LockBit ransomware gang allegedly leaks MoD data after hit on supplier

The LockBit ransomware operation has leaked a tranche of data purloined from the UK’s Ministry of Defence (MoD) after an attack on a company called Zaun, a West Midlands-based supplier of metal fencing products that has supplied some of the UK’s key installations, thought to include the Porton Down research unit in Wiltshire and the Faslane nuclear submarine base in Scotland.

According to the Mirror, which was first to report the story, the data dump includes sales orders relating to both of the above named sites, and allegedly details of equipment used at GCHQ’s Bude satellite ground station and network monitoring site, RAF Waddington in Lincolnshire, which operates the Reaper drones used in Afghanistan and Syria, and Cawdor Barracks in South Wales, currently home to the 14th Signal Regiment of electronic warfare specialists.

Writing on X, formerly known as Twitter, Labour MP Kevan Jones, who sits on the cross-bench Defence Committee, said: “This is potentially very damaging to the security of some of our most sensitive sites. The government needs to explain why systems were so vulnerable.”

Zaun initially appeared on LockBit’s leak site in mid-August, having initially compromised its systems on or around 5 August. The data concerned appeared online on Friday 1 September, indicating that the victim either never entered negotiations with the gang, or that negotiations had broken down.

Zaun described the LockBit attack as a “sophisticated cyber attack”. It said that while its systems had otherwise been fully up-to-date, its investigation identified a “rogue Windows 7 PC” that was running software for one of its manufacturing machines.

It said that at the time, its security systems prevented its locker from encrypting its data, and that it had been able to continue its work uninterrupted. However, it has since discovered that LockBit was able to exfiltrate approximately 10GB of data, or 0.74% of its stored total.

“LockBit will have potentially gained access to some historic emails, orders, drawings and project files, we do not believe that any classified documents were stored on the system or have been compromised,” said the organisation in a statement.

“We are in contact with relevant agencies and will keep these updated as more information becomes available. This is an ongoing investigation and as such subject to further updates.

“The National Cyber Security Centre (NCSC) has been contacted and we are taking their advice on this matter. The ICO has been contacted as well with regards to the attack and data leak.”

The company added: “Zaun is a manufacturer of fencing systems and not a government-approved security contractor. As a manufacturer of perimeter fencing, any member of the public can walk up to our fencing that has been installed at these sites and look at it.

“Zaun is a victim of a sophisticated cyber attack and has taken all reasonable measures to mitigate any attack on our systems,” the firm claimed.

SonicWall EMEA vice-president Spencer Starkey said the incident highlighted growing global concerns over cyber threats to government agencies. He said it was clear that Russia-based or -backed threat actors were clearly targeting the supply chains of government and security agencies to disrupt their work.

“In a divisive landscape, we’re seeing a continued geo-migration of threats, and governments are under constant cyber threat. These cyber attacks raise concerns about a country’s own national security, critical national infrastructure as well as the safety of sensitive information,” said Starkey.

“Protecting government networks relies on constant communication and cooperation, working together with the private sector and imposing strict punishments on the hackers responsible to deter future attacks.”

An MoD spokesperson told Computer Weekly the department does not comment on security matters.

This article was updated at 17:05 BST on Monday 4 September to incorporate a response from the MoD.