may attempt to tamper with or delete log files, making it difficult for incident responders to reconstruct the attack timeline and identify the initial entry point.  
• Red Herrings: Attackers may intentionally leave misleading clues like code reuse or annotation in code in a language other than the attackers to direct attribution to another group or nation-state, diverting investigative efforts.

Ultimately, it's rogue governments that are providing safe harbor for criminal elements conducting ransomware attacks with impunity and are obviously influencing some of their targeting.

‍

It's only a matter of time before we see a massively disruptive attack against a critical infrastructure or the exfiltration of sensitive data that threatens our national security.

‍

When that happens, we will see the whole conversation around ransomware attacks and our collective response change significantly from one of law enforcement actions to one of a proportional military response.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.