
DoppelPaymer Ransomware Strikes NASA Contractor, 2,583 Servers Held Hostage, Data Leaked

The DoppelPaymer ransomware gang published a blog post congratulating SpaceX and NASA on their first successful crewed rocket launch. Shortly after, the criminals broke the news that they had infected the network of one of NASA’s IT contractors. The online post said DoppelPaymer ransomware had successfully breached the network of Digital Management Inc. (DMI), a Maryland-based company providing managed IT and cyber security services on demand. Other organizations affected by the NASA contractor breach include major Fortune 100 firms that use DMI’s services. The ransomware gang posted 20 archives on the dark web to prove its claims.

Data breached by the DoppelPaymer ransomware gang

Documents released from the breach indicate that DoppelPaymer ransomware accessed a variety of records, including HR documents and project plans from the NASA contractor. The released employees’ details matched those on their profiles on the networking site, LinkedIn.

According to a statement from DMI, “We recently became aware of a data security incident that affected our corporate systems. When we discovered the issue, we immediately took all systems offline, engaged third-party security experts to aid our investigation, and worked to safely restore systems in a manner that protected the security of information on our systems. We are continuing to investigate the incident and we are working to enhance the security of our systems to help prevent this type of incident from occurring in the future.”

The DoppelPaymer ransomware gang operates various online hacking forums where it releases samples of compromised data to intimidate victims into paying the ransom. Failure to pay leads to the release of all files, potentially causing irreparable damage to the affected organization.

DoppelPaymer ransomware has resorted to tactics employed by another notorious ransomware operator, Maze ransomware, that uses double extortion to force compliance. The affected NASA contractor has not indicated whether ransom negotiations are an option.

REvil (Sodinokibi) ransomware has also begun selling its stolen data instead of leaking it for free when victims refuse to budge. Previous ransomware attacks involved locking the computer users out of the system and holding onto the data if they failed to pay up. However, criminals have become more brutal and will use any means possible to blackmail companies.

Similarly, there is no guarantee that the criminals will release the encryption keys or abstain from selling the data online after receiving the ransom. Thus many companies feel obliged to ignore the ransom demands to avoid rewarding bad behavior or undergoing more losses.

The extent of the cyber attack on NASA contractor

DoppelPaymer ransomware gang published a list of 2,583 servers and workstations they currently hold hostage from the attack. The cybercriminal gang says the devices in question were part of DMI’s internal network. The affected NASA contractor has not released any statement regarding the breach.

Details are sketchy on how DoppelPaymer ransomware managed to carry out such a large-scale attack on a reputable NASA contractor. It is, however, very likely that the gang gained access to the systems by targeting employees working for the affected NASA contractor.

Javvad Malik, Security Awareness Advocate at KnowBe4, says it remains a mystery how DoppelPaymer ransomware succeeded in carrying out such an attack.

“It’s unclear as to how the DoppelPaymer ransomware gang infiltrated DMI, or how far they actually got. However, it raises the important point of ensuring security throughout the supplier and vendor ecosystem. It’s not just enough for organizations to secure their own systems, but they should be conducting due diligence and adequacy checks with all of their partners and suppliers with procedures in place in how to respond to an incident and share information.”

In early April, NASA released a memo informing workers and contractors of a new wave of malware targeting federal employees, warning them that cybercriminals were targeting NASA’s electronic devices, networks, and personal devices.

The warning said hackers were targeting the organization hoping to steal sensitive information, spread misinformation, conduct scams, and carry out distributed denial of service (DDoS) attacks. Unfortunately, NASA’s warning did not prevent the breach from taking place.

Apart from DoppelPaymer ransomware, other threat actors such as Ryuk and Maze ransomware gangs have concerted their efforts to exploit the current COVID-19 crisis to gain unauthorized access to systems.

Concerns over supply chain cyber security

The frequency of successful ransomware attacks against government agencies raises concerns over the security measures adopted by various federal contractors. Another ransomware attack struck a nuclear missiles contractor, Westech International, leaking sensitive information and holding data ransom.

Such contractors form a weak link that cybercriminals exploit to access sensitive information from federal agencies. The large-scale attack will probably have dire consequences for the reputation of the NASA contractor.

Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, commented that: “Supply-chain cyberattacks from vendors or business partners can blind-side businesses who haven’t accounted for that potential risk. It’s critical that all organizations perform due diligence on any business partner with access to their data or network.”

He adds that organizations can mitigate such situations by having contractual agreements on data safety measures.

“Effective management strategies can include implementing contractual requirements that all vendors or contractors follow information security best practices and are themselves regularly tested to confirm that no security issues that could threaten the organization are present.”

According to Clements, accounting for possible disruption of business partners should also be part of risk management. These practices should include safeguards and controls to ensure that partners’ access is segmented from the main IT environment, reducing the potential damage from breaches involving business partners.