2021 National Rifle Association ransomware attack

Date
    • October 17–24, 2021 (likely timeframe of the hack)
    • October 27, 2021 (release of documents by Grief)
Type: Data breach, ransomware scam
Target: National Rifle Association of America

On October 27, 2021, a Russian hacker group known as Grief published 13 documents attributed to the National Rifle Association of America (NRA) in a ransomware scam, claimed to have hacked the organization, and threatened to release more NRA documents if the undisclosed ransom was not paid.

The attack followed the Federal Bureau of Investigation's shutdown of another major hacker group, REvil, and raised questions about the NRA's cybersecurity measures amidst its ongoing legal disputes. The documents, temporarily removed but later re-uploaded, included meeting minutes and grant applications. In November, Grief published additional documents containing sensitive employee and organizational information. Although the NRA has remained largely silent about the incident, the authenticity of the leaked documents was confirmed by current and former NRA officials. The hacker group Grief, active since May 2021, is believed to be a rebrand of the Russian group Evil Corp, which has been linked to numerous ransomware attacks globally and is subject to U.S. sanctions.

Background

On October 21, 2021, the Federal Bureau of Investigation hacked and shut down REvil, a major hacking organization involved in ransomware scams. In response, other ransomware groups shared anti-United States messages on the dark web. [1][2]

Prior to the ransomware attack, the National Rifle Association had been involved in multiple legal disputes, which Recorded Future analyst Allan Liska argued may have made them an easier target for cyberattacks as attention within the organization was pulled away from their security. [3]

Ransomware attack

[Image: NRA headquarters in Virginia]

Initial release of documents

On October 27, 2021, Grief published 13 documents on its website as part of a ransomware scam, describing them as internal documents belonging to the NRA and claiming to have hacked the organization. [4] As reported in Wired, the hack likely took place within the week prior to the release of the documents. [5] The group threatened to release more files if the ransom (an undisclosed amount of money [1]) was not paid. [4]

An anonymous person with direct knowledge of the events at the NRA told the Associated Press that the organization had been having issues with its email system in the week prior to the publication of the files by Grief, which is a potential indicator of a ransomware attack. [6] On October 28, The Register reported that it was unknown whether the hack had targeted the headquarters of the NRA or one of its local branches. [7]

The leaked files included the minutes from an NRA board meeting that occurred shortly before the release of documents as well as multiple files related to grants. [8] The Trace reported that one document appeared to be a late 2019 grant application made to the NRA by David Kopel on behalf of the Independence Institute for $267,000, with $248,500 earmarked as Kopel's salary. Kopel has repeatedly filed amicus briefs supporting the NRA in court, and has not disclosed a financial connection to the organization. [9]

After the ransomware attack was announced by Grief, hundreds of Twitter accounts that had all been created in August and September 2021 shared tweets about the attack. Most of the accounts had feminine names, and the majority used the default Twitter profile photo, while others used pictures that appeared to be taken from the online dating services Shuri-Muri or Tralolo. Some of the same accounts had previously posted about an earlier ransomware attack by Grief or about the NRA, gun violence, or Nazis. [10] As of November 1, 2021, it was unclear whether there was a connection between Grief and the network of Twitter accounts. [10][11]

Temporary removal of released documents

On October 29, Grief removed the documents attributed to the NRA from the dark website where they had been published. Brett Callow, a threat analyst employed by Emsisoft, noted that while the delisting of the NRA from the website could mean that the organization had paid the ransom, there were other possibilities: it could also indicate that the NRA had entered into negotiations with Grief, or that the ransomware group had chosen to remove the documents because they had drawn too much law enforcement attention. [5] However, on November 1, The Washington Times reported that Callow had published a screenshot showing that documents attributed to the NRA were again visible on the Grief website. [12]

Release of additional documents

On November 11, The Reload reported that Grief had published more internal documents the previous day, stating that these new documents included the organization's bank account information as well as information about specific employees, including Social Security numbers and home addresses. The outlet additionally reported that the authenticity of the leaked documents had been confirmed by "six current and former NRA officials", including one individual whose personal information was exposed in the leak and who had not been aware of it prior to being contacted by The Reload. [13][14]

Also on November 10, Grief moved the NRA-related documents on its website from a section indicating hacks in progress to a different one indicating that it had been completed. No explanation was provided. [13]

Perpetrators

A Russian hacker group known as Grief was responsible for the ransomware scam. [4] The group first became active in May 2021. [15] NBC News reported that computer security experts believe Grief is a rebrand of the Russian group Evil Corp. [1][4] Evil Corp has been linked to ransomware attacks on Sinclair Broadcast Group as well as on hundreds of financial entities across more than 40 countries. In 2019, multiple United States federal agencies took action against the group, including sanctions; [3] it is subject to sanctions by the United States Department of the Treasury. [16] Experts have additionally theorized that Grief is a rebrand of DoppelPaymer, another ransomware group associated with Evil Corp. [17]

