Data Breach at UK Military Contractor Raises Concerns Over Third-Party Risks

A recent data breach at a UK military contractor has once again highlighted the risks associated with legacy systems and third-party vendors. The breach, attributed to the LockBit ransomware group, compromised a Windows 7 computer at the industrial operations of Zaun, a Wolverhampton-based company specializing in the design and manufacturing of mesh fencing systems used to secure UK military bases and intelligence sites.

The breach, described as "sophisticated," occurred between August 5th and August 6th, but its full extent has only recently come to light. Initially, Zaun claimed that no data had been stolen, but subsequent investigations revealed that some documents, including emails and project files, were indeed exfiltrated.

Of particular concern is the technical aspect of the breach. The attackers targeted a computer running manufacturing machine software that still operated on Windows 7, an operating system that ceased receiving security updates from Microsoft in January of the current year. While it's not uncommon for specialized industrial equipment to run outdated software, these systems are typically air-gapped or isolated from internet-connected portions of a network.

In this case, however, it appears that the compromised system was not adequately separated from the broader network, raising questions about the security measures in place.

Zaun has acknowledged that the stolen data was not encrypted by LockBit's ransomware. Approximately 10 GB of data was taken, representing less than 1% of the company's total stored information. While the exact amount of data related to UK military bases is unknown, Zaun has clarified that the breached information includes "historic emails," orders, drawings, and project files.

Zaun has pointed out that its products, including those used in military bases, are publicly available for purchase and inspection. Support and user manuals are accessible for download via the company's website, making the stolen data seemingly less sensitive.

However, LockBit has since attempted to extort Zaun and has published some of the stolen data on the dark web. While the dumped information does relate to UK research, intelligence, and military bases using Zaun's fencing, there is no clear evidence at this time that any of the exposed data is classified or highly sensitive. Zaun is approved as a contractor for equipment installations at sensitive sites by the Centre for the Protection of National Infrastructure (CPNI) but does not possess higher government clearances granted to firms with specific security contractor roles.

LockBit, known for its ransomware activities, has been responsible for approximately 20% of attacks targeting primarily English-speaking countries in 2022. However, security researchers have observed a decline in data breaches attributed to the group since April of this year. The group appears to be grappling with infrastructure issues and struggles to release stolen data promptly, prompting some of its top technical experts and affiliates to seek alternative opportunities.

In response to the breach, both the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC) are now actively involved in the investigation.

This incident underscores the importance of not only maintaining up-to-date security measures but also evaluating the security practices of third-party vendors and the potential risks associated with legacy systems in today's digital landscape.