UK Ministry Of Defence Documents Leaked After Supplier Hack

MoD documents allegedly leaked online after cyberattack on fencing supplier by Russia-linked LockBit ransomware gang

A British high-security fencing supplier, Zaun Ltd, has confirmed a “sophisticated cyber-attack” that apparently compromised data belonging to the UK’s Ministry of Defence (MoD).

Wolverhampton-based Zaun confirmed that on 5 and 6 August it was “subjected to a sophisticated cyber-attack on our IT Network by the LockBit Ransom group.”

Zaun is a specialist supplier of fencing solutions to many high-profile sites, including MoD locations. As a result of the Zaun attack, LockBit has reportedly published thousands of stolen pages of sensitive information belonging to the MoD.

Zaun breach

In its statement, Zaun said that its own cyber security had prevented the server from being encrypted by the ransomware attacks. It said that the West Midlands Regional Cyber Crime Unit is aware of the attack.

Zaun said that while its network was up-to-date, “the breach occurred through a rogue Windows 7 PC that was running software for one of our manufacturing machines.” The firm then removed the offending machine and closed the vulnerability.

“At the time of the attack, we believed that our cyber-security software had thwarted any transfer of data,” it added. “However, we can now confirm that during the attack LockBit managed to download some data, possibly limited to the vulnerable PC but with a risk that some data on the server was accessed. It is believed that this is 10GB of data, 0.74 percent of our stored data.”

“We are aware of an attack upon our servers by the Lockbit Ransom group at the beginning of August,” the firm said in a separate statement. “Our cyber-security systems closed the attack before they could encrypt any files on the server. However, it has become apparent that LockBit was able to download some data from our system which has now been published on the Dark Web.”

It said that LockBit will have potentially gained access to some historic emails, orders, drawings and project files, but it does not believe that any classified documents were stored on the system or have been compromised.

The National Cyber Security Centre (NCSC) has been contacted and the firm is taking their advice on this matter.

The ICO has been contacted as well.

MoD data

Unfortunately, the Mirror reported that LockBit has published on the dark web thousands of pages of MoD data concerning the HMNB Clyde nuclear submarine base, the Porton Down chemical weapon lab and a GCHQ listening post.

According to the Mirror, the leaked documents reportedly include details of equipment used at GCHQ’s satellite ground station and network monitoring site in Bude, Cornwall.

Cawdor Barracks in South Wales, which currently houses the 14th Signal Regiment of electronic warfare specialists, also saw data breached.

RAF Waddington in Lincolnshire, home to Reaper drones used in Afghanistan and Syria, also reportedly lost sensitive documents.

Detailed drawings for perimeter fencing at Cawdor and a map highlighting installations of the site are among the leaked papers, the Mirror reported.

LockBit ransomware

LockBit is one of the most active ransomware gangs in the world and is linked to Russia.

The United States this year offered $10m for information leading to the arrest of Russian national and key suspect Mikhail Matveev.

Matveev reportedly lives in the Russian enclave of Kaliningrad and regularly visits the Russian city of St. Petersburg.

Asked for comment by CNN at the time, Matveev replied with a video of a Russian man repeating the phrase, “I don’t give a f*** at all.”

LockBit has previously claimed responsibility for the ransomware attack on the Royal Mail earlier this year, and said it would publish stolen data if a ransom was not paid.

The Royal Mail refused to pay the ransom.

Previous LockBit victims also include TSMC, the world’s biggest chipmaker, and healthcare tech company Varian Medical Systems.

Access controls

The release of the MoD data prompted Mark Semenenko, director of solutions architecture at data security specialist Immuta, to highlight the need for ABAC (attribute-based access control), which enables purpose-based access to data to limit the risk of human-error data breaches.

“When a data breach occurs, such as the most recent case with the UK Ministry of Defence, it typically causes a knee-jerk reaction and prompts the impacted organisation to heavily restrict the data they share externally and internally,” said Semenenko.

“This has huge hidden opportunity costs and debilitates decision making,” said Semenenko. “A more successful strategy is based on the organisation’s approach to access controls when sharing data with third parties.”

“By employing fine-grained automated access controls with usage detection, the organisation can still benefit from sharing data but with the confidence that access controls remain accurate, sensitive data is protected and data is only used correctly,” he concluded.

Windows 7

Meanwhile Paul Brucciani, cyber security advisor at WithSecure (previously F-Secure), pointed to the fact that the breach occurred due to a rogue Windows 7 PC, and that Windows 7 support had ended on 14 January 2020.

Brucciani pointed out that Microsoft recommends that customers move to Windows 11, and advised organisations to utilise best practices for implementing a reliable operational technology (OT) protection system.

This includes minimising or removing altogether the connections between OT systems and internet-connected business systems – especially those of suppliers.

“LockBit has already been responsible for some of this year’s biggest cyberattacks as well as the exploitation of the MOVEit vulnerability,” said Brucciani.

“The significance of this attack is that by undermining IT security, it is also possible to undermine the physical security of its customers.”