Virginia National Guard confirms cyberattack hit Virginia Defense Force email accounts

Email accounts connected to the Virginia Defense Force and the Virginia Department of Military Affairs were impacted by a cyberattack in July, according to a spokesperson from the Virginia National Guard. 

A. A. Puryear, chief of public affairs for the Virginia National Guard, told ZDNet that the organization was notified in July about a possible cyber threat against the Virginia Defense Force and immediately began an investigation, in coordination with state and federal cybersecurity and law enforcement authorities, to determine what was impacted.

“The investigation determined the threat impacted VDF and Virginia Department of Military Affairs email accounts maintained by a contracted third party, and there are no indications either VDF or DMA internal IT infrastructure or data servers were breached or had data taken,” Puryear said. 

“There are no impacts on the Virginia Army National Guard or Virginia Air National Guard IT infrastructure. The investigation is ongoing with continued coordination with state and federal partners to determine the full impact of the threat and what appropriate follow up actions should be taken.”

The Virginia National Guard did not respond to questions about whether the incident was a ransomware attack. They also did not respond to questions about which email addresses were accessed and whether victims have already been notified. 

The Virginia Department of Military Affairs is the state agency that supports the Virginia Army National Guard, Virginia Air National Guard and Virginia Defense Force. The Virginia Defense Force is the all-volunteer reserve of the Virginia National Guard and it “serves as a force multiplier” integrated into all National Guard domestic operations. 

On August 20, the Marketo marketplace for stolen data began publicizing a trove of data stolen from the Virginia Department of Military Affairs. They claimed to have 1GB of data available for purchase.

Experts have said that while the operators behind Marketo are not ransomware actors, some of the data on their site is known to have been taken during ransomware attacks and publicized as a way to force victims into paying ransoms. 

Marketo was previously in the news for selling the data of Japanese tech giant Fujitsu. Digital Shadows wrote a report about the group in July, noting that it was created in April 2021 and often markets its stolen data through a Twitter profile by the name of @Mannus Gott.

The gang has repeatedly claimed it is not a ransomware group but an “informational marketplace.” Despite their claims, their Twitter account frequently shares posts that refer to them as a ransomware group. 

Allan Liska, part of the computer security incident response team at Recorded Future, noted that they don’t appear to be tied to any specific ransomware group. 

“They have taken the same route that Babuk did and are all ‘data leaks.’ To the best of our knowledge they don’t claim to steal the data themselves and instead they offer a public outlet to groups who do, whether they are ransomware or not,” Liska said.

Emsisoft threat analyst and ransomware expert Brett Callow said it is still unclear how Marketo comes by the data they sell and added that it is also unclear whether they are responsible for the hacks or are simply acting as commission-based brokers. 

He added that some of the victims on Marketo’s leak site were recently hit by ransomware attacks, including X-Fab, which the Maze ransomware group hit in July 2020, and Luxottica, which was hit by Nefilim ransomware in September.

“That said, at least some of the data the gang has attempted to sell may be linked to ransomware attacks, some of which date back to last year. Leaked emails can represent a real security risk, not only to the organization from which they were stolen, but also to its customers and business partners,” Callow said. 

“They’re excellent bait for spear phishing as it enables threat actors to create extremely convincing emails which may even appear to be replies to existing exchanges. And, of course, it’s not only the initial threat actor that affected organizations need to worry about; it’s also whoever buys the data. In fact, it’s anybody who knows the URL, as they can download the ‘evidence pack.’”

In the past, the group has gone so far as to send samples of stolen data to a company’s competitors, clients and partners as a way to shame victims into paying for their data back. 

The group has recently listed dozens of organizations on their leak site, including the US Department of Defense, and generally leaks a new one each week, mostly selling data from organizations in the US and Europe. 
