June 11, 2020

Last week Sky News reported that hackers had stolen data from nuclear missile contractor Westech International’s computer network. Using MAZE ransomware, hackers encrypted Westech’s machines and pressured the company to pay up or see their materials published online. At present, it is clear that the hackers were able to access sensitive employee information. What is not known is whether the hackers were able to access the company’s military classified information. As the Sky News article notes:

The information exposed in these incidents could potentially be of interest to other nation states and present a risk to both national security and to the safety of service personnel.

Given the potential damage attacks like these can cause, it is important for U.S. defense companies of all sizes to reconsider how they protect their important information. How can they protect the information they share not only internally but also with their contractors upstream and suppliers downstream?

Westech International – the missile supply chain under assault

Westech International is a subcontractor for one of the largest prime contractors in the country, Northrup Grumman. Westech provides support for the Minuteman III intercontinental ballistic missile, which is the land-based component of the US nuclear deterrent. Each missile has the potential to travel farther than 6,000 miles, about one quarter of the earth’s circumference.

While it is unclear which of Westech’s files the attackers got access to, files already released indicate the hackers had access to such sensitive information such as email and payroll. Even if Westech pays the ransom, there’s no guarantee that the criminals will destroy the stolen data, especially if it has a high market value. They’re no longer in control of the damage.

Vulnerability of the DIB

The Maze attack is only the most recent high-visibility attack. Just last spring, Visser Precision, a supplier to major defense contractors and Lockheed Martin, was attacked with Doppel Paymer ransomware. Last fall, Airbus was attacked by Chinese hacking group Avivore. Avivore compromised Airbus by going after its downstream suppliers such as engine-supplier Rolls-Royce and tech consultancy Expleo.

These attacks follow a well-known narrative that attackers will go after subcontractors several levels down – rather than the prime contractor itself. The CMMC was designed in recognition of these attacks and in an effort to improve cybersecurity standards of primes and their subs. Katie Arrington, who leads the CMMC initiative, noted several months ago:

Adversaries aren’t going after a Lockheed Martin, at the top prime level, they’re going after the small business, that [Small Business Innovation Research awardee], that [other transaction authority firm] that’s the most vulnerable.

How to protect sensitive data

Technology providers’ standard solutions are maintaining off-site back-ups, patching. and using secure passwords to fight off ransomware. None of these approaches offer any protection against attackers who have breached the server. Once they breach the server, they have your data. As is well known in the tech community, it’s not a matter of if you will be hacked. It is only a matter of when and attackers can always get in.

Westech and Visser had data exposed because attackers were able to access and hijack their cloud environment. They should have instead ensured that even if attackers are able to access the data, they are never able to decrypt it and read it.

A system like PreVeil’s follows this model. By using end-to-end encryption to protect user email and files, PreVeil secures data so that it is only ever read by the sender and recipient and no one else. End-to-end encryption ensures data is only decrypted on the endpoints. Never in the cloud.Hackers trying to access data through the server will only see scrambled, non-sensible information.

Moreover, end-to-end encryption protects users’ identity by creating a private key which is stored on their device. This key is established at the time of account creation and, unlike a password, cannot be guessed or spoofed. A hacker cannot access an email or file that has not been shared with their account.

The Solution

Doing a better job at protecting our country’s sensitive missile defense systems starts with using better systems for protecting that information. We urge contractors to consider using end-to-end encryption to protect data on their platforms.

PreVeil supplies many aerospace and defense industry contractors with its end-to-end encrypted solution – a secure, cloud-based platform that provides encrypted email and file sharing protected by end-to-end encryption. With PreVeil, large tier prime contractors and smaller suppliers alike can confidently exchange their IP.

Learn more about how PreVeil can help your A&D company protect its IP. Contact our sales team.

[gravityform id=”11″ title=”false” description=”false” ]

Author

Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP

Noël Vestal is a CMMC Certified Professional and CMMC RP with over 15 years in DoD IT program management. She implemented the NIST 800-171/CMMC Level 2 compliance program for an OSC member of the DIB. She has her Master of Science (M.S.) in Information Technology and holds certifications from the CMMC Accreditation Body (CMMC AB) as a CMMC Certified Professional (CCP), CMMC Registered Practitioner (RP), CMMI Associate, and holds additional certifications including, Project Management Professional (PMP), and CompTIA’s Security + certification.

Orlee Berlove has been a marketing leader for over 25 years, and is currently the Senior Director of Marketing at PreVeil. She has her Masters of Engineering, Operations Research and her Bachelor of Arts from Cornell University.