Unanswered questions remain about the MoD breach
Who is responsible, and what does it mean for defence procurement?
News of defence contractor Zaun suffering a major cyber breach last month at the hands of the Russia-linked LockBit ransomware group has sent shockwaves through the MoD and the British government.
With thousands of documents containing sensitive site and contract information relating to military bases, secret government sites, prisons and the like being dumped on the dark web, obvious questions are being asked, such as: how secure are our defence establishments?
This is incredibly embarrassing to both the MoD and the government, and highlights once again the ever-increasing risk and impact of supply chain breaches. While it is reasonable to assume that primary defence contractors, those that provide weapons systems and the like, are subjected to a high level of InfoSec due diligence, it does bring into question how much is conducted on the many ancillary contractors, such as Zaun, which in this case supplies security fencing.
Information about the type of data stolen suggests it relates mostly to physical security controls, which in itself is very useful to a threat actor planning a physical attack of some sort. However, there will also be a wealth of valuable intelligence about people, systems, processes, plans, diagrams, partner contractors and so on, which could be useful reconnaissance not only to criminal threat actors but also to nation-state intelligence agencies.
As to who actually did this, the problem is that LockBit is a RaaS (ransomware-as-a-service) operation: the core group supplies the malware and the leak site, while any number of affiliates carry out the actual intrusions. That means the culprit could be any one of those affiliates, and the true motive remains unknown.
However, the fact that the attacker(s) have dumped a large amount of data on the internet about a month after taking it suggests this could be just your standard opportunistic ransomware playbook, rather than something more sinister.
If it was purely ransomware, then, since we know the data theft occurred last month, it is possible that Zaun refused to pay the ransom, or at least delayed beyond the threat actor's patience. As we have often seen recently with this double-extortion model, plan B is then to dump all the data onto the internet.
Deny, deny, deny
I'm always sceptical when I see boilerplate statements such as "X is a victim of a sophisticated cyber attack and has taken all reasonable measures to mitigate any attack on our systems", because nine times out of ten they actually got in quite easily, and "reasonable measures" is somewhat subjective and open to interpretation.
Zaun's statement, "LockBit will have potentially gained access to some historic emails, orders, drawings and project files. We do not believe classified documents were stored on the system or have been compromised.", highlights another concern. It is the "we do not believe" part of that sentence that is concerning; to me, it translates to "we don't completely know what was taken", which brings into question how reasonable those "reasonable measures" actually are.
It is important to note that LockBit itself is not the means of entry: it is the encryption and extortion payload, deployed only after the attackers have already gained a foothold, typically via phishing emails, stolen or guessed remote-access credentials, or exploitation of an exposed service. It would appear that the threat actors had time to get in, perform some lateral movement, have a good snoop around and steal large amounts of data before deploying LockBit. That again raises the question: what were the "reasonable measures" doing while all this was going on? This is a defence contractor, remember.
Whether this was an opportunistic hit-and-run ransomware attack or something more targeted is irrelevant; the fact that the attackers got in and then dumped a load of security-sensitive defence data on the internet has potentially weakened this country's security at a time of raised international tensions, and government ministers should be concerned.
The price procurement problem
While the MoD in particular is under continual pressure to reduce costs and make savings, it is reasonable to argue that procurement decisions, particularly in the ancillary space, could be raising the risk of cyber compromise.
If the decision to choose a particular supplier is weighted heavily on price at the expense of other factors, such as assurance of cyber security, this can lead to the wrong corners being cut.
I'm not saying this is the case with Zaun, but would argue that due to cost, there will be contracts being entered into with companies that do not necessarily have the level of cyber security governance and controls appropriate for defence contracts in the current climate. And with increasingly complex and ever longer supply chains, the MoD probably doesn't have the resources to scrutinise every supplier and validate their sub-suppliers to an appropriate level for the contract type.
This incident involving Zaun is a very loud alarm bell, and I do hope someone in government is listening.
Ian Hill is a cybersecurity professional with more than 25 years' experience. He has previously held senior security roles at companies including KCOM, Royal BAM Group, BGL Insurance and Upp.