EWA, based in Herndon, Virginia, has 271 employees listed on LinkedIn. As the company's name suggests, EWA's professional services and products involve electronic warfare, cybersecurity and advanced commercial test tool systems. Although the overall scope of the incident was not disclosed, an EWA letter provided a high-level summary of the incident.
The EWA Phishing Incident Disclosure
Among the details:
- A threat actor infiltrated EWA email on August 2, 2021, according to a November 4, 2021 disclosure from the defense contractor.
- EWA discovered the incident when the threat actor attempted wire fraud.
- EWA doesn't believe the hacker was striving to obtain personal information.
- Still, the threat actor's activities did result in the exfiltration of files containing certain personal information -- including name and Social Security Number and/or driver's license number, EWA said.
- The contractor worked with outside counsel and a third-party forensics firm to investigate the incident.
- EWA is now offering fraud detection and identity theft protection through Equifax's Complete Premier services at no charge for two years.
U.S. Government Supply Chains and Security Awareness Training
The phishing incident is the latest red flag to rise over the U.S. federal government supply chain. Amid continued attacks, the Biden administration and the Department of Defense (DoD) have taken multiple steps to safeguard U.S. government agency supply chains and associated contractors. Key moves include President Biden's executive order on cybersecurity and the CMMC (Cybersecurity Maturity Model Certification), which sets cybersecurity requirements for contractors, MSPs and MSSPs.
The U.S. government's battle against cyberattacks and phishing extends beyond contractors. For instance, pending legislation -- called the American Cybersecurity Literacy Act -- could require the National Telecommunications and Information Administration (NTIA) to fashion a literacy campaign that raises the American public’s knowledge and awareness of cybersecurity risks.
MSSPs and MSPs, meanwhile, have been rolling out security awareness training services to end-customers. The SaaS-based services typically send simulated phishing emails to the customers' unsuspecting users. Over time, the subscription services train those users to more effectively spot, avoid and report phishing-related emails and other scams.