Response

NRA response

On October 27, 2021, the NRA tweeted a statement by its managing director of public affairs, Andrew Arulanandam. The statement said that the NRA does not discuss its security, but that the group "takes extraordinary measures to protect information regarding its members, donors, and operations". The NRA declined requests for further comment by The Hill [3] and requests for comment by NBC. [1] The Daily Beast reported that an email to the NRA spokesperson had returned an error message, potentially indicating that the organization's email server was offline, and that spokesperson Amy Hunter declined to comment after being reached by phone. [15]

As of October 27, 2021, it was unclear whether the NRA had any plans to pay the ransom. [15] Because of the link between Grief and Evil Corp, which is sanctioned by the United States Treasury, the NRA would need the permission of the Treasury to transfer ransom money to Grief; [16][8] doing so without permission could lead to the imposition of penalties. [5]

As of October 29, 2021, the NRA had not confirmed that it had been hacked or targeted by a ransomware scam, nor had it confirmed the validity of the documents released by Grief. It did not respond to a request for comment from Wired asking whether it was negotiating with Grief or had paid the ransom. [5]

As of November 11, 2021, the NRA had made no further official comment about the ransomware attack, and the organization's response to the attack remained unclear. The Reload reported that multiple current and former NRA officials had confirmed the authenticity of the leaked documents, while NRA board member Phillip Journey told the outlet that the lack of information from NRA staff was "disconcerting" and asked "who knows how far it went, what they have, and what they could still sell?" [13][14]

Public response

On October 28, The Register reported that the hack had generated an amused reaction on the Internet, suggesting that targeting the NRA may be more popular with the public than hacking government, school, and healthcare facilities as Grief historically has done. [7]

References

  1. Collier, Kevin (October 27, 2021). "Cybercriminals claim to have hacked the NRA". NBC News. Archived from the original on October 27, 2021. Retrieved October 27, 2021.
  2. Collier, Kevin (October 22, 2021). "Ransomware hackers nervous, allege harassment from U.S." NBC News. Archived from the original on October 22, 2021. Retrieved October 27, 2021.
  3. Miller, Maggie (October 27, 2021). "NRA hit by Russian-linked ransomware attack: reports". The Hill. Archived from the original on October 27, 2021. Retrieved October 27, 2021.
  4. Stieb, Matt (October 27, 2021). "Russian Cybercriminals Claim to Have Hacked the NRA". New York. Archived from the original on October 27, 2021. Retrieved October 27, 2021.
  5. Newman, Lily Hay (October 29, 2021). "An Apparent Ransomware Hack Puts the NRA in a Bind". Wired. ISSN 1059-1028. Retrieved November 1, 2021.
  6. Tucker, Eric (October 27, 2021). "Ransomware gang says it targeted National Rifle Association". Associated Press. Archived from the original on October 27, 2021. Retrieved October 28, 2021.
  7. Dobberstein, Laura (October 28, 2021). "Grief ransomware gang strikes again, claims it hit the NRA". The Register. Archived from the original on October 28, 2021. Retrieved October 28, 2021.
  8. Greig, Jonathan (October 27, 2021). "NRA responds to reports of Grief ransomware attack". ZDNet. Archived from the original on October 28, 2021. Retrieved October 28, 2021.
  9. Van Sant, Will (November 3, 2021). "The NRA Paid a Gun Rights Activist to File SCOTUS Briefs. He Didn't Disclose it to the Court". The Trace. With contributions by Champe Barton. Archived from the original on November 3, 2021. Retrieved November 6, 2021.
  10. Vavra, Shannon (November 1, 2021). "A Mysterious Network of Twitter Bots Promote Alleged NRA Hack". The Daily Beast. Retrieved November 3, 2021.
  11. Uchill, Joe (November 1, 2021). "As demo'd with NRA, 'information operations' may be new way to give ransomware victims Grief". SC Media. Archived from the original on November 1, 2021. Retrieved November 3, 2021.
  12. Lovelace, Ryan (November 1, 2021). "NRA's cyber problems multiplying in face of alleged hack". The Washington Times. Archived from the original on November 1, 2021. Retrieved November 6, 2021.
  13. Gutowski, Stephen (November 11, 2021). "NRA Bank Account Information, Staff Social Security Numbers Leaked by Russian Hackers". The Reload. Archived from the original on November 11, 2021. Retrieved November 12, 2021.
  14. Kutsch, Tom (November 12, 2021). "Daily Bulletin: Latest NRA Hack Reveals Sensitive Info From Organization, Personnel". The Trace. Archived from the original on November 12, 2021. Retrieved November 12, 2021.
  15. Vavra, Shannon (October 27, 2021). "Russian Ransomware Gang Claims to Have Hacked the NRA". The Daily Beast. Retrieved October 28, 2021.
  16. Cimpanu, Catalin (October 27, 2021). "Ransomware gang claims attack on NRA". The Record. Recorded Future. Archived from the original on October 27, 2021. Retrieved October 28, 2021.
  17. Ropek, Lucas (October 27, 2021). "The NRA Has Reportedly Been Hacked". Gizmodo. Archived from the original on October 28, 2021. Retrieved October 28, 2021.