Virginia National Guard Confirms Cyberattack Hit Virginia Defense Force Email Accounts
Email accounts connected to the Virginia Defense Force and the Virginia Department of Military Affairs were hit by a cyberattack in July, according to a spokesperson for the Virginia National Guard.
A.A. Puryear, public affairs chief for the Virginia National Guard, told ZDNet that the organization was made aware in July of a possible cyber threat against the Virginia Defense Force and immediately began an investigation in coordination with state and federal cybersecurity and law enforcement agencies to determine what was impacted.
“The investigation determined that the threat impacted VDF and Virginia Department of Military Affairs email accounts operated by a contracted third party, and there was no indication that the internal IT infrastructure or data servers of VDF or DMA have been hacked or data has been taken,” Puryear said.
“There is no impact to the Virginia Army National Guard or Virginia Air National Guard IT infrastructure. The investigation continues with ongoing coordination with state and federal partners to determine the full impact of the threat and appropriate follow-up action to be taken.”
Puryear confirmed the incident was not a ransomware attack but did not respond to questions about email addresses accessed and whether victims had ever been notified.
The Virginia Department of Military Affairs is the state agency that supports the Virginia National Guard, Virginia Air National Guard, and Virginia Defense Force. The Virginia Defense Force is the all-volunteer reserve of the Virginia National Guard and it “serves as a force multiplier” integrated into all National Guard domestic operations.
On August 20, the Marketo marketplace for stolen data began making public a treasure trove of data stolen from the Virginia Department of Military Affairs. They claimed to have 1 GB of data available for purchase.
Experts have said that even though the operators behind Marketo are not ransomware actors, some of their site’s data is known to have been taken during ransomware attacks and made public as a way to force victims to pay ransoms.
Marketo was previously in the news for selling data from Japanese tech giant Fujitsu. Digital Shadows wrote a report on the group in July, noting that it was created in April 2021 and often markets its stolen data via a profile on Twitter.
The gang has repeatedly claimed that it is not a ransomware group but an “information market”. Despite their claims, their Twitter account frequently shares posts which designate them as a ransomware group.
Allan Liska, a member of the computer security incident response team at Recorded Future, noted that they don’t appear to be tied to any specific ransomware group.
“They have taken the same path as Babuk and are all ‘data leakers’ or not,” Liska said.
Emsisoft threat analyst and ransomware expert Brett Callow said it was still unclear how Marketo got the data they were selling and added that it was also unclear whether they were responsible for the hacks or were just acting as commission brokers.
He added that some of the victims listed on the Marketo leak site had recently been hit by ransomware attacks, including X-Fab, which the Maze ransomware group hit in July 2020, and Luxottica, which was hit by the Nefilim ransomware in September.
“That said, at least some of the data the gang attempted to sell may be linked to ransomware attacks, some of which date back to last year. stolen, but also to its customers and business partners,” Callow said.
“These are great bait for spear phishing because they allow threat actors to create extremely compelling emails that may even appear to be responses to existing exchanges. It’s also the one buying the data. In fact, it’s anyone who knows the URL, because they can download the ‘evidence pack’.”
In the past, the group has gone so far as to send samples of stolen data to a company’s competitors, customers and partners in order to shame victims into paying for their data.
The group recently listed dozens of organizations on its leak site, including the US Department of Defense, and typically adds a new one every week, selling mostly data from organizations in the US and Europe.