The Hunters International cybercrime gang has launched a ransomware attack on the US subsidiary of an Australian shipbuilder that has contracts to build vessels for the US Navy.
Threat intelligence provider HackNotice issued its daily attack update on December 3, 2023, listing Austal USA, a subsidiary of Perth-based Austal, a ship-building company and defence prime contractor specialising in the design, construction and support of defence and commercial vessels.
Austal USA has several sensitive projects underway at its Mobile, Alabama shipyards, including the Littoral Combat Ship program and the Virginia-class nuclear-powered submarine building program. The company is also gaining a foothold in the autonomous boat-building sector.
According to reports, the Hunters International .onion site says it will soon release 43 sample files comprising 87.2MB worth of data.
Taking over from the defunct ransomware group known as Hive, Hunters International is a Ransomware-as-a-Service (RaaS) group that has emerged in the last few months. After extracting data from target entities, the group subsequently issues those entities with a ransom demand in exchange for the return of the stolen data.
Hunters deploys some of the same coding and techniques as Hive, leading some cybersecurity analysts to conclude that the new ransomware group is simply a rebranding exercise, something Hunters International has denied. In January 2023, the FBI announced that it had been conducting a sustained disruption campaign against Hive and had passed on decryption keys to targeted entities before finally seizing Europe-based servers and websites used by the group.
In its initial attacks, the Hunters International encryptor has appended the “.LOCKED” extension to target files. The group also leaves a plaintext file named “Contact Us.txt” in directories. That file provides the target entity with instructions to contact the group via Tor using specific login details.
“Don’t waste time. Inform your CEO about the incident ASAP,” the instructions read.
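As an added example (not from the article or from any vendor tooling), the sketch below sweeps a directory tree for the two file-system indicators described above and grades each directory by whether the note and the renamed files appear together. Case-insensitive matching and the function names are assumptions made for this illustration.

```python
import os
import sys
from collections import defaultdict

# Indicators as reported in the article; matching case-insensitively is an assumption.
LOCKED_EXT = ".locked"
NOTE_NAME = "contact us.txt"


def scan_tree(root):
    """Walk root and return {directory: {"note": bool, "locked": [names]}} for hits."""
    findings = defaultdict(lambda: {"note": False, "locked": []})
    # os.walk skips unreadable directories by default, so a partial sweep still completes.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                findings[dirpath]["note"] = True
            elif lower.endswith(LOCKED_EXT):
                findings[dirpath]["locked"].append(name)
    return dict(findings)


def classify(entry):
    """Grade one directory: note plus renamed files is the strongest signal."""
    if entry["note"] and entry["locked"]:
        return "high"
    if entry["note"]:
        return "medium"  # note present, no renamed files seen in this directory
    return "low"         # extension alone; unrelated software may also use it


def report(root):
    """Return [(severity, directory, locked_count)] sorted from high to low."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(classify(e), d, len(e["locked"])) for d, e in scan_tree(root).items()]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for severity, directory, count in report(target):
        print(f"{severity:6} {directory} locked_files={count}")
```

A file name match is only a triage signal; confirm any hit against backups and endpoint telemetry before treating a host as affected.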
Austal experienced its first ransomware attack five years ago after attackers acquired stolen login credentials on the dark web. Austal later said it did not engage with the ransomware group and that no sensitive information was stolen.
However, the latest attack on the company comes at a sensitive time, with its US arm, usually a significant cash cow for the parent company, up for sale. Despite its extensive contracts with the US Navy, Austal’s US arm is performing poorly financially, and private equity buyers are circling, hoping they can turn the US operation around and tap into more US military revenue streams.
Austal USA benefits from a special security arrangement that allows it to work on sensitive US military projects despite its foreign ownership. However, any leak of sensitive information could have significant ramifications for both the company and the US Navy.
The US Navy declined to comment on the specific incident but said it remains concerned about the protection and potential loss of defense data. “We recognise the serious nature of evolving cyber threats and continuously bolster the department’s cybersecurity culture and awareness, along with our cyber defenses and information technology capabilities,” a spokesperson told MySecurityMedia. “This extends to all of our workforce and our partners in the defense industrial base.” Austal USA did not respond to a request for comment.
The US Department of Defense’s Federal Acquisition Regulations System, which governs the acquisition and management of contracts, requires contractors to report any cyberattacks within 72 hours.
Along with Austal USA, on the same day, Hunters International also targeted a Florida-based local government entity responsible for managing groundwater and surface water resources.