The REvil cybergang hit a defense contractor whose customers include the U.S. military in a brash test of President Biden’s tough talk seeking to deter cyberattackers bombarding America.
The Russia-linked REvil claimed it stole 23 gigabytes of data belonging to HX5, a Florida-based defense contractor working on aerospace and weapon launch technology that lists its clients as including the Army, Navy, Air Force, NASA, and General Services Administration. It first published screenshots of some of the allegedly stolen material on a website, “The Happy Blog,” on Wednesday.
Targeting a company with U.S. military customers indicates that cybercriminals have not changed their behavior because of threatened action by the U.S. government and Mr. Biden, according to cybersecurity professionals.
Brett Callow, a threat analyst at the software company Emsisoft, said that ransomware groups have previously targeted defense contractors but REvil was sending a warning as its attack unfolds.
“This is a bit like a kidnapper sending the pinky finger rather than the head,” Mr. Callow said.
Cybersecurity professionals have linked REvil to Russia, although it operates with a business model featuring affiliates who deploy attacks from all across the world.
Mr. Biden has been under pressure to respond to the onslaught of ransomware attacks on the U.S. after he drew a “red line” on cyberattacks at a June 16 summit with Russian President Vladimir Putin.
White House press secretary Jen Psaki said Thursday that the Biden administration would continue to send a “clear message” to Russia about cybercriminals working within its borders. But she refused to say what the U.S. government would do to enforce its ultimatums.
“If the Russian government cannot or will not act against criminal actors residing in Russia, we will act,” Ms. Psaki said. “In terms of what we will do, I’m not in a position, of course, to discuss operations.”
A wave of ransomware attacks has hit U.S. businesses and organizations in recent months, including schools, medical facilities, and companies such as major U.S. fuel provider Colonial Pipeline.
REvil is the same group that previously disrupted major meat producer JBS and that hit the software company Kaseya last weekend in a ransomware attack that the company said affected under 1,500 businesses downstream from its customers.
The gang has made its intentions known through posting allegedly stolen information on HX5, which declined to comment on the cyberattack.
Money motivates ransomware attackers who hold data and systems hostage until victims pay up to regain access. REvil has proven to be an innovative cyberattacker that is interested in both burnishing its reputation and pocketing loot, said Reuven Aronashvili, who previously served in the Israel Defense Forces and founded the cybersecurity company CYE.
He said REvil’s targeting a defense contractor demonstrates its capability and helps cement its status as a top ransomware attacker.
“They managed to get credibility on their capabilities and no one is not taking them seriously anymore,” Mr. Aronashvili said. “I think that’s part of the process. Now whether that’s connected to a government behind it that conceals the data, buys the data, and so on, that is something that, of course, can be another business model.”
Details about what REvil allegedly took from HX5 and whether the attack affects its U.S. government customers are unclear. The screenshots posted by REvil display alleged personal information of HX5 employees, including a social security number and the personal data included in a life insurance policy for an HX5 executive.
The Army and Navy declined to comment on the cyberattack hitting HX5 and each referred questions to U.S. Cyber Command, which did not respond to requests for comment. The Air Force did not respond to requests for comment. The General Services Administration said it was not a victim of the REvil attack on Kaseya, but it did not answer questions about REvil hitting HX5.
NASA said it did not have information about HX5 or the cyber incident but that it continuously coordinates with the Cybersecurity and Infrastructure Security Agency on emerging cyberthreats.
In a March interview with cybersecurity publication The Record, a REvil representative claimed to have access to a ballistic missile launch system, a U.S. Navy cruiser, a nuclear power plant, and a weapons factory. The unidentified REvil representative professed to have the ability to start a war but no intention of doing so because it wouldn’t be profitable.
Mr. Aronashvili cautioned against believing all of REvil’s assertions or discounting them entirely.
“One thing that we can say about them is that they manage to have a lot of credibility in the market and usually when they say that they have something, that’s something that usually they can prove,” he said. “However, when you talk about this kind of high-profile targets sometimes people are bragging a little bit more than they have, so I believe that the truth is somewhere in the middle there.”
• Jeff Mordock contributed to this report.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.