Boeing, one of the world’s leading aerospace companies, confirmed that it was the target of a cyberattack. The company stated that the incident specifically targeted the parts and distribution division of the business. Boeing’s spokesperson, Jim Proulx, emphasized that the incident did not pose a threat to flight safety. This post provides a comprehensive analysis of the events that unfolded, shedding light on important aspects of this cyberattack.

Understanding LockBit
The LockBit Ransomware Group
The LockBit ransomware group, reportedly linked to Russia, claimed responsibility for the cyberattack on Boeing. According to a recent advisory from the U.S. government, the group has targeted around 1,800 systems across the globe since late 2019. LockBit ransomware has emerged as a prominent adversary: the malware encrypts critical data on victim systems and demands high ransoms, pushing organizations into a corner. Its reach is considerable; according to data from Flashpoint, LockBit accounted for 27.93% of all reported ransomware attacks from July 2022 to June 2023.
The exact identities of the individuals or the group operating LockBit remain shrouded in mystery. However, it’s clear that the group is active on multiple hacking forums, including Exploit and RAMP. They also maintain a ransomware leak site where they publish data on victims.
LockBit operates on a profit-sharing model. It sells access to its ransomware to cybercriminals or affiliates, who then target organizations and deploy the ransomware. These affiliates can be either full-time members of the collective or temporary members seeking immediate financial gains.
What is LockBit?
LockBit is a Ransomware-as-a-Service (RaaS) operation that surfaced in September 2019. The group offers its ransomware services to cybercriminals, who in turn deploy LockBit ransomware and carry out attacks.
Initially known as “ABCD” ransomware due to the specific file extension “.abcd virus” used in encryption, the group later adopted the name “LockBit”. The first version of this ransomware, LockBit 1.0, gained attention for its automation capabilities and quick encryption process. Since then, the group has released several new versions of its ransomware, including LockBit 2.0, LockBit 3.0, and LockBit Green, each with unique features and enhanced capabilities.
How Much Do LockBit Threat Actors Earn?
The financial gains made by LockBit actors largely depend on the number of successful ransomware attacks and the amount of ransom demanded. While the exact figures are not public, the fact that LockBit has been the dominant strain of ransomware over the past year indicates substantial earnings.
LockBit operations often begin with the purchase of application vulnerabilities, brute forcing of Remote Desktop Protocol (RDP) logins, or phishing. The individuals who conduct these attacks either work full-time for the collective or are affiliates who join temporarily in hopes of immediate financial gain.
LockBit’s Technical Workings
LockBit’s ransomware operation is typically a three-step process: initial access, lateral movement and privilege escalation, and deployment of the ransomware payload.
Initial Access
LockBit often uses social engineering tactics, like phishing, to access user credentials and gain initial entry into an organization’s network. They may also conduct brute force attacks to identify user credentials, or exploit vulnerabilities to gain a foothold within an organization’s network.
Lateral Movement and Privilege Escalation
Once the attackers have gained initial access, they aim to expand their reach within the compromised network. They locate sensitive data and systems to encrypt, elevate their access rights, and strengthen their control over the affected system. This allows them to move more freely within the network.
Deployment of Ransomware Payload
After the threat actors have prepped the victim’s network for attack, they deploy the ransomware to encrypt victims’ files and data, subsequently making the ransom demand.
LockBit ransomware is particularly notable for its ability to spread independently, without human intervention. An attacker therefore needs to compromise only one host manually; the ransomware then reaches other accessible hosts, runs there, and encrypts their files.
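One defender-side check that follows from the initial-access step above (brute forcing RDP logins) is a detector that flags a burst of failed remote-interactive logons from one source, and escalates when a success follows the burst. This is an added example, not code from the original post or from any Boeing or LockBit material; the log lines are constructed, and their simplified "timestamp event_id logon_type user source_ip" layout is an assumption made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Layout is an assumption for this example:
# "<ISO timestamp> <Windows event id> <logon type> <user> <source ip>".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2023-10-27T02:00:01 4625 10 administrator 203.0.113.7
2023-10-27T02:00:03 4625 10 admin 203.0.113.7
2023-10-27T02:00:05 4625 10 helpdesk 203.0.113.7
2023-10-27T02:00:06 4625 10 backup 203.0.113.7
2023-10-27T02:00:08 4625 10 svc_sql 203.0.113.7
2023-10-27T02:00:09 4624 10 svc_sql 203.0.113.7
2023-10-27T08:15:00 4625 10 jsmith 198.51.100.4
2023-10-27T08:15:40 4624 10 jsmith 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")

def parse(log_text):
    """Parse the constructed layout into (timestamp, event_id, logon_type, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, event_id, logon_type, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: {"failures", "distinct_users", "success_after_burst"}} for sources
    whose RDP (logon type 10) failures reach `threshold` within `window`."""
    failures = defaultdict(list)  # src -> recent (timestamp, user) failures
    alerts = {}
    for ts, eid, ltype, user, src in sorted(events):
        if ltype != 10:
            continue
        if eid == 4625:
            failures[src] = [(t, u) for t, u in failures[src] if ts - t <= window] + [(ts, user)]
            if len(failures[src]) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "distinct_users": 0, "success_after_burst": False})
                a["failures"] = len(failures[src])
                a["distinct_users"] = len({u for _, u in failures[src]})
        elif eid == 4624 and src in alerts:
            # A successful logon right after a burst of failures is the highest-priority signal.
            alerts[src]["success_after_burst"] = True
    return alerts
```

The username spraying (many distinct users from one source) and the success after the burst are what separate a credential-guessing campaign from a user mistyping a password.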
The Evolution of LockBit: From LockBit 1.0 to LockBit Green
Since the emergence of the original LockBit ransomware, the group has released several new variants with each iteration introducing enhanced encryption speed and novel features.
LockBit 2.0
Debuting in July 2021, LockBit 2.0 evolved from the original LockBit variant by decoding its strings and code faster in order to avoid detection. This version also introduced the ability to automatically encrypt Windows domains by abusing Active Directory group policies and disabling Microsoft Defender.
LockBit 3.0
Launched in late June 2022, LockBit 3.0 increased encryption speed further to evade security detections. This version also introduced the first recorded ransomware bug bounty program, incentivizing individuals to report any bugs and vulnerabilities to the ransomware group in exchange for financial rewards.
LockBit Green
LockBit Green is one of the newer ransomware variants released by the LockBit gang. While similar to previous versions, it exhibits some unique characteristics and indicators of compromise.
The Threat and the Boeing Ransom Demand
LockBit threatened to publicly disclose a significant volume of sensitive data allegedly stolen from Boeing if the company failed to meet their ransom demand by November 2. The removal of the listing from LockBit’s website often suggests that the targeted organization has either initiated negotiations with the hackers or paid some or all of the demanded ransom.
Legal Implications of Paying the Ransom
The U.S. government has previously imposed sanctions on Evil Corp, believed to be affiliated with the LockBit ransomware group. This makes it illegal for any business or individual to transact with the attackers. Consequently, paying ransoms to sanctioned hacking groups and ransomware gangs can potentially contravene U.S. law.
Boeing’s Response
On being questioned about the ransom demand and whether it had been paid, Boeing refrained from providing any specific details. The company also declined to comment on how the compromise took place or if it was aware of any data exfiltration from its systems.
The Affected Entities
Boeing is a multinational American company with an estimated annual revenue of $66.61 billion. With over 150,000 employees worldwide, the organization serves both the public and private sectors.
The Nature of the Breach
According to the LockBit ransomware group, they were able to infiltrate Boeing’s systems using a zero-day vulnerability. However, the exact type and volume of data stolen by LockBit from Boeing remain unknown.
The Double Extortion Method
In this cyberattack, the hackers used a double extortion method, threatening not only to expose the stolen data but also to sell it. This could potentially place the company, its customers, and its supply chain at a greater risk of subsequent phishing attacks.
The Impact on the Supply Chain
In a supply chain, a single compromised vendor can result in a high proportion of its customers also becoming compromised. The military clients in Boeing’s supply chain may make it an extremely enticing target for attackers, who could leverage trusted relationships as an entry point and socially engineer their victims.
The Urgency Factor
In this particular incident, Boeing was given a time frame of just 6 days to respond, a deviation from the usual 10-day response time typically offered in ransomware attacks. This shorter period served to exert additional pressure on the company.
Conclusion
This incident serves as a stark reminder of the rising threats of cyberattacks and the importance of robust cybersecurity measures. It underscores the need for constant vigilance, stringent security measures, and well-prepared action plans to tackle such incidents.
In the face of such threats, businesses should adopt best practices such as regular system updates, consistent employee training, and darknet monitoring to mitigate the risks of cyberattacks. The Boeing incident is a wake-up call for all organizations to fortify their defenses against the relentless onslaught of cybercriminals.