back to article Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay

Internal confidential documents belonging to some of the largest aerospace companies in the world have been stolen from an industrial contractor and leaked online. The data was pilfered and dumped on the internet by the criminals behind the DoppelPaymer Windows ransomware, in retaliation for an unpaid extortion demand. The …

  1. mt_head

    Anti-mortar system?

    I'm assuming that uses radar triangulation to determine the firing location, rather than actively try to ward off incoming rounds... unless technology has improved FAR more than I was aware of!

    1. A random security guy

      Re: Anti-mortar system?

      Damn. I was thinking of a giant badminton racket.

      1. Chris G

        Re: Anti-mortar system?

        Badminton racket?

        Good choice, at least compared to a cricket bat.

        1. Anonymous Coward
          Anonymous Coward

          Re: Anti-mortar system?

          "[...] at least compared to a cricket bat."

          In a Modesty Blaise novel - possibly "The Impossible Virgin" - a cricket bat is used to project primed hand grenades from behind a wall.

          In a boys' comic of the 1960s. A story culminates in hand grenades being launched from a hand sling - following practice with small aubergines viz "egg plant".

          In both cases the grenades were the British Mills Bomb style.

          1. big_D

            Re: Anti-mortar system?

            That brings back memories, sneaking my father's copy of Modesty Blaze out of his bookshelf...

        2. big_D

          Re: Anti-mortar system?

          You've obviously never played Brokian Ultra Cricket...

      2. Anonymous Coward
        Anonymous Coward

        Re: Anti-mortar system?

        I was thinking more of a lacross stick or even a Basque pelota racket to intercept and return said ordinance back to sender ...

        1. herman Silver badge

          Re: Anti-mortar system?

          Catch the incoming with a giant Trebuchet and lob it back.

    2. Headley_Grange Silver badge

      Re: Anti-mortar system?

      Can't speak for the one in the article but there are anti-mortar systems that detect the incoming rounds and shoot them out of the sky. There's one based on the the Phalanx naval anti-missile system - Phalanx CIWS. Phalanx is primarily anti-missile, but it can be used against mortars and artillery, although probably with a lower hit-rate. Also note that the gun fires a shed-load of rounds in the general direction of the incoming - it doesn't knock them out of the sky with a single shot. More of a grouse shooter than a sniper.

    3. bazza Silver badge

      Re: Anti-mortar system?

      Yes, it’s learning the firing location that is the primary idea, so that you can lay in your own artillery on that location. The idea is, if you’re paying attention, to have your rounds heading back before theirs even land.

      Of course, if they’ve got the same sort of radar you probably want to be careful to fire back only if their rounds are on target, because they may be firing in a general direction to illicit your artillery response so they then learn your actual location...

      And if you throw in battlefield ESM too, your radar is giving away your location anyway, so you might not want to be using it routinely. That places an emphasis on keeping one’s ears open, switching your radar on only when you hear a thump, and make sure that your radar is well away from your artillery. But then you still have to second guess whether theirs are on target in the first place.

      All in all, best be sneaky and be somewhere else entirely.

      1. BebopWeBop

        Re: Anti-mortar system?

        All in all, best be sneaky and be somewhere else entirely.

        Cowardice - you know it makes sense.

        1. Russell Chapman Esq.

          Re: Anti-mortar system?

          Not going to say where, when or why. But watching some lads play football in a walled in school yard and mortars whistling overhead, being fired by both sides. If you are in that situation cowardice really doesn't work, you have to get on with it.

          1. Persona Silver badge

            Re: Anti-mortar system?

            If you are in that situation cowardice really doesn't work

            A true coward (like me) goes to inordinate length to ensure never getting into that sort of situation.

        2. Ochib

          Re: Anti-mortar system?

          Various groups have worked out how to send mortar rounds days after the mortar has been put into position

          https://en.wikipedia.org/wiki/Heathrow_mortar_attacks

      2. Muscleguy

        Re: Anti-mortar system?

        Just to nitpick slightly but mortars go crump, not thump. I'm slightly expert since the Barry Buddon military training firing range is within earshot of Muscleguy Towers, especially if the wind is from the East.

        The lower cycle path between here and Carnoustie goes right past it, on their side of the railway line. I have run along there with an absolutely furious fusillade of automatic fire sounding from the right without an issue. They let wander around when the flags are not flying and all the ranges have high earthen berms behind them and none face inland, just in case.

        Though they usually fire the mortars while I'm returning along the upper path by the A92 to Arbroath but the sound carries well up the hill so I'm familiar with the sound. Most of us can discern side arms, grenades, light automatic, heavy automatic and light artillery such as mortars which go Crump.

        If post viral lockdown anyone is interested in taking such a stroll drive to Monifieth centre and follow the signs to the beach where you leave the car. Walk to the shoreline and follow the path above the beach, if the flags are not flying. There should be a squaddy in the guard box to prevent you as well. They are very careful. There's even a marine exclusion zone as they are wont to put target pontoons out for the heavier stuff. You are strongly advised to leave anything interesting you might come across well alone though.

        It is also a good example of undeveloped coastlal Links which have not been turned into a golf course if you want an idea of how golf got started. You can walk all the way out to the lighthouses on the point as well.

      3. Claptrap314 Silver badge

        Re: Anti-mortar system?

