The LockBit ransomware group has breached Zaun, a UK-based manufacturer of fencing systems for military sites and critical utilities, by compromising a legacy computer running Windows 7 and using it as an initial point of access to the wider company network.
The Zaun breach
The company said that the “sophisticated” cyberattack occurred on 5–6 August.
“In an otherwise up-to-date network, the breach occurred through a rogue Windows 7 PC that was running software for one of our manufacturing machines. The machine has been removed and the vulnerability closed,” the company said.
“At the time of the attack, we believed that our cyber-security software had thwarted any transfer of data. However, we can now confirm that during the attack LockBit managed to download some data, possibly limited to the vulnerable PC but with a risk that some data on the server was accessed. It is believed that this is 10 GB of data, 0.74% of our stored data. LockBit will have potentially gained access to some historic emails, orders, drawings and project files; we do not believe that any classified documents were stored on the system or have been compromised.”
Zaun says that its cybersecurity staff prevented the server storing the data from being encrypted, so its operations continued as normal.
Some of the stolen data was later leaked by LockBit on the dark web and, according to the Daily Mirror, among it were “thousands of pages of data which could help criminals get into the HMNB Clyde nuclear submarine base, the Porton Down chemical weapon lab and a GCHQ listening post.”
But the company says that full details of all their fencing products are publicly available on their website. “As such it is not considered that any additional advantage could be gained from any compromised data beyond that which could be ascertained by going to look at the sites from the public domain. As a manufacturer of perimeter fencing, any member of the public can walk up to our fencing that has been installed at these sites and look at it.”
Zaun has informed the West Midlands Regional Cyber Crime Unit, the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) about the attack and data breach (and leak).
“This is an ongoing investigation and as such subject to further updates,” the company noted.
The (in)security of legacy systems
Mainstream support for Windows 7, released in 2009, ended on January 13, 2015. Extended support ended on January 14, 2020, and paid Extended Security Updates were only available until January 10, 2023 (for Professional and Enterprise volume-licensed editions).
Legacy systems are inevitable in the manufacturing industry since upgrading can be costly. Also, some manufacturing machines are incompatible with newer operating systems, so these systems can be replaced only when the machines they are connected to are replaced as well.
Legacy IT systems should be isolated from the wider enterprise network and the internet, and access to them should be limited to specific individuals (in specific scenarios) and constantly monitored.
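The two checks implied above (is a host past its security-update date, and is it actually fenced off?) can be run against an asset inventory. The script below is an added illustration, not code from Zaun or the article; the inventory rows, the isolated-segment address range and the `Host` fields are constructed assumptions, while the Windows 7 dates are the ones given above.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Last date security updates were available for Windows 7, per the article.
# Home editions stopped at end of extended support; volume-licensed Pro and
# Enterprise could buy Extended Security Updates until January 10, 2023.
WINDOWS7_LAST_SECURITY_UPDATE = {
    "home": date(2020, 1, 14),
    "professional": date(2023, 1, 10),
    "enterprise": date(2023, 1, 10),
}

# Assumption: the only network segment where legacy hosts are allowed to live,
# with no route to the corporate LAN or the internet.
ISOLATED_SEGMENTS = [ip_network("10.50.0.0/24")]


@dataclass
class Host:
    name: str
    os: str             # e.g. "Windows 7"
    edition: str        # "home", "professional", "enterprise"
    ip: str
    internet_egress: bool   # true if the host can reach the internet


def is_out_of_support(host: Host, today: date) -> bool:
    """True if the host runs Windows 7 and no further security updates exist."""
    if host.os != "Windows 7":
        return False
    last = WINDOWS7_LAST_SECURITY_UPDATE.get(host.edition.lower())
    return last is None or today > last


def in_isolated_segment(host: Host) -> bool:
    addr = ip_address(host.ip)
    return any(addr in net for net in ISOLATED_SEGMENTS)


def audit(hosts: list[Host], today: date) -> dict[str, list[str]]:
    """Return {hostname: [issues]} for every out-of-support host that is not
    properly fenced off. A legacy host with no issues is omitted."""
    findings: dict[str, list[str]] = {}
    for h in hosts:
        if not is_out_of_support(h, today):
            continue
        issues = []
        if not in_isolated_segment(h):
            issues.append("not in isolated segment")
        if h.internet_egress:
            issues.append("has internet egress")
        if issues:
            findings[h.name] = issues
    return findings
```

A constructed inventory might hold a Windows 7 Professional machine-controller PC sitting on the office LAN with internet access; `audit` flags it with both issues, while the same box inside the isolated segment with egress blocked produces no finding.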