Russian Ransomware Gang ALPHV/BlackCat Resurfaces with 300GB of Stolen US Military Documents

The infamous Russian ransomware gang ALPHV/BlackCat claims it stole troves of military documents from a Pentagon contractor.

The alleged data breach impacted Virginia-based IT services firm Technica Corporation, which the prolific ransomware gang claims has access to top-secret documents from US intelligence agencies. Technica claims it supports the Federal Government and its mission “to defend and protect America’s citizens.”

The alleged data breach impacted entities such as the FBI and the Defense Counterintelligence and Security Agency (DCSA), which is responsible for conducting background investigations and insider threat analyses.

When contacted, DCSA said it was aware of the alleged data breach and was working with relevant law enforcement agencies to address the issue.

ALPHV/BlackCat ransomware gang threatens to publish U.S. military documents

The ALPHV/BlackCat ransomware group has threatened to publish and sell 300 GB of stolen military documents unless Technica Corporation gets in touch.

“If Technica does not contact us soon, the data will either be sold or made public,” the ransomware gang threatened.

However, there is no guarantee that the ransomware gang would not pass the military documents to adversaries even after the military contractor pays the ransom.

The BlackCat ransomware gang also posted screenshots of the leaked military documents as proof, displaying the victims’ names, social security numbers, job roles and locations, and clearance levels. Other military documents include corporate information such as billing invoices and contracts for private companies and federal agencies such as the FBI and the US Air Force.

So far, the motive of the cyber attack remains unknown, but it’s common for threat actors to feign financial motives to conceal their true geopolitical objectives.

While the leaked military documents may not be classified, they still contain crucial personal information that state-linked threat actors could use for targeting.

“This situation demonstrates the critical need for cybersecurity measures and inter-agency coordination to protect sensitive information,” said Mark B. Cooper, President & Founder of PKI Solutions. “It highlights the importance of managing the security posture for each of the core services that manage sensitive information like identity and encryption through real-time tools for configuration and threats.”

ALPHV/BlackCat ransomware gang resurfaces

The ALPHV/BlackCat cyber gang is a ransomware-as-a-service (RaaS) operation that splits the proceeds of crime with its affiliates, who use its infrastructure to launch attacks.

First detected in November 2021, the BlackCat ransomware group is linked to FIN7 and the DarkSide hacking group responsible for the Colonial Pipeline ransomware attack.

By September 2023, ALPHV/BlackCat had compromised over 1,000 entities, including critical infrastructure organizations, demanded over $500 million, and received over $300 million in ransom payments.

The U.S. Department of Justice says that ALPHV/BlackCat ransomware attacks have resulted in hundreds of millions of dollars in losses and the destruction and theft of proprietary data.

In December 2023, ALPHV/BlackCat ransomware was the subject of a law enforcement action that resulted in the seizure of its infrastructure. The FBI used a confidential human source to infiltrate the gang after offering rewards of up to $10 million for crucial information related to hacking groups targeting US critical infrastructure.

The FBI used the access to collect 946 keys used for hosting various communication channels, data leak sites, and affiliate panels. Subsequently, the federal law enforcement agency provided a free decryption tool to over 400 organizations victimized by the BlackCat cyber gang, including schools, healthcare, emergency services, and critical manufacturers.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa Monaco. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

A day later, the ransomware gang claimed it had “unseized” its servers and resumed attacks, including on sectors previously declared off-limits.

BlackCat also announced it would allow affiliates to keep 90% of the ransoms paid. The offer was a desperate attempt to prevent affiliates from migrating to other RaaS operations after the FBI takeover.

However, the rival ransomware gang LockBit capitalized on the opportunity and invited BlackCat ransomware developers to join its “stronger infrastructure” and continue with their software development work.

The alleged data breach, if confirmed, would mark the return of the ALPHV/BlackCat ransomware gang.