        There is also the technique of "shoot and scoot", which is what mobile arty is all about these days. But yeah, when the stakes get high enough, the counter-counter-counter-counter strategy loses to the counter-counter-counter-counter-counter strategy. Unless the counter-counter-counter-counter strategy changes at the last minute. Then all bets are off.

      4. mt_head

        Re: Anti-mortar system?

        "The best block: no be there."

    4. low_resolution_foxxes

      Re: Anti-mortar system?

      If I recall correctly, Lockheed have a 50kW laser weapon that can just heat rockets until they explode from several km distance. It can quite easily destroy planes. No suggestion they stole the docs for this though, as I imagine Lockheed have a variety of laser/radar/thermal scanning equipment in their portfolio.

      I would personally not want to upset someone with that kind of weapon in the warehouse.

      1. EveryTime

        Re: Anti-mortar system?

        Laser systems aren't a magic kill against missiles. Most rely on melting a small spot on the missile skin and have aerodynamic forces tear it apart or start it tumbling. The simple approach of spinning the missile nearly defeats this, although it takes a more sophisticated or much simpler (e.g. the original sidewinder, which was awesomely clever) control system to do this.

        1. Anonymous Coward
          Anonymous Coward

          Re: Anti-mortar system?

          "The simple approach of spinning the missile nearly defeats this, although it takes a more sophisticated or much simpler [...]"

          An enhancement of primitive spears was to wrap one end of a short thong round the shaft several times. The other end was attached to the thrower's arm. When the spear was thrown the unwinding thong caused the shaft to spin - thus stabilising it in flight and increasing its accuracy.

    5. The Man Who Fell To Earth Silver badge
      WTF?

      Chaff

      This is why my computers have tons of documents about our super-secret transporter beam project, our time machine project, our Zombie project, our Afterlife project (code named “San Junipero”), aging reversal project, human-to-host project (code named “Westworld”), ...

    6. Anonymous Coward
      Anonymous Coward

      Re: Anti-mortar system?

      There are various C-RAMS ssytems that the US has based on 2+ gatling guns firing a lot of lead and incendinaries to make life hard:

      Daylight test fire

      In action at night

      Not sure of the effective hit rate but it looks like they can target between 25-30 incoming rounds between reloads.

  2. Mark Exclamation

    It is total and utter negligence that this contractor has allowed this information to be accessed by unauthorised individuals. Visser Precision should be barred from any further contracts, and whoever is/are responsible for their computer security (depending on if it's due to denied funding or just plain incompetence) should be locked up for a very long time.

    1. sanmigueelbeer

      That ship has sailed ...

      this contractor has allowed this information to be accessed by unauthorised individuals

      Oh that ship has sailed long, long time ago. As a matter of fact, that ship has even reached it's destination port and (may have) offloaded highly-classified cargo before anyone knew about it.

      1. robidy

        Re: That ship has sailed ...

        Quite, ransomware is likely a secondary infection to a not so sharp nation state actor.

    2. EricM

      You are not really familiar with computer security, are you?

      As a virtual real world example :

      Try to secure a building. You use Perimeter controls, fences, secure doors, alarms, etc. Not hard, right?

      Now try to imagine to secure a building where fences have holes you cannot see. Where walls have doors you cannot see. Some walls that used to exist forever are gone the next day. Some walls only look like walls when in reality they are just props from a film set. Where people that you cannot control are working on structural changes and who routinely refuse to tell you what they did. Where alarms notice some trespassers while ignoring others. Where you learn one day that while you thought you had the only keys to the building, the company who made the doors was handing out every key to every door they ever made to anyone who asked...

      Good luck with that...

      1. Chris G

        Re: You are not really familiar with computer security, are you?

        To expand on your real world analogy, real world security is mostly about making it harder and more difficult to enter premises or steal a car.

        It doesn't make it impossible to enter, given enough time and some tools anyone can break into a bank vault or office but time is whatvreal word thieves don't have, they will be discovered and caught.

        Infoscabs on the other hand can operate unseen and mostly undetected usually until it is too late, even when they are detected, it is usually only their virtual presence o are difficult to catch and prosecute physically.

        1. Anonymous Coward
          Anonymous Coward

          Re: You are not really familiar with computer security, are you?

          "Infoscabs on the other hand can operate unseen and mostly undetected usually until it is too late"

          That is down to who is watching, like in the real world, scouting the place, usually don't notice them, but if they have found a way which isn't monitored, they may be able to get in unnoticed. It's this part which is the problem. Most places will say that they monitor everything, when in fact they monitor nothing, just log, or have random crap showing up. They don't know what to look for.

          Like with the bank job, someone cutting into a vault isn't normal, so is picked up and reported. Someone being some where they shouldn't is less likely to be, depending on who found them.

          Most stuff with online security is post break in as the people monitoring do not know what to look for as people do not know what our of the ordinary, unless it's so blatent.

        2. Trollslayer
          Thumb Up

          Re: You are not really familiar with computer security, are you?

          And the owner still has to be able to drive the car.

      2. Intractable Potsherd

        Re: You are not really familiar with computer security, are you?

        @EricM: "Now try to imagine to secure a building where fences have holes you cannot see. Where walls have doors you cannot see. Some walls that used to exist forever are gone the next day. Some walls only look like walls when in reality they are just props from a film set. Where people that you cannot control are working on structural changes and who routinely refuse to tell you what they did. Where alarms notice some trespassers while ignoring others. Where you learn one day that while you thought you had the only keys to the building, the company who made the doors was handing out every key to every door they ever made to anyone who asked..."

