In what might sound like an unremarkable incident, in early August a single PC in a factory in Wolverhampton, U.K., was compromised by malware connected to the notorious LockBit ransomware group.
The PC in question belonged to Zaun, a British manufacturer of high-security perimeter fencing. Unfortunately, the compromise allowed the attackers to download 10GB of data, and it remains unconfirmed whether other systems were also accessed.
Just another data breach, perhaps, except that it turns out that Zaun supplies fencing to the U.K.’s Ministry of Defence and other sensitive sites including the Government Communications Headquarters (GCHQ) intelligence and communications centre.
Unsurprisingly, Zaun’s official statement on the attacks tries to downplay the seriousness of what happened, stating that the lost data represented only “0.74% of our stored data.”
The statement also claims that the attackers could have gained as much information on its product specifications by simply visiting its website:
“As such it is not considered that any additional advantage could be gained from any compromised data beyond that which could be ascertained by going to look at the sites from the public domain.”
Nevertheless, it admits that the stolen data will have given the LockBit attackers access to “some historic emails, orders, drawings and project files,” none of which would have counted as classified. In other words, nothing to see here:
“Zaun is a manufacturer of fencing systems and not a Government approved security contractor. As a manufacturer of perimeter fencing, any member of the public can walk up to our fencing that has been installed at these sites and look at it.”
Several elements of this story jump out, starting with the compromised PC which was—deep breath—running Windows 7. Yes, you read that correctly, Windows 7, an OS launched in 2009.
This OS is not only obsolete and insecure but, even assuming extended support was in place, hasn’t received security updates of any kind since January of this year at the latest.
The company describes the PC as a “rogue” piece of equipment while admitting it was connected to a machine used for manufacturing. So, perhaps not so rogue after all. Why would a company still be using such an old and vulnerable system? Most likely because replacing it would have caused upheaval, a common security issue in a sector where disruption to production is anathema.
More problematically, U.K. newspaper The Mirror has since claimed that, on the contrary, the lost data included a range of emails and maps relating to a number of government installations and prisons, all potentially sensitive.
It’s a situation that highlights a big issue with supply chain security and emails—even quite low-level suppliers can accumulate messages containing sensitive information.
As for LockBit, earlier this year the same group grabbed headlines in the United Kingdom after a ransomware attack that crippled the Royal Mail’s international letters division for weeks.
The possibility remains that the full effects of this ransomware breach have yet to be felt, and will only become clear if the stolen documents are made public, as history suggests they will be at some point.
Building secure fences around buildings is still much easier than building them around computers.