Legacy systems strike again, as a Windows 7 computer running at the industrial operation of a UK military contractor was compromised by LockBit. The outfit has confirmed that some information about military bases was stolen in the data breach, but insists that none of it was confidential or highly sensitive.
The contractor, Zaun, designs and manufactures mesh fencing systems used to secure UK military bases and intelligence sites. When it initially disclosed the data breach, it reported that it was able to intervene before anything was stolen. That has since been revised to indicate that some documents, including emails and project files, did make it out the door.
Contractor says information taken in data breach is of limited utility
The Wolverhampton-based company made a public disclosure of the data breach on September 1st. The breach, described as “sophisticated,” took place from August 5th into August 6th. Though Zaun walked back its initial claim that no data was stolen, it has confirmed that its systems were not encrypted by LockBit’s ransomware.
The technical details are probably the most interesting part of the incident, as the attackers apparently compromised a computer running manufacturing machine software that was still outfitted with Windows 7 (which last received any kind of security updates from Microsoft in January of this year). It is not uncommon for specialized industrial equipment designed to last for decades to run outdated software, but such systems are also generally air-gapped, or at least cut off from the internet-connected portion of the company network.
This did not appear to be the case in this data breach, as Zaun said that it believes the stolen data was limited to that particular PC but that there is a “risk” that data was taken from company servers. Zaun says that about 10 GB of data was stolen, or less than 1% of its total assortment of stored information. It is unknown exactly how much of this stolen data pertained to UK military bases, but the company said that “historic emails,” orders, drawings and project files were accessed.
The Zaun statement notes that it is public knowledge that the company provides fencing to military bases, and that these products are also available for general purchase and physical inspection by anyone (with support and user manuals available for download via the company website). The company thus asserts that the data breach presents no added security risk for any of its clients.
Zaun also stated that the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) are now involved with the case.
Data dumps reveal information about military bases; contractors still using outdated equipment
LockBit has since attempted to extort Zaun and subsequently dumped some of the stolen data on the dark web, which does appear to contain information pertaining to UK research, intelligence and military bases that make use of the company’s fences. However, there is not yet a clear indication that anything involved in the data breach is classified or particularly sensitive. Zaun is approved as a contractor for equipment installations at sensitive sites by the Centre for the Protection of National Infrastructure (CPNI), but does not hold the higher government clearances granted to firms that act specifically as security contractors.
LockBit has been one of the most active ransomware groups of late, accounting for about 20% of all attacks targeting primarily English-speaking countries in 2022. However, security researchers have noted a distinct drop in data breaches attributed to the group since April of this year. The group is still fairly active, but an early August study by security researcher Jon DiMaggio found that the group grew faster than it was prepared to handle and is struggling both with infrastructure issues and with leaking stolen data in a timely manner. This has reportedly prompted some of its top technical talent and affiliates to leave for greener pastures, and it is having trouble drumming up replacements.
Outdated legacy equipment in military bases and other secure areas is far from unheard of, though such systems are generally quarantined to as great a degree as possible and monitored continually. Though the standard version of Windows 7 has not seen updates since 2020 (and never will again), estimates by various sources throughout 2023 have put it at anywhere from 3% to 9% of the PC market, and some software and services have been slow to wean lingering customers off it. Windows 8.1 (which also saw its final security update this past January) has a comparable share, though in its case likely more because of individual users frustrated with the forced update schemes of Windows 10 and 11.
Stephen Gates, Principal Security SME with Horizon3.ai, notes that operating systems from 25 years ago can still be found anywhere from business environments to military bases: “As the cyberthreat landscape continuously changes, manufacturers face a unique set of IT challenges, as well as the real, physical ramifications that impact their bottom lines. Today’s attackers fully understand the disadvantages manufacturers face, especially in terms of their reliance on various computing systems, antiquated operating systems, commercial and custom-built applications, and lots of devices – some new and some incredibly old.
“Many manufacturers likely have some older computers still in use that are running operating systems no longer supported. Although the older computers work just fine for the minimal tasks they perform, they can easily become an enabler of a successful breach,” added Gates.