        Now imagine the liability if you used that place to store hugely valuable stuff. You would have done your due diligence on the building before using it, and not taken someone else's word for its security. To do otherwise would find you liable for civil and possibly criminal action.

        The problem with infosec is that there is too little liability when things go wrong. It needs to hurt if you use a movie-prop instead of a reinforced wall.

        1. Pascal Monett Silver badge

          Re: It needs to hurt if you use a movie-prop instead of a reinforced wall

          If you're the one choosing that, then yes, but the problem is that you're counting on somebody who told you the wall was solid concrete, when actually it was just thin plaster.

          This is the state of computing today : Microsoft denies all responsibility if something goes wrong, anti-virus vendors do the same, everyone is functioning under "best effort" rules, and along the line, someone forgot the concrete.

          Not to mention that it is not specified how the miscreants managed to get into position to encrypt the files. A click on a wrong link is not too far-fetched.

          The real problem is that a defense contractor did not have sufficient intrusion detection. I'm guessing they had backups, but that won't keep the scum from publishing.

          Security is hard, that's for sure.

          1. amanfromMars 1 Silver badge

            Re: It needs to hurt if you use a movie-prop instead of a reinforced wall

            If you're the one choosing that, then yes, but the problem is that you're counting on somebody who told you the wall was solid concrete, when actually it was just thin plaster.

            This is the state of computing today : Microsoft denies all responsibility if something goes wrong, anti-virus vendors do the same, everyone is functioning under "best effort" rules, and along the line, someone forgot the concrete. ..... Pascal Monett

            So simply complex misdisinformation is the problem bastard child, Pascal Monett?

            A little twisted brother to the monstrous fcukup presently busy destroying money, bond and stock markets with their portfolios of bankrupt zombie operations and grand theft autocracies professed and processed to be untouchable and omnipotent rather than be known terrified of that and/or those au fait with being invisible and omniscient.

            Is that why dodgy corrupt command and control systems cannot handle novel information which they do not possess?

        2. EricM

          Re: You are not really familiar with computer security, are you?

          > Now imagine the liability if you used that place to store hugely valuable stuff. You would have done your due diligence on the building before using it, and not taken someone else's word for its security. To do otherwise would find you liable for civil and possibly criminal action.

          Accept criminal liability for security in a world where invisible doors exist and you cannot tell concrete and cardboard apart?

          I'd get a new job immediately, since no amount of due diligence will make sure I have not overlooked one of the invilible doors. Or that no new door will pop up due to changes made by somebody else tomorrow.

          1. Intractable Potsherd

            Re: You are not really familiar with computer security, are you?

            @EricM: "... security in a world where invisible doors exist and you cannot tell concrete and cardboard apart?" That is part of what I'm talking about - is it a fundamental truth that invisible doors and papier maché walls will exist? If so, why?

            "... no new door will pop up due to changes made by somebody else tomorrow." Surely this is part of the problem - too much reliance on "somebody else".

            "... no amount of due diligence will make sure I have not overlooked one of the invisible doors." Then a new model is needed, and liability is a very effective way of doing that. Currently, we are at the pre-Factory Act* level, with risk externalised. That risk needs to become internal so that the metaphorical factories are built properly.

            *Not exactly analogous I admit, but illustrative.

            1. EricM

              Re: You are not really familiar with computer security, are you?

              > That is part of what I'm talking about - is it a fundamental truth that invisible doors and papier maché walls will exist? If so, why?

              Neccesarily. Whatever you need to do in computer security, securing Websites, Web-Apps or simply securing documents inside a company, you need to work with existing (and continually changing) hardware, firmware, drivers, operating systems, network protocol implementations, firewalls, management solutions, etc.

              Every component you work with is updated regularly (if you do it right). This means a) known bugs a closed, b) new features are added and c) new bugs are introduced, every single one a potential new door.

              On all architecture levels mentioned above - simultanously.

              > too much reliance on "somebody else".

              Yes, every application you create/run/maintain today sits on a ton of other software you cannot control.

              OK, you _could_ try to create a for example document management solution based on your own Hardrware, firmware, drivers OS, own network stack, own firewall code and finally own application.

              But you'd need to invest thousands (millions?) of man-years to create and test tons of new new code.

              And with an overwhelming probablitity your own code will have many more bugs than the stuff already on the market that has been tested in in thousands of installationson.

              So, yeah, relying on somebody else is a problem, but having to code everything up from bare matal yourself would pose a worse problem in terms of security, let alone feasability.

              1. Intractable Potsherd

                Re: You are not really familiar with computer security, are you?

                @EricM: Thanks for a comprehensive explanation of the current situation. However, you can't derive an "ought" from an "is". The current situation has grown into a clusterfuck, but lack of liability is part of that. There is no incentive to fix it at the moment - you (and I'm sure you are good at your job) are dependent on the weakest coder working for the lowest bidder. Given that the importance of computers to modern society is more important than coal to the industrial revolution, this cannot, morally or practically, be allowed to go on - this the law needs to step up and wield a baseball-bat to the industry.

            2. Anonymous Coward
              Anonymous Coward

              Re: You are not really familiar with computer security, are you?

              I’m currently being pressured into doing stupid things because people who don’t have my skill set think it’s a better way of doing my job.

              That’s why stupid invisible doors in invisible walls get built.

