Maze Ransomware Gang Hits Defense Contractor ST EngineeringNuclear Missile Support Firm Westech Also Attacked By Gang
The prolific Maze ransomware gang has been tied to yet more attacks, including against Singapore-based defense contractor ST Engineering. The firm has confirmed that its North American subsidiary, VT San Antonio Aerospace, was successfully attacked by the crypto-locking malware gang, although divulged no timeline for when the attack occurred.
In a statement posted Sunday and shared via email with Information Security Media Group, Ed Onwe, vice president and general manager of VT San Antonio Aerospace, says Maze gained entry to its network, and that the attack successfully encrypted a number of systems.
ST Engineering is a global aerospace, maritime, smart city and defense contractor with about 23,000 employees worldwide.
The company did not state exactly when the attack took place or how much damage was done.
"Upon discovering the incident, the company says it took immediate action, including disconnecting certain systems from the network, retaining third-party forensic advisors to help investigate and notifying appropriate law enforcement authorities," according to VT San Antonio Aerospace.
The company also has begun informing any potentially affected customers and is continuing to conduct an investigation into the incident.
But ST Engineering says the attack has been mitigated. "At this point, our ongoing investigation indicates that the threat has been contained and we believe it to be isolated to a limited number of ST Engineering's U.S. commercial operations," Onwe says. "Currently, our business continues to be operational."
Stolen Data Gets Leaked
Already, however, samples of stolen data have been published to Maze's dedicated data-leaking site, security research firm Cyble reported on Friday.
Cyble's warning that Maze is leaking data stolen from the firm have been confirmed by Brett Callow, a threat analyst with Emsisoft. He says that Maze claims to have stolen about 1.5 TB of data from ST Engineering, and to have begun leaking the data to its dedicated, Tor-based leak site to try and force the victim to meet attackers' ransom demand.
"The problem in these cases is that it's impossible to say what information the actors may have obtained," Callow tells ISMG. "All we know is what they've posted so far, and they don't typically start by posting the 'crown jewels' as that would less companies' incentive to pay to prevent the remaining data being published."
Westech Also Attacked
The VT San Antonio Aerospace breach is not the only Maze attack that's recently come to light.
Last week, a spokesperson for defense sector firm Westech confirmed to Sky News that the company's internal information systems were attacked and that some files and data were encrypted by Maze ransomware.
Westech International has a broad presence in the U.S. defense infrastructure. In addition to supplying engineering support and maintenance to the country's arsenal of Minuteman III ICBMs, the company delivers similar services to several U.S. Air Force bases and the Army's Intelligence Electronic Warfare Test Directorate and works with the Department of Energy. The Albuquerque, New Mexico-based company's website says it has about 150 employees.
The Westech spokesperson also told Sky News that once the breach was spotted, the company moved to contain the issue. The company has brought in an outside computer forensic firm to investigate the attack.
A Westech representative did not immediately reply to a request for comment.
Maze's Extortion Tactics
In late 2019, Maze led a major transformation of ransomware gangs' tactics when it began exfiltrating data from its victims and then threatening to make the data public if a ransom didn't get paid. At least a dozen other gangs quickly adopted the same extortion tactics.
Such shakedown efforts continue. In May, for example, Maze started releasing payment card data from an attack earlier this year at Banco BCR, the state-owned Bank of Costa Rica (see: Ransomware Gang Posting Financial Details From Bank Attack).
In addition, the operators of Maze also now appear to be helping other cybercriminal gangs post and auction off their own stolen data (see: Maze Promotes Other Gang's Stolen Data On Its Darknet Site).