Elon Musk is in the news once again, but this time as the victim of a crime. The LockBit ransomware group claims that it was able to penetrate SpaceX via a third party vendor, and is holding design documents that it is threatening to sell to the aerospace pioneer’s competitors.
Texas-based Maximum Industries, a third party vendor that does laser cutting for the manufacturing industry, is the direct victim of the LockBit ransomware attack. But the gang says that it obtained some 3,000 SpaceX engineering drawings from the caper, leaking several of the documents as proof of its claims along with a signed non-disclosure agreement. It is now attempting to blackmail SpaceX, demanding that Elon Musk come to the negotiating table.
One of the files that the LockBit ransomware gang leaked appears to be part of a Raptor V2 engine schematic. The Raptor is the proprietary engine used by the SpaceX launch vehicle, and the V2 is an improvement to the original decade-old model that is still a fairly recent development. The third party vendor that was breached is located near Dallas, about a two hour drive from where SpaceX produces the Raptor engines.
The LockBit ransomware gang posted the document samples on March 13, and threatened to start an auction in a week if it did not first come to a payment arrangement with SpaceX. The group said it would also leak more of the drawings in five days if negotiations were not initiated.
The LockBit ransomware attack is not the first time a cyber criminal gang has captured SpaceX documents and threatened to leak them, nor is it the first time a third party vendor was the cause of the breach. Nearly the same scenario unfolded almost three years ago to the day, when the DoppelPaymer ransomware gang broke into SpaceX and Tesla contractor Visser Precision, stole internal documents from both companies involving parts and threatened to leak them if not paid off. In that case, however, the criminals targeted Visser Precision for a payment, and when the third party vendor refused to pay they ended up leaking the documents the following month.
Breaches at SpaceX potentially impact more than just Elon Musk’s aerospace projects and bottom line. The company has had over $2 billion in federal government contracts in recent years. Most of these come from NASA, but some are national defense projects, most notably the “Starshield” military satellite system meant for use by Space Force. It is unclear at this time if any sensitive defense information was taken by the LockBit ransomware group. Musk famously had his security clearance put under review by the Pentagon in early 2019 after he was seen smoking marijuana on the Joe Rogan podcast.
LockBit has taken the mantle of the most active ransomware operation of the past year with over 1,000 victims, and some of these have been high-profile organizations: the UK’s international Royal Mail shipping service, manufacturer Foxconn, UK car dealership Pendragon, German auto parts manufacturer Continental and IT consulting service Accenture. A Trend Micro study found that most of the group’s victims are small businesses, however, and in total about 80% are in the small-to-medium category. LockBit ransomware saw something of a surge in February as it hit 129 known victims, up from 50 recorded in January. The group is known to look for vulnerabilities in third party vendors, though that is not uncommon among modern ransomware groups.
Etay Maor, Senior Director of Security Strategy at Cato Networks, notes that it is not necessarily that smaller businesses are unable to budget for adequate cybersecurity, but that they tend to take the wrong approach: “Organizations today try to prevent attacks by buying more and more point solutions. Small to medium organizations have roughly 20-40 security products while large organizations have over 60. What these organizations end up with are endless integration projects, patching issues, management complexity, alert fatigue and more. Organizations need to understand that an attack such as a ransomware attack should be viewed and dealt with holistically. Trying to deal with these threats using on-prem point solutions is futile. The right approach is applying a multiple choke points approach across the entire attack path using a system that incorporates all the security products under one roof, allowing these solutions to enrich and share data. Such an architecture comes in the form of a single pass cloud-based solution (such as a SASE architecture), rather than the multiple pass, fragmented, on prem approach we still see today.”
The LockBit ransomware group may have learned something from DoppelPaymer’s previous attack and gone straight after the big fish for payment rather than the smaller third party vendor it breached. However, there is also something of a trend among ransomware groups of reducing the popular “double extortion” approach to simple “extortion” without actually bothering to deploy ransomware when some juicy internal information is stolen. It is possible this is fed by increased law enforcement attention to ransomware incidents (as disabled systems cause a variety of real-world havoc), and the fact that cyber insurance companies are greatly cutting back on ransomware coverage and making it harder to obtain may also be pushing attackers in this direction.
Javvad Malik, lead awareness advocate at KnowBe4, notes that this may portend a trend among criminals to longer “dwell times” and more of a focus on stealing valuable data over that extended period of time, much as espionage-focused state-backed threat actors currently do: “When people hear of extortion, their mind immediately goes to ransomware. However, ransomware is just one tool in an attacker’s arsenal. The data is the actual gold dust that the criminals are after. If they can exfiltrate it, then they have immense leverage over the victim. This raises the important questions of how criminals get into organizations, how they spend so long undetected, and how can sensitive data be exfiltrated without being blocked. The answers to these extend beyond simply looking at point products, but is really about looking at the overall security culture in an organization and how it can be strengthened in a positive manner to reduce the overall risk.”