              Another 1 I spotted the other week, a part of the business complaining network connectivity isn’t working, demanding we escalate to get it to work. Simple questions like what is the hi level design and what do you need to connect to what go unanswered, just demands to allow through ip ranges but no detail as to what to allow the, through to. An old change request raised Over a year ago showed a change was made 3 weeks ago to accommodate this request and was performed by a junior engineer who did not question the intention and applied access to an existing rule.

              Turned out the access they needed was to a cloud deployed system, not managed by us with no visibility by us, and we have had no further contact from that business unit since they fixed their issue. Questions about PII/Pci etc also unanswered.

              That unnecessary access they got implemented is still there though. Can I get a change approved to remove it, no, who’s gonna pay for that?

              That’s how invisible doors in paper thin walls get made. no one is ever going to close it

      3. smudge

        Re: You are not really familiar with computer security, are you?

        Now try to imagine to secure a building where fences have holes you cannot see....

        So you encrypt your data when it's at rest.

        You may not see the holes, but you should know where they will be. You set up firewall rules with a whitelist for the only permitted external connections. You disallow externally initiated conections through the firewall, although I'll accept that in this case the ransomware probably initiated connections from inside the firewall - though it's still worth seeing what you could do in that area.

        And ultimately, of course, if the sensitivity of the information is great enough, you air gap your systems - with no connections to the outside world.

        And so on....

        1. EricM

          Re: You are not really familiar with computer security, are you?

          Sure you do that - you block all known attack vectors to access the data.

          Until someone comes up with a new idea or - as is likely in this case - someone turns an authorized user's computer into a trojan horse that effectively steals the documents.

          For encryption at rest:

          Many people think that's a silver bullet, however, if continous accessability of the information is part of the requirement (which is true in most cases) you need to distribute the password/private key in some form to the point of access, otherwise even the authorized end user cannot read and work with the data. That's why I tend to view most implementations of encryption at rest somewhat as snake oil. The just make it somewhat harder to extract cleartext data.

          Same problem with air-gapping systems.

          In this case you need to bring every user of the data behind the air gap. Which excludes such a solution from most real-world scenarios.

          Especially in complex distributed development, where optimized sharing of documentation/information is regarded as key to mission success..

      4. tip pc Silver badge

        Re: You are not really familiar with computer security, are you?

        Another analogy is to invest trillions in people technology, buying influence etc etc to learn state secrets and then declare some secret about a foreign state to your president who then blabs about it on tv or twitter.

        All the security, processes and technology won’t defeat that unless the process is not to tell the President for fear of unraveling everything.

        1. Anonymous Coward
          Anonymous Coward

          Re: You are not really familiar with computer security, are you?

          Allowing internet access to your secure systems is fundementally a bad decision if you want to retain security.

          Again with the banking analogy breaking in is one thing getting out with the loot is another, if the only way to access the data is by physically being in a secure and policed area then the chances of catching the bad guy before he causes you real issues are much better than where the bad guy can be sitting at home in a different country.

          Given the number of recent US security breaches that were down to "security inept"/stupid contractors not taking the same security measures as their client then one wonders if allowing extrernal contractors is really a good idea, assuming of course that these leaks are not intentional misdirection.

          1. Anonymous Coward
            Anonymous Coward

            Re: You are not really familiar with computer security, are you?

            in the olden days, default gateways where to a black hole on each site and each router.

            We are now being asked to implement default gateways so that cloud services work, from Meraki, to Google services, to ring central, to zoom, to cloud hosted offerings with Load Balancers.

            fundamental basic security is continually undermined to enable stupid cloud offerings that replace perfectly functioning internal systems.

      5. Anonymous Coward
        Anonymous Coward

        Re: You are not really familiar with computer security, are you?

        You forgot to add "And where the security staff make genuine, justified access to the building such a nightmare of locks, checks and sheer bloody-mindedness that every employee who can arranges his or her own private gate into the most secure areas.

      6. Wibble

        Re: You are not really familiar with computer security, are you?

        * Security

        * Ease of use

        * Low cost

        Pick any two

    3. robidy

      That's awesome if you want a cover up, in cyber security the most effective operate a blame free culture, learning from mistake and implementing effective controls.

      Please don't get a job in cyber security, we need to reduce breaches.

      ...and yes I suspect it was started by something basic...just someone opening an email on a system due a patch that day.

    4. NeilPost

      Is it not total negligence that these companies allowed this Contractor/Partner what seems casual access to commercially sensitive and perhaps classified military tech - and allows them to download it into their organisation.

      I mean WTAF?!

      1. Irongut Silver badge
        Thumb Down

        So you expect a contractor to work on a project without any of the information for that project? It'll be good when you can go back to school and stop bothering the grown-ups.

    5. Malcolm Weir

      This sort of data sounds like sensitive, but not classified, information (a category called "controlled unclassified information", CUI). In the US, the prevailing attitude is not that suppliers "should be barred" so much as noting that they (Visser) may have difficulty getting new contracts from their customers (whose data they allowed to leak)...

    6. Trollslayer

      Risk management

      There is always risk and one incident is not statistically significant.

      The time they have gone without a successful attack is.

    7. ecofeco Silver badge

      I'm not getting all your downvotes.

      Visser is obviously at fault there.

  3. Free treacle

    Terrifying to think industry leaders in security practices can be hit so badly by an attack. This must have been highly targetted to access this level of information; I wonder how they did it?

