While it was likely not something that created a serious threat to national security, a data breach of a contractor to United Kingdom military bases has once again put a spotlight on supply chain and vendor issues in cyber defense.
Zaun, a manufacturer of mesh fencing used to secure the perimeters of certain UK military bases and airports (among other clients), disclosed that they were hit by Lockbit last week. The company says that it was able to fend off the group’s ransomware, but that some non-confidential information about its products and clients was exfiltrated.
The incident raised alarms for several reasons. One was that Zaun first reported that no client information was taken, before updating that assessment to disclose that information about military bases was stolen. Another is that the data breach was due to a Windows 7 PC in its facilities that was somehow internet-accessible.
Contractor says August breach did not expose sensitive secrets of military bases
Some of the stolen information has emerged on Lockbit’s data leak site, and it does appear to contain information from several research and military bases in the UK. But Zaun insists that nothing is compromising, as the firm does not handle a level of classification that would include military secrets and the fences it installs are also available (complete with specs) to the general public.
With no successful install of ransomware and no particularly sensitive information stolen, Lockbit may have struck out on this particular data breach. It would appear that Zaun has already refused payment at least once given that data was leaked. Though still very active and a serious threat, the group has reportedly been limping along lately as it loses affiliates and staff to other ransomware gangs.
This is probably especially frustrating to Lockbit given that they came across a Windows 7 system in the wild. While it is far from uncommon for specialized equipment to be controlled by outdated versions of Windows that cannot be updated, these systems are generally disconnected from the internet unless absolutely necessary and under special and continual security monitoring if they are.
Data breach exposed emails, purchase orders, but possibly nothing sensitive
The data breach disclosure came at the beginning of September, but the incident appears to have taken place toward the beginning of August. The machine that was compromised might have last had security updates in January of this year, if the contractor purchased a Professional or Enterprise license for it; otherwise its last update would have been in early 2020.
It remains unclear whether or not the Windows 7 PC was connected to the company network. Zaun says that it believes the stolen data (about 10 GB worth) was all stored locally on the PC, but there is a “risk” other network data was accessed. Given that emails were reportedly stolen, and given that the data breach assessment has already been revised at least once, it seems prudent to assume it was in fact connected to the company network.
Zaun has involved the appropriate authorities given that military bases are involved, with the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) now investigating.