Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay

Internal confidential documents belonging to some of the largest aerospace companies in the world have been stolen from an industrial contractor and leaked online. The data was pilfered and dumped on the internet by the criminals behind the DoppelPaymer Windows ransomware, in retaliation for an unpaid extortion demand. The …


  1. mt_head

    Anti-mortar system?

    I'm assuming that uses radar triangulation to determine the firing location, rather than actively try to ward off incoming rounds... unless technology has improved FAR more than I was aware of!

    1. A random security guy Bronze badge

      Re: Anti-mortar system?

      Damn. I was thinking of a giant badminton racket.

      1. Chris G Silver badge

        Re: Anti-mortar system?

        Badminton racket?

        Good choice, at least compared to a cricket bat.

        1. Anonymous Coward

          Re: Anti-mortar system?

          "[...] at least compared to a cricket bat."

          In a Modesty Blaise novel - possibly "The Impossible Virgin" - a cricket bat is used to project primed hand grenades from behind a wall.

          In a boys' comic of the 1960s. A story culminates in hand grenades being launched from a hand sling - following practice with small aubergines viz "egg plant".

          In both cases the grenades were the British Mills Bomb style.

          1. big_D Silver badge

            Re: Anti-mortar system?

            That brings back memories, sneaking my father's copy of Modesty Blaise out of his bookshelf...

        2. big_D Silver badge

          Re: Anti-mortar system?

          You've obviously never played Brockian Ultra Cricket...

      2. Anonymous Coward

        Re: Anti-mortar system?

        I was thinking more of a lacrosse stick or even a Basque pelota racket to intercept and return said ordnance back to sender ...

        1. herman Silver badge

          Re: Anti-mortar system?

          Catch the incoming with a giant Trebuchet and lob it back.

    2. Headley_Grange Silver badge

      Re: Anti-mortar system?

      Can't speak for the one in the article but there are anti-mortar systems that detect the incoming rounds and shoot them out of the sky. There's one based on the Phalanx naval anti-missile system - Phalanx CIWS. Phalanx is primarily anti-missile, but it can be used against mortars and artillery, although probably with a lower hit-rate. Also note that the gun fires a shed-load of rounds in the general direction of the incoming - it doesn't knock them out of the sky with a single shot. More of a grouse shooter than a sniper.

    3. bazza Silver badge

      Re: Anti-mortar system?

      Yes, it’s learning the firing location that is the primary idea, so that you can lay in your own artillery on that location. The idea is, if you’re paying attention, to have your rounds heading back before theirs even land.

      Of course, if they’ve got the same sort of radar you probably want to be careful to fire back only if their rounds are on target, because they may be firing in a general direction to elicit your artillery response so they then learn your actual location...

      And if you throw in battlefield ESM too, your radar is giving away your location anyway, so you might not want to be using it routinely. That places an emphasis on keeping one’s ears open, switching your radar on only when you hear a thump, and making sure that your radar is well away from your artillery. But then you still have to second guess whether theirs are on target in the first place.

      All in all, best be sneaky and be somewhere else entirely.

      1. BebopWeBop Silver badge

        Re: Anti-mortar system?

        All in all, best be sneaky and be somewhere else entirely.

        Cowardice - you know it makes sense.

        1. Russell Chapman Esq.

          Re: Anti-mortar system?

          Not going to say where, when or why. But watching some lads play football in a walled in school yard and mortars whistling overhead, being fired by both sides. If you are in that situation cowardice really doesn't work, you have to get on with it.

          1. Persona Silver badge

            Re: Anti-mortar system?

            If you are in that situation cowardice really doesn't work

            A true coward (like me) goes to inordinate length to ensure never getting into that sort of situation.

        2. Ochib

          Re: Anti-mortar system?

          Various groups have worked out how to send mortar rounds days after the mortar has been put into position

          https://en.wikipedia.org/wiki/Heathrow_mortar_attacks

      2. Muscleguy Silver badge

        Re: Anti-mortar system?

        Just to nitpick slightly but mortars go crump, not thump. I'm slightly expert since the Barry Buddon military training firing range is within earshot of Muscleguy Towers, especially if the wind is from the East.

