Content, Breach

Hackers Breach IT Consultant’s Network to Steal NASA Data

The DopplePaymer cyber extortionists have breached the network of an IT consulting firm for the U.S. National Aeronautics and Space Administration (NASA), the hackers said in a dark web blog post.

There’s some irony in the heist against Digital Management Inc. (DMI), a Maryland-based contractor, whose customer list includes government agencies in addition to NASA and a host of Fortune 100 companies. According to a ZDNet report, shortly before revealing that it had breached DMI’s walls, DopplePaymer congratulated NASA and Space X with "successful launch . But as for NASA, their partners again don’t care about the data…”

At this point, it’s not clear how far into DMI’s network the hackers progressed. DopplePaymer also claimed to have addled 2,583 servers and workstations. As proof of entry, DopplePaymer posted 20 archive files the gang claimed to have pilfered from DMI’s infrastructure, including human resource files and project plans, the ZDNet report said.

DopplePaymer is one of several ransomware gangs that publishes sensitive materials from hacked companies to threatens victims with selling their data on dark web forums. Less than a month ago, the REvil (Sodinokibi) hacking group published dozens of emails online of what it called President Trump’s “dirty laundry,” that turned out to be a dud seemingly of no consequence. The syndicate has since said it sold a second round of Trump-related emails on the dark web. And, earlier this week the REvil crooks announced on the dark web Happy Blog that they will auction off stolen files taken from a Canadian agricultural production company that REvil says has so far declined its extortion demands.

A clue as to how far DopplePaymer may have marched into DMI’s network or if they broke in at all came from the files DopplePaymer posted with designs for military equipment from Lockheed-Martin and some documents relating to SpaceX’s manufacturing partner program. Three months ago, Dopplepaymer pulled off a breach and ransomware attack on Visser, a precision parts supplier to aerospace and automotive corporations such as Lockheed, Tesla, SpaceX and Boeing. At the time, Adam Laub, Stealthbits chief marketing officer, said that the “scary thing” about ransomware variants such as DopplePaymer wasn’t extortion threats from exfiltrating data but it needed only “read”-level access to copy files. “DopplePaymer doesn’t need to go to the same lengths as other variants to compromise entire systems and gain administrative rights,” he said. “DopplePaymer can exploit the over-permissive access rights that virtually every user has to steal data over months or even years undetected."

DMI has yet to comment on the report. However, the MSSP would not be the first nor the last third-party cybersecurity supplier to see its network breached as a door into a larger prize. The FBI and U.S. Department of Homeland Security (DHS) have repeatedly warned MSSPs, MSPs, CSPs and their technology platform providers to lock down their systems and data. In a network traffic report released early this year, cybersecurity solution provider Dark Cubed said MSPs increasingly face a “deliberate, systematic and ever-increasing barrage of attacks launched … by malicious actors and criminal organizations.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.