    I stand with Lockheed Martin on the handling of the situation though; as soon as the data was lost the worst had already happened. Throwing money down the pit doesn't guarantee the data can be recovered or kept/leaked. Never pay the ransom guys.

    1. Anonymous Coward
      Anonymous Coward

      "Terrifying to think industry leaders in security practices can be hit so badly by an attack."

      I'm not surprised by anything these day, IT is now a sector were it is considered an improvement by itself to put your data elsewhere.

      Security and continuity are just a paper excersize these days, GDPR isn't making a difference at all in practice. And decision makers neither care nor understand IT at all these days. All they do is make chairs rotate until they get the answer they want to hear.

      There surely will be exceptions but there is definitely a trend going on.

      1. NeilPost

        GDPR isn’t making a difference... because the 2 high profile fines go BA and Marriott were deferred/put to appeal.

        In the current economic catastrophe/climate, they will be watered down to nothing.

        Without fines that hurt badly, GDPR will continue to be ignored. Perhaps some CEO jail-time is a happy medium in these trying times. That won’t put a burden on the companies. Willie Walsh - 12 months in the Scrubs.

        1. BebopWeBop

          A bit tough on the other inhabitants of Wormwood?

        2. robidy

          R u havin' a tough time quarantining?

    2. AndrueC Silver badge
      Stop

      It also sends a useful message to these scum: Don't bother attacking us again - you're just wasting your time and risking your freedom for nothing.

      If everyone did that in such situations (and including kidnappings) the crimes would be far less common. Every time someone gives in to extortion they propagate the evil practice.

      1. Anonymous Coward
        Anonymous Coward

        Knock one down, pass it around...

        Um, yeah, but it's hard to be one of the first 99 sops that are sampled for backbone. In other words, your being safe from the prospect of extortion requires a lot of sacrifice from others. You know, the 'they' you mentioned in passing...

        1. robidy

          Re: Knock one down, pass it around...

          Doesn't make him wrong.

        2. Doctor Syntax Silver badge

          Re: Knock one down, pass it around...

          Having the data encrypted and trusting someone who says they'll sell you the keys is one thing. But if someone has actually got a copy of your material which is going to be valuable to others would you really trust them not to sell it on however much you pay them? If you can trace them it would be better to spend the money on some heavies. Real heavies.

          1. Anonymous Coward
            Anonymous Coward

            Re: Knock one down, pass it around...

            Not really. Because they could have heavies of their own. HEAVIER heavies.

      2. IGotOut Silver badge

        "If everyone did that in such situations (and including kidnappings) the crimes would be far less common. "

        Rubbish.

        If that were the case, places with the death penalty would have no murders. Oddly in the US states with the death penalty tend to have the highest murder rates.

        1. Richard 12 Silver badge
          FAIL

          Very, very wrong

          A murder is almost always either an end in itself or a side effect of the intended crime. People commit murders because they either very much want someone dead, or because "something went wrong" when threatening murder to commit some other crime.

          Extortion, kidnapping and blackmail are neither of those things. They are always a means to an end, never an end in themselves. Usually it's to get money, but sometimes other things.

          If it did not get them money etc, they wouldn't bother with ransomware. They'd do something else that does get them the money.

          Oh, and the penalty is not particularly relevant, only the chance of having the penalty applied.

          The death penalty also means mass murder is safer than one murder, because leaving witnesses means a higher chance of conviction.

      3. amanfromMars 1 Silver badge

        We’re all in this together .... is for suckers and plonkers.

        Every time someone gives in to extortion they propagate the evil practice. ....... AndreuC

        Is government taxation an evil extortion practice? How well are the trillions paid into such unicorn coffers delivering for you? Have you received your £10,000 yet for working from home or is that only for members of Parliament and locally elected legislative assemblies .... https://www.belfasttelegraph.co.uk/news/health/coronavirus/coronavirus-ni-mps-defend-offer-of-extra-10000-expenses-for-working-from-home-39117858.html

      4. ShadowDragon8685

        > If everyone did that in such situations (and including kidnappings) the crimes would be far less common.

        By the same logic, a bulletproof solution to hostage-taking as any kind of tactic at all would be a policy of killing everyone, hostages included.

        For some reason, people get notoriously pissy if you slaughter their kinfolk as the sacrificial lambs to ensure that would-be hostage-takers know that you don't fuck around and have an explicit policy of ensuring a 100% kill ratio of hostage-takers at any cost.

      5. David 164

        In this case, all the good stuff they probably tried selling it to third parties first, who probably turned and said they already had it all!

    3. bombastic bob Silver badge
      Devil

      "I wonder how they did it?"

      Chances are, the same way RSA was hit some years ago - low level accountant's login/PC, spear-phished document, allowed scripting when previewing/opening such documents. On WIndows. In Outlook. Or with MS Office. And auto-run scripts aren't completely disabled. And the attachments get "clicked on" in the e-mail. Of course.

      It was like a running joke at this one place I was on site - "the accountant" regularly had to have her PC disinfected.

      I (and probably everyone else) regularly get these "invoice attached" e-mails with shady 'from' addresses, and of course, documents attached that I must view somehow to get the gist of the message. Fortunately for me, I'm NOT running windows (or in particular, Outlook) when I read my e-mail... NOR (especially) do I view e-mail as HTML [or run a mail reader that PREVIEWS ATTACHMENTS like Virus Outbreak probably still does]. (and don't even get me started on web mail... ugh). If everyone ELSE were to do this, we wouldn't have ransomware problems. General vulnerability would be too low for them to bother trying. "Safe Surfing" in other words.