        The lower cycle path between here and Carnoustie goes right past it, on their side of the railway line. I have run along there with an absolutely furious fusillade of automatic fire sounding from the right without an issue. They let you wander around when the flags are not flying and all the ranges have high earthen berms behind them and none face inland, just in case.

        Though they usually fire the mortars while I'm returning along the upper path by the A92 to Arbroath but the sound carries well up the hill so I'm familiar with the sound. Most of us can discern side arms, grenades, light automatic, heavy automatic and light artillery such as mortars which go Crump.

        If post viral lockdown anyone is interested in taking such a stroll drive to Monifieth centre and follow the signs to the beach where you leave the car. Walk to the shoreline and follow the path above the beach, if the flags are not flying. There should be a squaddy in the guard box to prevent you as well. They are very careful. There's even a marine exclusion zone as they are wont to put target pontoons out for the heavier stuff. You are strongly advised to leave anything interesting you might come across well alone though.

        It is also a good example of undeveloped coastal Links which have not been turned into a golf course if you want an idea of how golf got started. You can walk all the way out to the lighthouses on the point as well.

      3. Claptrap314 Silver badge

        Re: Anti-mortar system?

        There is also the technique of "shoot and scoot", which is what mobile arty is all about these days. But yeah, when the stakes get high enough, the counter-counter-counter-counter strategy loses to the counter-counter-counter-counter-counter strategy. Unless the counter-counter-counter-counter strategy changes at the last minute. Then all bets are off.

      4. mt_head

        Re: Anti-mortar system?

        "The best block: no be there."

    4. low_resolution_foxxes Silver badge

      Re: Anti-mortar system?

      If I recall correctly, Lockheed have a 50kW laser weapon that can just heat rockets until they explode from several km distance. It can quite easily destroy planes. No suggestion they stole the docs for this though, as I imagine Lockheed have a variety of laser/radar/thermal scanning equipment in their portfolio.

      I would personally not want to upset someone with that kind of weapon in the warehouse.

      1. EveryTime

        Re: Anti-mortar system?

        Laser systems aren't a magic kill against missiles. Most rely on melting a small spot on the missile skin and have aerodynamic forces tear it apart or start it tumbling. The simple approach of spinning the missile nearly defeats this, although it takes a more sophisticated or much simpler (e.g. the original sidewinder, which was awesomely clever) control system to do this.

        1. Anonymous Coward

          Re: Anti-mortar system?

          "The simple approach of spinning the missile nearly defeats this, although it takes a more sophisticated or much simpler [...]"

          An enhancement of primitive spears was to wrap one end of a short thong round the shaft several times. The other end was attached to the thrower's arm. When the spear was thrown the unwinding thong caused the shaft to spin - thus stabilising it in flight and increasing its accuracy.

    5. The Man Who Fell To Earth Silver badge

      Chaff

      This is why my computers have tons of documents about our super-secret transporter beam project, our time machine project, our Zombie project, our Afterlife project (code named “San Junipero”), aging reversal project, human-to-host project (code named “Westworld”), ...

    6. Anonymous Coward

      Re: Anti-mortar system?

      There are various C-RAMS systems that the US has based on 2+ gatling guns firing a lot of lead and incendiaries to make life hard:

      Daylight test fire

      In action at night

      Not sure of the effective hit rate but it looks like they can target between 25-30 incoming rounds between reloads.

  2. Mark Exclamation Bronze badge

    It is total and utter negligence that this contractor has allowed this information to be accessed by unauthorised individuals. Visser Precision should be barred from any further contracts, and whoever is/are responsible for their computer security (depending on if it's due to denied funding or just plain incompetence) should be locked up for a very long time.

    1. sanmigueelbeer Silver badge

      That ship has sailed ...

      this contractor has allowed this information to be accessed by unauthorised individuals

      Oh that ship has sailed a long, long time ago. As a matter of fact, that ship has even reached its destination port and (may have) offloaded highly-classified cargo before anyone knew about it.

      1. robidy

        Re: That ship has sailed ...

        Quite, ransomware is likely a secondary infection to a not so sharp nation state actor.

    2. EricM

      You are not really familiar with computer security, are you?

      As a virtual real world example :

      Try to secure a building. You use Perimeter controls, fences, secure doors, alarms, etc. Not hard, right?

