US nuclear weapon contractor attacked by REvil ransomware

Sol Oriens hit by ransomware back in May: data for sale by the REvil group


Reports show[1] that a private US contractor working for the Department of Defense (DoD) and the Department of Energy (DoE) was hit by ransomware in May 2021. It has now come to light that the assailants were a well-known Russian-backed cybercriminal group called REvil.[2]

The hackers have posted a list of companies whose information they managed to steal and are now about to auction off, and Sol Oriens is listed as one of them. The cybercriminals state that they've stolen both business data (salary information, etc.) and employee data (social security numbers, names, addresses, etc.).

To prove that they really possess the company's private information, they've posted samples of wage statements, payroll documents, and hiring forms.[3] Because an auction has been announced, we presume that the breached company did the right thing and refused to give in to the hacker group's ransom demands.

In a released statement, the company claimed that it has no knowledge of any classified client information or critical security-related information being compromised. However, an ongoing investigation will reveal the magnitude of the cyberattack. The breached company will inform all affected individuals and entities as soon as the investigation concludes.

What is Sol Oriens, and why is this hack significant?

The company is based in Albuquerque, New Mexico, and employs around 50 people.[4] Although it helps the DoD, aerospace contractors, and technology firms carry out complex programs, its main contract is with the Department of Energy's National Nuclear Security Administration (NNSA).[5]

The NNSA is the government agency in charge of securing and maintaining the US nuclear weapon stockpile. Therefore, the company works with extremely sensitive information, and its employees have various connections across strategic national security entities.

It is not yet known whether the company was attacked because of the work it does and the relationships it holds with government agencies, or whether the cybercriminals were simply financially motivated, saw an opportunity, and grabbed it. Either way, ransomware attacks are getting more and more hazardous.

Hacker group chooses high-level targets for their attacks

The REvil group is a ransomware-as-a-service (RaaS) enterprise that infects victim networks with ransomware, malware that encrypts all non-system files on targeted computers or networks so that the criminals can demand ransom payments for the decryption key.

One of the group's peculiarities is that before encrypting the victim's files, it first exfiltrates large volumes of them. It holds the stolen information as leverage until a very large ransom in Bitcoin is paid to its account. If victims refuse to pay the assailants, they auction off the stolen company information on their dark web leak site, called Happy Blog.

The cybersecurity community first spotted the REvil hackers' activity in April 2019.[6] Since then, the group has made headlines multiple times for attacking and crippling major organizations. During the last two months, the cybercriminals have managed to attack JBS Foods, the biggest meat processor in the world, and Quanta Computer, a supplier for Apple. The group is reportedly making over $100 million per year and, like many other hacker organizations, is believed to be operating from Russia or other CIS countries.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-Chief.
