Sol Oriens, a small consultancy that supports United States nuclear weapons programs, is the latest victim of the cybercriminal group REvil, the gang behind the ransomware attack on meat processor JBS earlier this month. The group now claims to have stolen data from Sol Oriens and is auctioning it on its dark-web leak site.
According to BleepingComputer, which had access to that dark-web page, one of the companies listed in the group’s stolen-data auction is Sol Oriens, which describes itself as a “small technology consultancy with strong potential for military and space applications […] We help the Department of Defense and the Department of Energy Organizations, Aerospace Contractors and Technology Firms carry out complex programs.”
As evidence, the group published a screenshot of a stolen company document containing employee hiring data, pay information and a salary report. The group claims to hold further company documents, including data on business partners and customers as well as employees’ Social Security numbers.
In response to a request for comment from CNBC, Sol Oriens confirmed that in May of this year it identified a cyber attack on its network and that it is still investigating the incident. The company’s statement was posted on Twitter by journalist Eamon Javers; it reads: “We have recently determined that an unauthorized individual has acquired certain documents from our systems.”
The company also said it is working with a third-party computer forensics firm to investigate. “Once the investigation is completed, we are committed to notifying the individuals and entities whose information is involved,” the statement concludes, as conveyed by Javers.
The REvil group
Andrew Brandt, a security researcher at Sophos and author of the study “Relentless REvil, revealed: RaaS as variable as the criminals who use it”, explains that REvil, also known as Sodinokibi, is a cybercriminal group, probably of Russian origin, that develops the ransomware of the same name and operates on the ransomware-as-a-service (RaaS) model: it develops the malware and leases it to other criminals (affiliates), who carry out the intrusions, and the ransom proceeds are split between the two parties.
“For a common ransomware that has been around for a few years, REvil/Sodinokibi manages to do considerable damage and demand ransom payments of millions of dollars. Its success is due, in part, to the fact that, as a ransomware-as-a-service offering, each attack is different. This makes it difficult for defenders to know the warning signs to watch out for,” the researcher explains in a press release.
According to Brandt, the criminals who choose to work with the REvil group’s malware can be very active and persistent. “In a recent REvil attack investigated by Sophos, data collected from a compromised server showed approximately 35,000 failed login attempts occurring within a five-minute period, originating from 349 different IP addresses spread all over the world,” he explains.
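The pattern Brandt describes (a burst of failed logins from many source addresses inside a few minutes) is something a defender can check for directly in authentication logs. The following is an added example, not code from Sophos or from the article: it parses sshd-style “Failed password” lines, slides a five-minute window over them and raises one alert per burst that exceeds both an attempt threshold and a distinct-source threshold. The log lines are constructed sample data, and the thresholds (10 attempts from 5 sources) are assumptions chosen to make the sample trigger; on a real host the numbers would be tuned to its baseline.

```python
"""Sliding-window detector for distributed password guessing in sshd logs.

Added example (not Sophos' or the article's code). The log format, the
year assumed for syslog timestamps and the alert thresholds are assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample data: a short burst from six sources, then two stray
# failures hours later that should not trigger, plus two non-failure lines.
SAMPLE_LOG = """\
Jun 11 03:14:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jun 11 03:14:02 bastion sshd[2232]: Failed password for root from 198.51.100.7 port 40011 ssh2
Jun 11 03:14:04 bastion sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Jun 11 03:14:09 bastion sshd[2234]: Failed password for invalid user test from 192.0.2.33 port 38812 ssh2
Jun 11 03:14:15 bastion sshd[2235]: Failed password for root from 198.51.100.7 port 40012 ssh2
Jun 11 03:14:22 bastion sshd[2236]: Failed password for invalid user oracle from 203.0.113.88 port 60001 ssh2
Jun 11 03:14:30 bastion sshd[2237]: Failed password for root from 192.0.2.33 port 38813 ssh2
Jun 11 03:15:01 bastion sshd[2238]: Failed password for invalid user admin from 198.51.100.200 port 44100 ssh2
Jun 11 03:15:17 bastion sshd[2239]: Failed password for root from 203.0.113.5 port 51124 ssh2
Jun 11 03:15:44 bastion sshd[2240]: Failed password for invalid user git from 192.0.2.120 port 55321 ssh2
Jun 11 03:16:02 bastion sshd[2241]: Failed password for root from 198.51.100.200 port 44101 ssh2
Jun 11 03:16:40 bastion sshd[2242]: Failed password for root from 203.0.113.88 port 60002 ssh2
Jun 11 09:02:11 bastion sshd[3105]: Failed password for root from 198.51.100.7 port 40500 ssh2
Jun 11 09:02:40 bastion sshd[3106]: Accepted publickey for deploy from 198.51.100.7 port 40501 ssh2
Jun 11 09:03:50 bastion sshd[3107]: Failed password for root from 198.51.100.7 port 40502 ssh2
Jun 11 09:04:02 bastion sshd[3107]: Connection closed by 198.51.100.7 port 40502 [preauth]
"""

# syslog timestamp, host, sshd[pid], then the OpenSSH "Failed password" message
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class Event(NamedTuple):
    when: datetime
    user: str
    ip: str


def parse_failed_logins(text: str, year: int = 2021) -> list[Event]:
    """Return one Event per failed-password line; other lines are ignored.

    Syslog timestamps carry no year, so the caller supplies it (assumption).
    """
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(when, m["user"], m["ip"]))
    return events


def detect_bursts(events, window=timedelta(minutes=5),
                  min_attempts=10, min_sources=5) -> list[dict]:
    """Slide `window` over the events and emit one alert per burst.

    A burst is open while the window holds at least `min_attempts` failures
    from at least `min_sources` distinct IPs; the alert records the burst's
    first and last failure and the peak counts seen while it was open.
    """
    recent: deque[Event] = deque()
    alerts, current = [], None
    for ev in sorted(events, key=lambda e: e.when):
        recent.append(ev)
        while ev.when - recent[0].when > window:   # drop events outside the window
            recent.popleft()
        sources = {e.ip for e in recent}
        over = len(recent) >= min_attempts and len(sources) >= min_sources
        if over and current is None:
            current = {"start": recent[0].when, "end": ev.when,
                       "attempts": len(recent), "sources": len(sources)}
        elif over:
            current["end"] = ev.when
            current["attempts"] = max(current["attempts"], len(recent))
            current["sources"] = max(current["sources"], len(sources))
        elif current is not None:                  # burst has ended: finalize it
            alerts.append(current)
            current = None
    if current is not None:
        alerts.append(current)
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_failed_logins(SAMPLE_LOG)):
        print(f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}: "
              f"{a['attempts']} failures from {a['sources']} sources")
```

Run against the sample, the detector reports a single burst (03:14:01 to 03:16:40, 12 failures from 6 sources) and stays silent on the two isolated failures in the morning. Raising `min_sources` above the number of distinct attackers suppresses the alert entirely, which is the trade-off to keep in mind: a distributed campaign like the one Sophos observed is easy to catch on distinct-source count, while a single slow source needs a per-IP or per-account rule instead.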
REvil has been a persistent threat to businesses since it was first identified. In March of this year, the group was reported to be responsible for the ransomware that hit the American audio equipment manufacturer Bose.
In April it was the turn of Gigaset, a German smartphone maker, and of Quanta, one of the largest notebook assemblers in the world and one of Apple’s main partners in assembling Macs.
Also in March, Acer, the well-known Taiwanese computer and monitor manufacturer, was compromised by ransomware developed by REvil.
In June alone, a month that has not yet ended, the group was reported to be responsible for the attack on JBS, whose parent company is headquartered in São Paulo (SP) and which paid a ransom of US$ 11 million to the criminals. The May attack on Colonial Pipeline, which paid close to US$ 5 million (about R$ 25 million) to recover its encrypted data, was the work of a different ransomware group, DarkSide.
Sources: BleepingComputer; Sol Oriens (LinkedIn); Eamon Javers; Sophos; TheHack.