Visser Precision, a precision parts contract manufacturer based in Denver, Colorado, has confirmed a “cybersecurity incident”.
Visser makes parts for the likes of Tesla, Space X, Boeing and defense contractor Lockheed Martin.
The ransomware was DoppelPaymer, is one of the Ransomware 2.0 variants that steal the data before they encrypt it. Some of that data is available for download on the hacker’s website to prove that they stole the data.
One of the documents appears to be a partial schematic for a missile antenna.
THAT MEANS THAT THIS QUALIFIES AS A DATA BREACH.
While Tesla, SpaceX and Boeing did not respond to requests for comment, Lockheed said that they were “aware of the situation”.
Source: Tech Crunch
Lockheed, as a defense contractor, is required to notify the Department of Defense within 72 hours of a breach in most cases. We assume Lockheed did that. That requirement flows down to all subcontractors like Visser. DoD can then decide what next steps are appropriate. In this case, since it appears that sensitive information was actually stolen from Visser, DoD will, most likely, investigate.
As of about a month ago, DoD released version 1.0 of it’s Cybersecurity Capability Maturity Model (CMMC), a framework for improving the security of defense contractors. DoD has not, however, started implementing it. The program requires everyone who sells to the DoD, from cafeteria operators to lawn care firms to companies building missiles, to adhere to a range of cybersecurity standards and be certified by a third party to ensure compliance.
DoD is actually moving very rapidly for a government entity with 1.4 million active duty personnel, 1.1 million reservists and 860,000 civilians. It took them less than a year to define and approve the standard and they hope to have some contracts with the CMMC requirement in place this calendar year. That means that they have to train the assessors, approve the certifiers and issue the contracts.
No one has announced whether this attack was done by the Chinese, Russians, North Koreans or a 400 pound teenager in his parent’s basement. With no information, I vote for the first one.
DoD says that, for contracts that have CMMC requirements, vendors will not be allowed to BID on the contract if they do not have the appropriate CMMC certifications already in place.
This is definitely motivating companies like Lockheed and breaches like the one at Visser, whom Lockheed vetted and approved the security of, only make them more motivated.
If you serve the defense industry, now is the time to get prepared because it will take some time and effort.