      (and I also save files to disk and USE THE VIEWING APPLICATION ITSELF via "file open" or a command line if it appears to be something legit). "libreoffice filename" (from bash) usually works.

      1. Palpy

        Education is incomplete.

        To wit, where I used to work at least two outside engineers (not IT, construction) routinely emailed documents from unrecognized accounts (home? phone? WTF?) and subject lines like "heres pdf for filtration project plz review". The email itself would typically contain no text, just an attached document.

        It was a great way to prep an organization for successful spear-phishing.

        Idiots.

      2. Irongut Silver badge

        Ah Bob, I want to upvote your first paragraph but then you have to go all rabid in the second as usual. FYI I've run Windows and Outlook for the last 25+ years. Would you like to know how many virus infections I've had? None.

        Software has nothing to do with it. Sensible security practices like not opening messages from people you don't know or attachments that you're not expecting and have no message content are all that is really needed.

        1. Charles 9

          "Sensible security practices..."

          ...is an oxymoron in most places. And most times, the problem comes from up top, where saying no isn't an option.

    4. Version 1.0 Silver badge
      Pirate

      Q: I wonder how they did it?

      A: You research the target and send them an email that looks like something that they would expect to see and would open quickly. The email probably appear to be from (or might even have been sent from) Lockheed, SpaceX or another existing customer with a request for a new quote, payment details, a security notification, a spreadsheet, a link to a new project website, etc.

      Or you hack an employees computer at home and wait for them to log into work - remember that there have been a lot of information leaks like the Equifax leak that mean that the dark side of the web knows who's working for most companies - so you just pick the company that they want to target.

    5. a_yank_lurker

      I would guess a phishing attack that hit a target with enough permissions to be interesting.

  4. Anonymous Coward
    Anonymous Coward

    Nice of them to promise not to attack healthcare

    Oh wait, that was just during the current pandemic.

    Which kinda implies they consider healthcare a "legitimate" target at any other time. Which means they consider any and all of us as legitimate targets. Rather than paying them off, maybe the tech firms could consider using their resources to track these "people" down and pass the information on to someone capable of taking the scum offline " with extreme prejudice"?

    1. robidy

      Re: Nice of them to promise not to attack healthcare

      Not sure why el Reg mentioned that, other news outlets have run similar statements...there is no need for a nice side perspective of those holding people/data hostage.

    2. a_yank_lurker

      Re: Nice of them to promise not to attack healthcare

      rather permanently offline and left to see if vultures (real ones) have any standards.

  5. Lord Elpuss Silver badge

    "To their slight credit, DoppelPaymer has vowed to lay off attacking hospitals during the coronavirus pandemic."

    Excuse me? No credit whatsoever is deserved here.

    1. Wellyboot Silver badge

      None at all, it's just self interest in case they end up in a hospital facility that is attacked.

    2. Anonymous Coward
      Anonymous Coward

      > To their slight credit, DoppelPaymer has vowed to lay off attacking hospitals during the coronavirus pandemic.

      Yeah, No creidt deseved. they're just trying to score points there, and anyway, to me it read "hospitals are fair game outside the coronavirus pandemic".

  6. John Savard

    Pity

    Unauthorized possession of classified military information is a serious crime.

    Unfortunately, if these miscreants live in a country hostile to the United States, which would like to get its hands on American defense secrets, it's unlikely that this will help to lead to their prosecution.

    Thus, there's an urgent need to make nuclear weapons obsolete, so that the United States can have something better, with which to effect regime change in Russia and China. Then our computers will be safer, because ransomware scum would have no place to hide.

    While we're waiting for this to happen, though, Microsoft needs to fix Windows so that things like this just can't happen. If you want to install a disk encryption utility, that should have to happen before Windows boots up - in a special "install mode" of the operating system that you only get into if you want to, something like getting into the BIOS on startup.

    1. paulll

      Re: Pity

      "so that the United States can have something better, with which to effect regime change in Russia and China."

      Yeah and the UK needs to sort out Suez.

      No, I suspect those days are over ...

    2. Dog11

      Re: Pity

      make nuclear weapons obsolete, so that the United States can have something better, with which to effect regime change in Russia and China

      We badly need to effect regime change in the United States and the UK, too.

    3. Anonymous Coward
      Anonymous Coward

      Re: Pity

      No I don't think it is. Leaking it sure is. But just posessing it? Well that's just careless of the government to have lost control of custody of it.

  7. Aodhhan

    Why do people read something which was never stated.

    No government classified information was stolen or leaked in any of these instances.

    Don't assume, and don't read into things. Sensitive contractor information does not mean it's government classified information.

    No security is fool proof. If you believe the security you put up can never be breached, then it's time to find another job.

    InfoSec is mostly about MITIGATING threats, because you can never eliminate all of them. Even if you air gap your system.

    Legacy laptops, shadow ware, poor user habits, etc. can always find their way onto a system. Providing a means for attackers to penetrate a network.

    1. hayzoos
      Black Helicopters

      Re: Why do people read something which was never stated.

      You are correct in pointing out the article made no mention of classified material.

      Having previously worked for a defense contractor, I can say it was a definite possibility.

      I had said when ransomware first emerged, that it should be considered a data breach. If an outsider had enough control of your systems to encrypt some or all of your data, then you lost control of said data. They could do anything with the data not just encrypt it. They just found another way to monetize their break-in.