      Now try to imagine to secure a building where fences have holes you cannot see. Where walls have doors you cannot see. Some walls that used to exist forever are gone the next day. Some walls only look like walls when in reality they are just props from a film set. Where people that you cannot control are working on structural changes and who routinely refuse to tell you what they did. Where alarms notice some trespassers while ignoring others. Where you learn one day that while you thought you had the only keys to the building, the company who made the doors was handing out every key to every door they ever made to anyone who asked...

      Good luck with that...

      1. Chris G Silver badge

        Re: You are not really familiar with computer security, are you?

        To expand on your real world analogy, real world security is mostly about making it harder and more difficult to enter premises or steal a car.

        It doesn't make it impossible to enter, given enough time and some tools anyone can break into a bank vault or office but time is what real world thieves don't have, they will be discovered and caught.

        Infoscabs on the other hand can operate unseen and mostly undetected usually until it is too late, even when they are detected, it is usually only their virtual presence o are difficult to catch and prosecute physically.

        1. Anonymous Coward

          Re: You are not really familiar with computer security, are you?

          "Infoscabs on the other hand can operate unseen and mostly undetected usually until it is too late"

          That is down to who is watching, like in the real world, scouting the place, usually don't notice them, but if they have found a way which isn't monitored, they may be able to get in unnoticed. It's this part which is the problem. Most places will say that they monitor everything, when in fact they monitor nothing, just log, or have random crap showing up. They don't know what to look for.

          Like with the bank job, someone cutting into a vault isn't normal, so is picked up and reported. Someone being somewhere they shouldn't is less likely to be, depending on who found them.

          Most stuff with online security is post break in as the people monitoring do not know what to look for as people do not know what is out of the ordinary, unless it's so blatant.

        2. Trollslayer

          Re: You are not really familiar with computer security, are you?

          And the owner still has to be able to drive the car.

      2. Intractable Potsherd Silver badge

        Re: You are not really familiar with computer security, are you?

        @EricM: "Now try to imagine to secure a building where fences have holes you cannot see. Where walls have doors you cannot see. Some walls that used to exist forever are gone the next day. Some walls only look like walls when in reality they are just props from a film set. Where people that you cannot control are working on structural changes and who routinely refuse to tell you what they did. Where alarms notice some trespassers while ignoring others. Where you learn one day that while you thought you had the only keys to the building, the company who made the doors was handing out every key to every door they ever made to anyone who asked..."

        Now imagine the liability if you used that place to store hugely valuable stuff. You would have done your due diligence on the building before using it, and not taken someone else's word for its security. To do otherwise would find you liable for civil and possibly criminal action.

        The problem with infosec is that there is too little liability when things go wrong. It needs to hurt if you use a movie-prop instead of a reinforced wall.

        1. Pascal Monett Silver badge

          Re: It needs to hurt if you use a movie-prop instead of a reinforced wall

          If you're the one choosing that, then yes, but the problem is that you're counting on somebody who told you the wall was solid concrete, when actually it was just thin plaster.

          This is the state of computing today : Microsoft denies all responsibility if something goes wrong, anti-virus vendors do the same, everyone is functioning under "best effort" rules, and along the line, someone forgot the concrete.

          Not to mention that it is not specified how the miscreants managed to get into position to encrypt the files. A click on a wrong link is not too far-fetched.

          The real problem is that a defense contractor did not have sufficient intrusion detection. I'm guessing they had backups, but that won't keep the scum from publishing.

          Security is hard, that's for sure.

          1. amanfromMars 1 Silver badge

            Re: It needs to hurt if you use a movie-prop instead of a reinforced wall

            If you're the one choosing that, then yes, but the problem is that you're counting on somebody who told you the wall was solid concrete, when actually it was just thin plaster.

            This is the state of computing today : Microsoft denies all responsibility if something goes wrong, anti-virus vendors do the same, everyone is functioning under "best effort" rules, and along the line, someone forgot the concrete. ..... Pascal Monett

            So simply complex misdisinformation is the problem bastard child, Pascal Monett?

            A little twisted brother to the monstrous fcukup presently busy destroying money, bond and stock markets with their portfolios of bankrupt zombie operations and grand theft autocracies professed and processed to be untouchable and omnipotent rather than be known terrified of that and/or those au fait with being invisible and omniscient.

            Is that why dodgy corrupt command and control systems cannot handle novel information which they do not possess?

