Defense Contractor Compromised with MAZE Ransomware

InfoSec News

Westech MAZE Ransomware Compromise; InfoSec News asks an Expert About the Fallout

By William Knowles @c4i
Senior Editor
InfoSec News
June 8, 2020

Troubling Cybersecurity/National Security news via Sky News, which is reporting that criminal hackers have stolen confidential information from Westech International. Westech serves as a U.S. military contractor for a number of Washington D.C. based companies such as Northrop Grumman, Booz Allen Hamilton, General Dynamics Information Technology (GDIT), and Science Applications International Corporation.

Westech International provides U.S. government and military clients a wide range of services like Testing and Evaluation for the Army Intelligence Electronic Warfare Test Directorate, Mission Systems Support (T&E MSS) to The Joint Interoperability Test Command (JITC), Cybersecurity and unsecured and secured network support for Intelligence Electronic Warfare Test Directorate at Fort Huachuca, AZ and supports the ICBM Ground Subsystem Support Contract (GSSC) for the Minuteman III ICBM project.

A spokesperson for Westech told Sky News that Westech International has confirmed that it has been breached and that its computers have been encrypted. “We recently experienced a ransomware incident, which affected some of our systems and encrypted some of our files,” Westech said in a media statement.

A number of news outlets are saying Westech International’s computers were encrypted with the MAZE ransomware. I asked Dan Wolfford, Co-founder & CTO of Dyrwolf, which is the first and only ransomware prevention & recovery platform to help organizations of all sizes protect their data, for his impressions of the MAZE ransomware.

“We believe the group behind MAZE is a ransomware merchant with a strong record of success and a good reputation of keeping up their end of the deal. They also have an interesting revenue sharing strategy, where they pay affiliates a commission for attracting potential customers with their software. We started tracking them in our threat database last year, after researching FALLOUT and SPELEVO exploit kits.”

What is the likelihood of a payload being added to MAZE to jump networks within the organization as has been reported lately?

“This merchant and their affiliates have proven to be creative and adaptive, using malicious ads, traffic redirection, exploit kits, email campaigns, fake websites, fake cryptocurrency apps, browser exploits, impersonation, data exfiltration, and leak extortion. Based on past performance, we believe it is highly likely they will continue to innovate in this space, adding new tactics and techniques to maximize profits.”

Does Westech International have a SIPRNet network connection?

“Most likely yes, because the Defense Information Systems Agency (DISA) Secret IP Router Network (SIPRNet) is available to mission partners and according to Shawn Purvis (Vice President and General Manager, Cyber Division, Northrop Grumman Information Systems), Northrop Grumman is proud to be DISA’s trusted partner.”

InfoSec News has reached out to Westech for further details and comments about the cyberattack, including the timeline of the attack, attack vector(s), which cyber-security frameworks they use, and whether or not Westech International paid the ransom. If the attackers, or the malware they are using, have the capability to move laterally, it is conceivable that they could reach a system connected to SIPRNet.

Westech International is a woman-owned small business founded in 1995 by Dr. Betty Chao and based in Albuquerque, New Mexico.