      As was alluded to in other comments, trying to secure a system built for frequent business transactions against malicious transactions requires monitoring for and knowing the difference between legitimate and not. You also must be able to block the illegitimate before significant damage can be done. Sometimes this calls for blocking some legitimate. Too much blocking causes pushback and an ordered lowering of security.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why do people read something which was never stated.

      Thanks for the misdirection. You must work for Boeing / Lockheed Legal or PR & Spin department.

      If it was technical then it was ITAR related.

      Which means it's government classified information.

      1. hayzoos

        Re: Why do people read something which was never stated.

        No misdirection. ITAR is not classified. ITAR is International Traffic in Arms Regulations which covers a surprisingly large swath of technology categorized as arms. PGP and other commercially available encryption when PGP was introduced was caught up in being categorized as arms. This resulted in restricted trade internationally, but not classified. ITAR is now not as far reaching as it was, but still sweeps in more than many think it should. Classified information has a whole 'nother realm of restrictions. Many companies in the Defense Industrial Base (DIB) setup specific subsidiaries for work involving classified contracts, it simplifies a lot administratively. These entitys will typically have certain cyber security controls dialed up higher than the average multinational conglomerate in order to be allowed to work with classified information. The feds do not really like to share classified internationally so it is sort of mutually exclusive to ITAR information which is shared, albeit tightly controlled sharing.

    3. Richard 12 Silver badge
      Facepalm

      Re: Why do people read something which was never stated.

      As they clearly got the ones they published, what else did they get, and who have they already sold it to?

      Assume they got everything, because they almost certainly did.

      Assume they did NOT publish all of it, because they'd be really stupid to give the actually "Secret" things away for free.

    4. Anonymous Coward
      Anonymous Coward

      Re: Why do people read something which was never stated.

      > No government classified information was stolen or leaked in any of these instances.

      That is exactly the kind of spin you'd expect if it's overflowing with hidden secrets and they want to dissuade anyone downloading and perusing the secret military weapons documents wow nothing of interest there obvs

  8. BebopWeBop
    Holmes

    have been stolen from an industrial contractor

    have been stolen from an industrial ex-contractor

    TFTFY

    1. Wellyboot Silver badge

      Company name change paperwork in the post...

      1. Doctor Syntax Silver badge

        Waste of time. It might work for a roofing contractor, defence contractors are likely get get checked more closely.

        1. robidy
          Paris Hilton

          You'd hope :)

  9. Anonymous Coward
    Anonymous Coward

    Bounty

    I've heard the bounty for the heads of the DoppelPaymer crew is one of the largest in the last 2 years. Will be great if the video is made public.

    They shouldn't have messed with such rich people.

    1. Anonymous Coward
    2. Alan Brown Silver badge

      Re: Bounty

      "I've heard the bounty for the heads of the DoppelPaymer crew "

      When you start fusking around with military systems there's a good chance there won't be enough left to say you have a head - more like a smear of strawberry jam.

      It's a bit like the ransomware gangs still targetting medical systems at the moment - people are about to start showing up mysteriously dead, having killed themselves with 3 bullets to the head and 2 to the heart

      1. Anonymous Coward
        Anonymous Coward

        Re: Bounty

        Only in America.

        Or the London Underground.

        1. NetBlackOps

          Re: Bounty

          Yep, everywhere else it's a Hellfire missile.

  10. Anonymous Coward
    Anonymous Coward

    Too many on here are giving the "victim" the benefit of the doubt.

    These days, there's a good chance security weaknesses are due to patches not getting installed because "it would stop xyz software running".

    There was a Reg report on the ransomware that crippled Maersk shipping a while back, that concluded that a year after the incident, many companies and organisations hadn't patched their software vulnerabilities because it would break legacy enterprise applications.

    Yes, there's a (potentially significant) cost penalty, but where this is the root cause, why should they not be held liable? If they can afford the cost of loss of business and reputation (possibly fatal), how come they can't afford the cost of keeping their systems up to date?

    If it was your bank that failed and cited that excuse, would you give them a free pass?

    1. Charles 9

      If attempting to update their systems stops them stone cold dead, they're just as screwed. Moreso because this WILL kill you, whereas a security breach only MAY kill you. Against those two choices, guess what happens?

      PS. And no, changing the software may not be an option as the designer of the software likely no longer exists, and trying to start from scratch again leaves you stone cold dead.

      1. Anonymous Coward
        Anonymous Coward

        That sounds like appeasement.

        Security mitigation isn't something that happens overnight - it takes concerted action at the top of the organisation. If they're willing to overlook their responsibility, that can only be negligence.

        Why should they get a free pass when other companies don't succumb to the same attack?

        1. Charles 9

          All they'll say is that those who haven't been breached simply haven't been hit as hard or didn't have inside help. In a world like this, it's hard to pick out the complicit from the simply incompetent, and experience isn't a good guide here.

      2. Anonymous Coward
        Anonymous Coward

        https://www.theregister.co.uk/2020/04/05/new_jersey_cobol_volunteers_mainframes/

        40 year old systems ?!?

        That's known as "being led by donkeys".

  11. Javc
    Mushroom

    Attacking weapons makers might not be the best idea

    Maybe one of the victims of this crime will make an example of DoppelPaymer. See icon...

