The Department of Defense office responsible for background investigations is working with law enforcement to examine claims by a prolific ransomware group that they have stolen documents containing sensitive data related to the U.S. military, a Pentagon spokesperson told CyberScoop.
The ransomware group known as ALPHV or BlackCat said early Tuesday that it had stolen, and threatened to leak, 300 gigabytes of data from Technica, a Virginia-based IT services company that describes itself as working with the federal government and “their mission to support, to defend and protect America’s citizens.”
The company did not respond to multiple emails seeking comment and could not be reached by phone.
By allegedly breaching Technica, ALPHV claimed to have obtained data related to the Defense Counterintelligence and Security Agency, which carries out background investigations and insider threat analyses.
“The Defense Counterintelligence and Security Agency is aware of the allegations of this incident and is coordinating with the appropriate law enforcement and security officials to address concerns,” Sue Gough, a Defense Department spokesperson, told CyberScoop in an email. “We will not comment on any cleared facility’s security posture or any specific security incidents.”
To back up its claim, ALPHV posted more than two dozen screenshots of purportedly stolen documents featuring the names, Social Security numbers, clearance levels, roles and work locations of dozens of people.
The screenshots include billing invoices, contracts for entities ranging from the FBI to the U.S. Air Force, and information related to private entities and facilities that contract with the U.S. government.
“If Technica does not contact us soon, the data will either be sold or made public,” the group wrote in a message posted alongside the documents.
Gough declined to specifically comment on any of the purported documents. The FBI declined to comment, and the Air Force did not respond to a request for comment.
Allan Liska, a ransomware researcher with Recorded Future, said that while claims by ransomware groups should be taken with a grain of salt, the apparent breach by ALPHV appears to be “very serious.”
“Even if there aren’t classified documents per se, there is a lot of sensitive data that can be garnered from even confidential or sensitive documents,” Liska said, adding that the kind of information shared in the screenshots “could be used by nation state actors for targeting.”
ALPHV operates a ransomware-as-a-service operation, whose “affiliates” use the group’s malware and platform to carry out attacks and split the proceeds from successful ransomware and data extortions. The group had compromised more than 1,000 entities as of September 2023, according to the FBI. The Department of Justice has described the group as the world’s second-most prolific ransomware operation, responsible for extorting hundreds of millions of dollars from its victims.
Though the exact nature of the group’s involvement remains unclear, ALPHV was linked to the September 2023 extortion attack on MGM Resorts and Caesars Entertainment, which is among the group’s most high-profile incidents to date.
In December, the FBI and a host of international partners claimed to have seized ALPHV infrastructure. Hours later, the group said it had “unseized” the site and that it had lifted restrictions on targeting critical infrastructure. Experts were quick to note that the group had, in fact, already been involved in attacks on critical infrastructure.
The site remains active with multiple victims currently listed.