
Illustration by Security Management

Another Day, Another Report of Cyber Attacks and Resulting Fallout

Grief is a ransomware gang affiliated with the Russian-linked cybercrime group Evil Corp, and yesterday they posted documents from the National Rifle Association (NRA) on the Dark Web, saying more would come if the organization did not pay a ransom.

The Associated Press reported the documents were related to grants the NRA was awarded, and ZDNet reported that NRA board meeting notes were also posted.

According to Cyberscoop, the ties to Evil Corp. could complicate the NRA response. The NRA could be “at risk of violating U.S. sanctions if it pays the attackers after the Treasury Department sanctioned that gang in 2019. The Justice Department also charged two Evil Corp. members with criminal violations, accusing the group’s leader, Maksim Yakubets, of providing direct assistance to Russian intelligence agencies.”

The NRA has not explicitly addressed the release of the documents or the ransomware reports, instead issuing a blanket statement saying “the NRA takes extraordinary measures to protect information regarding its members, donors, and operations—and is vigilant in doing so.”

The NRA is the second organization aligned with the U.S. political right wing recently targeted by Evil Corp. Last week, Bloomberg reported the Sinclair Broadcast Group was infected with Evil Corp.’s Macaw ransomware variant.

The NRA attack is one of three high-profile attacks reported in the last few days. In another incident, a cyberattack hit the system Iranians use to subsidize gasoline purchases in the country, rendering it inoperable.

Iran’s president said the attack was intended to get “people angry by creating disorder and disruption.” The attack paralyzed gas stations throughout the country, leading to long lines. When customers tried to use the cards to buy fuel, the card reader returned an error message instead: “cyberattack 64411.” Hackers also seized control of electronic signs along the nation’s roadways, posting messages translated as “Khamenei, where is our fuel?” Khamenei currently serves as Iran’s supreme leader. The number 64411 also appeared in a previous attack on the nation’s railroad system.

The BBC reported a group called Predatory Sparrow has claimed responsibility for the attack, but Iranian leaders have said they believe state actors were behind the disruption. Iranian press have linked the timing of the attack to incidents two years ago in which mass protests directed anger at the government over a 50 percent rise in gas prices.

Finally, cybercriminals continue their assault on the U.S. food and agriculture industry. Schreiber Foods is a $5 billion dairy operation based in Wisconsin. Cyberscoop noted in reports yesterday that the incident began affecting operations late Friday, knocking plants and distribution centers offline.

The company has said a “cyber event” was the cause; however, it would not provide any additional details. The Wisconsin State Farmer reported that the event was a ransomware attack and that hackers were demanding $2.5 million to unlock Schreiber’s computer systems. It is not publicly known if Schreiber paid the ransom.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an alert about ransomware targeting food and agriculture businesses on 18 October. The alert followed high-profile attacks on meat supplier JBS last spring and food cooperatives New Cooperative (Iowa) and Crystal Valley Cooperative (Minnesota) in the summer.