Australia-based American defense contractor Austal USA has confirmed a cyber attack after the Hunters International ransomware group listed the company on its data leak site and shared samples of the stolen data as proof.
Austal USA is a contractor for the US Department of Defense (DoD) and the Department of Homeland Security (DHS), undertaking major U.S. Navy shipbuilding programs.
With five shipyards in four countries and a workforce of 4,300, Austal produces various sea vessels, including offshore patrol cutters, landing craft, floating docks, combat ships, autonomous boats, and submarine components. The company reported $1.585 billion after delivering nine ships in 2023, with another 40 scheduled or under construction.
The Hunters International ransomware group has threatened to leak 43 files containing 87.2MB of sensitive data from the American shipbuilder.
Austal’s cyber attack had no impact on the defense contractor’s operations
Claiming there was “no impact on operations,” the defense contractor said it quickly remediated the cyber attack, launched an investigation, and notified regulatory and law enforcement authorities.
“Regulatory authorities, including the Federal Bureau of Investigation (FBI) and Naval Criminal Investigative Service (NCIS) were promptly informed and remain involved in investigating the cause of the situation and the extent of information that was accessed.”
The defense contractor found no indication that the threat actor accessed any personal or classified information from its systems.
“Not many companies get to say that,” said Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4. “I hope Austal shares how they were able to stay up operationally, without impact, in light of the fact that they were successfully compromised by a ransomware group known to encrypt data.”
Nevertheless, Hunters International has threatened to publish sensitive data, including financial details, recruitment information, compliance documents, and engineering data.
Even if classified data was likely not compromised, the cyber attack would raise eyebrows in the Pentagon and Washington D.C., potentially undermining trust in the defense contractor. However, the shipbuilder is taking full responsibility for the cyber attack.
“Austal USA recognizes the seriousness of this event and the special responsibility we have as a DoD and DHS contractor. Our assessment is on-going as we seek to fully understand this incident so that we can prevent a similar occurrence,” said the company.
Austal has not disclosed the attack vector exploited by the Hunters International ransomware.
“The response from Austal doesn’t say how the attack happened,” said Grimes. “Was it social engineering, unpatched software or firmware, or a password attack? It would be nice to know that so Austal could confirm they had taken the appropriate steps to prevent it from happening again.”
This is the second cyber attack impacting the US defense contractor within five years. In October 2018, Austal USA suffered a ransomware attack after hackers obtained compromised login credentials from the dark web.
Similarly, Austal is hardly the first defense contractor to suffer a devastating cyber attack in 2023. In April, shipbuilder Fincantieri Marinette Marine suffered a ransomware attack that impacted production.
About Hunters International ransomware group
Hunters International is a ransomware-as-a-service (RaaS) operation that employs double extortion to pressure victims into paying ransom.
The cybergang demands a ransom for the decryption key after encrypting data and threatens to leak stolen information if the victim refuses to pay for the decryptor.
Despite the group’s denial, cybersecurity analysts believe the ransomware gang is a rebrand of the defunct Hive ransomware based on source code similarities.
Hive’s operations were disrupted after the FBI seized its European servers and generated 300 decryption keys for the active victims and another 1,000 for the previous victims, denying the group $130 million in ransom.
Unlike Hive ransomware, Hunters International has been moderately successful, listing a dozen organizations from various countries on its ‘.onion’ data leak site.