        2. EricM

          Re: You are not really familiar with computer security, are you?

          > Now imagine the liability if you used that place to store hugely valuable stuff. You would have done your due diligence on the building before using it, and not taken someone else's word for its security. To do otherwise would find you liable for civil and possibly criminal action.

          Accept criminal liability for security in a world where invisible doors exist and you cannot tell concrete and cardboard apart?

          I'd get a new job immediately, since no amount of due diligence will make sure I have not overlooked one of the invisible doors. Or that no new door will pop up due to changes made by somebody else tomorrow.

          1. Intractable Potsherd Silver badge

            Re: You are not really familiar with computer security, are you?

            @EricM: "... security in a world where invisible doors exist and you cannot tell concrete and cardboard apart?" That is part of what I'm talking about - is it a fundamental truth that invisible doors and papier maché walls will exist? If so, why?

            "... no new door will pop up due to changes made by somebody else tomorrow." Surely this is part of the problem - too much reliance on "somebody else".

            "... no amount of due diligence will make sure I have not overlooked one of the invisible doors." Then a new model is needed, and liability is a very effective way of doing that. Currently, we are at the pre-Factory Act* level, with risk externalised. That risk needs to become internal so that the metaphorical factories are built properly.

            *Not exactly analogous I admit, but illustrative.

            1. EricM

              Re: You are not really familiar with computer security, are you?

              > That is part of what I'm talking about - is it a fundamental truth that invisible doors and papier maché walls will exist? If so, why?

              Necessarily. Whatever you need to do in computer security, securing Websites, Web-Apps or simply securing documents inside a company, you need to work with existing (and continually changing) hardware, firmware, drivers, operating systems, network protocol implementations, firewalls, management solutions, etc.

              Every component you work with is updated regularly (if you do it right). This means a) known bugs are closed, b) new features are added and c) new bugs are introduced, every single one a potential new door.

              On all architecture levels mentioned above - simultaneously.

              > too much reliance on "somebody else".

              Yes, every application you create/run/maintain today sits on a ton of other software you cannot control.

              OK, you _could_ try to create, for example, a document management solution based on your own hardware, firmware, drivers, OS, own network stack, own firewall code and finally own application.

              But you'd need to invest thousands (millions?) of man-years to create and test tons of new code.

              And with an overwhelming probability your own code will have many more bugs than the stuff already on the market that has been tested in thousands of installations.

              So, yeah, relying on somebody else is a problem, but having to code everything up from bare metal yourself would pose a worse problem in terms of security, let alone feasibility.

              1. Intractable Potsherd Silver badge

                Re: You are not really familiar with computer security, are you?

                @EricM: Thanks for a comprehensive explanation of the current situation. However, you can't derive an "ought" from an "is". The current situation has grown into a clusterfuck, but lack of liability is part of that. There is no incentive to fix it at the moment - you (and I'm sure you are good at your job) are dependent on the weakest coder working for the lowest bidder. Given that the importance of computers to modern society is more important than coal to the industrial revolution, this cannot, morally or practically, be allowed to go on - this the law needs to step up and wield a baseball-bat to the industry.

            2. Anonymous Coward

              Re: You are not really familiar with computer security, are you?

              I’m currently being pressured into doing stupid things because people who don’t have my skill set think it’s a better way of doing my job.

              That’s why stupid invisible doors in invisible walls get built.

              Another 1 I spotted the other week, a part of the business complaining network connectivity isn’t working, demanding we escalate to get it to work. Simple questions like what is the high level design and what do you need to connect to what go unanswered, just demands to allow through IP ranges but no detail as to what to allow them through to. An old change request raised over a year ago showed a change was made 3 weeks ago to accommodate this request and was performed by a junior engineer who did not question the intention and applied access to an existing rule.

              Turned out the access they needed was to a cloud deployed system, not managed by us with no visibility by us, and we have had no further contact from that business unit since they fixed their issue. Questions about PII/PCI etc also unanswered.

              That unnecessary access they got implemented is still there though. Can I get a change approved to remove it, no, who’s gonna pay for that?

              That’s how invisible doors in paper thin walls get made. No one is ever going to close it.

      3. smudge

        Re: You are not really familiar with computer security, are you?

        Now try to imagine to secure a building where fences have holes you cannot see....

