Electronic Warfare Associates (EWA), a well known defense contractor in DC, was hit by a ransomware attack. The tagline on the homepage of their website says that they are enabling a more secure future.
A Google search last week for the company brought up these results:
The researcher who discovered the problem said it seems to have affected, at least, EWA Government Systems Inc, EWA Technologies Inc. , Simplickey and Homeland Protection Institute.
EWA has not made any public announcement of the issue. As I write this, the EWATech web site does not respond.
The current information suggests this is the Ryuk ransomware. It is used for high value targets and is known to exfiltrate data. Exfiltrate is a big word for steal. Source: ZDNet
One more thing we know. When ZDNet called the company and spoke to their spokesperson asking for a comment on the story, he or she hung up on the reporter.
So what might we speculate?
You may remember that another Navy contractor lost over 600 gigabytes of very sensitive electronic warfare data (from project Seadragon) to the Chinese in 2018. Were the Chinese looking for more EW data? Certainly could be. That data is very valuable in building better offensive weapons (figuring out how to defeat our weapons) and building better defensive weapons (it is cheaper to steal it than to invent it).
The Navy went crazy after the Seadragon breach. This makes them look even more incompetent.
DoD contractors are required to notify the Pentagon within 72 hours of a breach. Assuming they followed the law, the Pentagon’s people (NSA, for example) could be all over this.
Much of the information that the government eventually classifies starts out as commercial research and isn’t classified until later. Which COULD mean that whoever hacked them was after high value, not-yet classified information.
All of this is speculation, but reasonable speculation.
Which brings us up to the Pentagon’s efforts to require defense contractors to get an independent, third party cybersecurity certification called CMMC. Would a certifier have discovered a problem which allowed this to happen? Assuming the Pentagon is in the middle of this investigation, we may never hear. But I bet folks are looking at the forensics right now.
But this certainly bolsters the logic behind the CMMC certification requirement. And it is on track for starting later this year.
For those of you who sell to the government – both civilian and military, this is just one more warning to protect your ass.ets.
And more ammunition for Katie Arrington (who runs the CMMC project).
Oh. One last thing.
The spokesperson who hung up on the media. That is a GREAT way to get even more media attention on the worst day of your career.
There is something called an Incident Response Plan. Part of an IRP is a Crisis Communications Plan.
Perhaps they should think about writing one. And training people.
PS – It is probably required by CMMC.