A British security contractor called Zaun has confirmed it was hit by LockBit ransomware and has suffered a data breach as a result – with the attack surface being “in an otherwise up-to-date network… a rogue Windows 7 PC” running software for a manufacturing machine.
(Windows 7, released in 2009, reached end-of-support on January 14, 2020, meaning it no longer received security patches.)
Zaun manufactures security perimeter fencing for sites including a GCHQ listening post, the Porton Down chemical weapons laboratory and Cawdor Barracks; home to the 14th Signal Regiment – with details for those sites and more now dumped on LockBit’s .onion leaks site.
Zaun said that “it has become apparent that LockBit was able to download some data from our system which has now been published on the Dark Web. LockBit will have potentially gained access to some historic emails, orders, drawings and project files, we do not believe that any classified documents were stored on the system or have been compromised” – adding that it has contacted the NCSC and the ICO.
The story was first reported by The Mirror, which reported that the leaked documents (of which there are many thousands) included an “order report for equipment at GCHQ’s communications complex in Bude, Cornwall… security equipment at RAF Waddington, Lincs, where the Reaper attack drones squadron is based [and] detailed drawings for perimeter fencing at Cawdor [Barracks], in Pembrokeshire.”
(As The Stack published, the data dump download page on LockBit’s .onion site was generating a 500 internal server error…)
Zaun data breach: CISOs with an OT estate may sympathise
Many CIOs and CISOs will empathise with the challenge of keeping manufacturing or other operational technology (OT) software secure; something more than one industry leader running IT for critical national infrastructure providers has told The Stack keeps them up at night.
As Paul Brucciani, cybersecurity advisor at WithSecure notes, this can be particularly hard because “patches may not exist… may not be compatible with the hardware; the device may be remotely located and hard to reach, or the device owner may not approve the patch” (given that they can cause OT downtime as system dependencies unravel.)
Worse, common OT systems from major vendors like Honeywell, Motorola, Schneider Electric and Siemens can be riddled with basic security flaws like undocumented hardcoded root credentials, controllers that transmit PINs, usernames and passwords in plaintext, and unsigned firmware images, as security researchers noted last year.
Troublingly, the majority of these insecure products -- thousands of which are exposed to the public internet -- are certified as secure, including under standards like IEC 62443-4-2 (a security standard for industrial automation and control systems) Forescout noted.
The Zaun data breach is a fresh reminder of the heightened risk of partners in a supply chain being hit. How LockBit reached that exposed Windows 7 machine remains unclear but if it was internet-exposed or even domain joined from a machine where a user had hit a phishing email, then more could have been done to avoid it happening.
Robust OT protection should involve all users and devices being robustly authenticated and authorised before being granted access to resources under a zero trust strategy and managing risk by “enforcing appropriate security policies, proactive detection and response to threats, and regular testing and validation of their security incident response plan” as Brucciani notes.