        So you encrypt your data when it's at rest.

        You may not see the holes, but you should know where they will be. You set up firewall rules with a whitelist for the only permitted external connections. You disallow externally initiated connections through the firewall, although I'll accept that in this case the ransomware probably initiated connections from inside the firewall - though it's still worth seeing what you could do in that area.

        And ultimately, of course, if the sensitivity of the information is great enough, you air gap your systems - with no connections to the outside world.

        And so on....

        1. EricM

          Re: You are not really familiar with computer security, are you?

          Sure you do that - you block all known attack vectors to access the data.

          Until someone comes up with a new idea or - as is likely in this case - someone turns an authorized user's computer into a trojan horse that effectively steals the documents.

          For encryption at rest:

          Many people think that's a silver bullet, however, if continuous accessibility of the information is part of the requirement (which is true in most cases) you need to distribute the password/private key in some form to the point of access, otherwise even the authorized end user cannot read and work with the data. That's why I tend to view most implementations of encryption at rest somewhat as snake oil. They just make it somewhat harder to extract cleartext data.

          Same problem with air-gapping systems.

          In this case you need to bring every user of the data behind the air gap. Which excludes such a solution from most real-world scenarios.

          Especially in complex distributed development, where optimized sharing of documentation/information is regarded as key to mission success..

      4. tip pc Silver badge

        Re: You are not really familiar with computer security, are you?

        Another analogy is to invest trillions in people technology, buying influence etc etc to learn state secrets and then declare some secret about a foreign state to your president who then blabs about it on tv or twitter.

        All the security, processes and technology won’t defeat that unless the process is not to tell the President for fear of unraveling everything.

        1. Anonymous Coward

          Re: You are not really familiar with computer security, are you?

          Allowing internet access to your secure systems is fundamentally a bad decision if you want to retain security.

          Again with the banking analogy breaking in is one thing getting out with the loot is another, if the only way to access the data is by physically being in a secure and policed area then the chances of catching the bad guy before he causes you real issues are much better than where the bad guy can be sitting at home in a different country.

          Given the number of recent US security breaches that were down to "security inept"/stupid contractors not taking the same security measures as their client then one wonders if allowing external contractors is really a good idea, assuming of course that these leaks are not intentional misdirection.

          1. Anonymous Coward

            Re: You are not really familiar with computer security, are you?

            In the olden days, default gateways were to a black hole on each site and each router.

            We are now being asked to implement default gateways so that cloud services work, from Meraki, to Google services, to ring central, to zoom, to cloud hosted offerings with Load Balancers.

            Fundamental basic security is continually undermined to enable stupid cloud offerings that replace perfectly functioning internal systems.

      5. Anonymous Coward

        Re: You are not really familiar with computer security, are you?

        You forgot to add "And where the security staff make genuine, justified access to the building such a nightmare of locks, checks and sheer bloody-mindedness that every employee who can arranges his or her own private gate into the most secure areas."

      6. Wibble

        Re: You are not really familiar with computer security, are you?

        * Security

        * Ease of use

        * Low cost

        Pick any two

    3. robidy

      That's awesome if you want a cover up, in cyber security the most effective operate a blame free culture, learning from mistakes and implementing effective controls.

      Please don't get a job in cyber security, we need to reduce breaches.

      ...and yes I suspect it was started by something basic...just someone opening an email on a system due a patch that day.

    4. NeilPost Silver badge

      Is it not total negligence that these companies allowed this Contractor/Partner what seems casual access to commercially sensitive and perhaps classified military tech - and allows them to download it into their organisation.

      I mean WTAF?!

      1. Irongut

        So you expect a contractor to work on a project without any of the information for that project? It'll be good when you can go back to school and stop bothering the grown-ups.

    5. Malcolm Weir

      This sort of data sounds like sensitive, but not classified, information (a category called "controlled unclassified information", CUI). In the US, the prevailing attitude is not that suppliers "should be barred" so much as noting that they (Visser) may have difficulty getting new contracts from their customers (whose data they allowed to leak)...

    6. Trollslayer

      Risk management

      There is always risk and one incident is not statistically significant.

      The time they have gone without a successful attack is.

    7. ecofeco Silver badge

      I'm not getting all your downvotes.

      Visser is obviously at fault there.
