Ransomware Proxy Attacks Threaten Our National Security

February 1, 2024


The Department of Defense is investigating claims by a ransomware operator that the group exfiltrated sensitive U.S. military data.

BlackCat/ALPHV announced they had stolen upwards of 300 gigabytes of data from defense IT contractor Technica related to the Defense Counterintelligence and Security Agency.

“The Defense Counterintelligence and Security Agency is aware of the allegations of this incident and is coordinating with the appropriate law enforcement and security officials to address concerns,” CyberScoop reported a spokesperson as stating.

“We will not comment on any cleared facility’s security posture or any specific security incidents.”

The news follows reports that threat actors claimed to have exfiltrated 27 TB of confidential data from Johnson Controls International, which manufactures industrial control systems and physical security equipment.

The attack prompted the Department of Homeland Security to launch an investigation into whether sensitive information such as DHS floor plans and security controls were compromised.

Takeaway: The increasingly obvious overlap between cybercriminal activity and nation-state operations conveniently allows for plausible deniability by the offending nations.

But adversarial nations who tacitly or directly support ransomware and data extortion attacks are at great risk of triggering an international incident that could elicit a military response from the US or its allies.

The strategy of leveraging ransomware gangs and other “seemingly independent” actors as proxies while maintaining plausible deniability to thwart any direct attribution could come back to haunt them if they don’t practice good OpSec.

But attribution is a significant challenge in these cases. From simple things like reusing code from another attack group, to adding code annotations in another language, to more technically complex techniques like abusing legitimate network tools, avoiding attribution has long been a major element of attacker tradecraft.

Attackers employ a range of tactics to avoid detection and attribution, including:

  • Use of Tor and VPNs: Attackers often route their communication through the Tor network or virtual private networks (VPNs) to obfuscate their IP addresses and locations, making it difficult to trace them.
  • Compromise of Third-Party Infrastructure: Attackers can compromise the systems of one victim and use them to attack another, making attribution more difficult.
  • Anonymous Payment Methods: Ransom payments are typically demanded in cryptocurrencies such as Bitcoin, Monero, or Ethereum, which offer a degree of anonymity. This makes it challenging to track the flow of funds and identify the attackers.
  • Encryption: Ransomware payloads are usually heavily encrypted to evade detection by antivirus and security software. Advanced encryption algorithms make it difficult to analyze the malware's code.
  • Polymorphic Malware: Ransomware authors frequently use polymorphic techniques, which alter the malware's code and behavior with each infection. This makes it harder for signature-based detection methods to identify the malware.
  • Living-off-the-Land (LotL) Techniques: Once inside a network, attackers move laterally to compromise multiple systems, often using legitimate administrative tools and credentials. This mimics normal network behavior, making it harder to detect their presence.
  • Supply Chain Attacks: Targeting third-party vendors or software providers can enable attackers to compromise a target indirectly, further distancing themselves from attribution.
  • Fileless Malware: Some ransomware strains operate without dropping executable files on disk, residing only in memory. This can evade traditional file-based security measures.
  • Counter-Forensics: Skilled attackers may attempt to tamper with or delete log files, making it difficult for incident responders to reconstruct the attack timeline and identify the initial entry point.
  • Red Herrings: Attackers may intentionally leave misleading clues, such as reused code or code annotations in a language other than the attackers' own, to direct attribution to another group or nation-state, diverting investigative efforts.

Ultimately, it's rogue governments that are providing safe harbor for criminal elements conducting ransomware attacks with impunity and are obviously influencing some of their targeting.

It's only a matter of time before we see a massively disruptive attack against critical infrastructure or the exfiltration of sensitive data that threatens our national security.

When that happens, we will see the whole conversation around ransomware attacks and our collective response change significantly from one of law enforcement actions to one of a proportional military response.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.