  12. Anonymous Coward
    Anonymous Coward

    I can't really say I feel sorry for Lockheed Martin.. They have a history of thuggery themselves (bribing at the highest levels of the Dutch government for example): https://en.wikipedia.org/wiki/Lockheed_bribery_scandals . No love here for the Military Industrial Complex in general anyway.

    SpaceX's work I really do applaud though and I'm sad they were hit by this.

  13. cb7

    Ffs Microshit, sort this out already.

    1. How hard can it be allow a user to only allow apps they recognise to create/modify/delete files in standard user folders (Desktop, Documents, Downloads, Music, Pictures, Videos)?

    2. Disable VB script by default, allowing users to turn it on on a case by case basis

    3. Granted, any user daft enough to enable macros when opening a random file deserves what they get.

    I reckon that should prevent most if not all ransomware dead in its tracks?

    1. Charles 9

      Ever heard of click fatigue? IOW, never blame the user (who to Microsoft is the customer).

      1. cb7

        Yes I know most end point infections are the result of user error, but that's exactly why it's Microsoft's job to make a secure operating system.

        Allowing random snippets of code carte blanche access to user files is not my idea of a secure operating environment.

        Fewer infections leads to less money for the criminals which leads to even fewer infections till it basically becomes a worthless endeavour for the criminally minded.

        1. Charles 9

          "Yes I know most end point infections are the result of user error, but that's exactly why it's Microsoft's job to make a secure operating system."

          But as the saying goes, you can't fix stupid. You can't save the user from himself. If the user wants a system they can get under the good, either Microsoft delivers to the user's satisfaction or the user takes his/her money elsewhere, leaving Microsoft in the lurch. See the problem?

          IOW, if Windows throws up a warning that says, "Potentially dangerous attachment," and the user opens it anyway, then blames Microsoft for letting them get infected, what else can you do?

  14. Unicornpiss
    Black Helicopters

    International crime

    Well, now that military data has been stolen and distributed, whoever is running the scam can add espionage and possibly treason to the charges they will face, possibly even terrorism, which may be enough to allow international cooperation that didn't exist before, and extradition. Congrats guys, you've graduated to the big leagues. I'm sure there's a cell at Guantanamo with your name on it and a plausible explanation as to why you just disappeared..

    1. Charles 9

      Re: International crime

      Unless they have protection from a hostile power...preferably one with nukes...

      1. Alan Brown Silver badge

        Re: International crime

        "Unless they have protection from a hostile power...preferably one with nukes..."

        That protection will last as long as it takes to show they've been targetting medical facilities as well as miliitary ones.

    2. Anonymous Coward
      Anonymous Coward

      Re: International crime

      "which may be enough to allow international cooperation"

      LOL - you don't appear to have realised that 'King Trump is trying to start wars with anyone who will take him on. The may be trade wars - but they are still wars, as they are designed to inflict casualties.

      When you attack so-called allies, don't be surprised if they don't have your back.

  15. oldfartuk

    What baffles me is why someonelike Lookheed doesnt just emply some more hackers to fight thes scum back. The website they dump the docs on for example, is an obvious target. This is war ,surely.Put out a ransom dead or alive on the entire mob, $100,000 a head, somone will soon grass them up.

    1. Anonymous Coward
      Anonymous Coward

      The ethics and legal counsel of such businesses can't get over the ramifications of hacker employees potential going rogue. The companies could lose their crown jewels.

      Governments, on the other hand, have no such qualms - it's only tax payers money after all :/

      1. Charles 9

        But what about THEIR crown jewels? Aren't they afraid of them being hacked and sold to a hostile power?

  16. swm

    Back to paper documents

    Maybe we should just go back to paper documents prepared on a typewriter. Number the copies (if any) and do not allow copying (no copying machines in the secure area). This would require a physical breach to compromise.

  17. CommanderGalaxian

    Ransomware scumbags are indeed scumbags.

    Exactly why contractors who are supposed to operate at Top-Secret level able to be hacked by some smelly teen in his mum's basement, is he real question that needs asking,

    1. Anonymous Coward
      Anonymous Coward

      Money.

      And no accountability at executive level.

      Same as it's always been.

  18. Twanky

    Look on the bright side

    From the article: When the company failed to pay the ransom by their March deadline, the gang – which tends to demand hundreds of thousands to millions of dollars to restore encrypted files – uploaded a selection of the documents to a website that remains online and publicly accessible.

    At least Visser got some of the information back - and they didn't have to pay.

    More seriously: They also got a clue as to how long the bad guys had been in their system; long enough to steal the data before encrypting it in place. At least, I hope they reacted and didn't allow the encrypted data to leave their system after the ransom demand. If I was running a ransomware racket, I'd want to take a close look at any data that the target was prepared to pay to get back.

  19. HammerOn1024

    So when...

    Are we going to stop coddling these fiends? Look, find them, do not arrest them. Put a TOW through their front door, douse the remains in kerosene and set it alight. Shoot anyone who comes out.

    It's time to treat these people no better than 17th century pirates; kill them on sight.

    1. Unicornpiss
      Alert

      Re: So when...

      That seems a bit drastic for a situation where no one was physically harmed, though I wouldn't shed too many tears if this became the policy. Might want to see if there are innocent family members present, and probably not a great idea if your (presumably properly investigated, tried, and convicted) suspect lives in an an apartment block..

      1. Anonymous Coward
        Anonymous Coward

        Re: So when...

        Doesn't normally stop the SWAT teams.

        Shoot first, ask questions of the dead later, seems to be their policy.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like