This article is more than 1 year old

The latest REvil ransomware victim? Sol Oriens. Oh, a US nuclear weapons contractor

Company claims 'no current indication' top-secret data was plundered

The REvil ransomware gang, thought to be behind an attack on meat producer JBS which netted an impressive $11m payoff, has found another victim. Worryingly, this one works with the US Department of Defence on the nation's nuclear weapons programme.

According to a statement released by Sol Oriens, the company was hit by "a cybersecurity incident" in May 2021. "The investigation is ongoing," a company spokesperson confirmed, "but we recently determined that an unauthorised individual acquired certain documents from our system. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved."

Described as a "a small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications," Sol Oriens' links to the US nuclear weapons programme were revealed in a job posting for a "Senior Nuclear Weapons System Subject Matter Expert" on recruitment site Lensa, first spotted by CNBC correspondent Eamon Javers. Those applying were asked to hold a US Department of Defence Top Secret (TS) or the higher Q clearance.

Thus far, Sol Oriens has not stated - or, less generously, doesn't know - precisely what documents were leaked in the attack, but a spokesperson claimed the company has "no current indication that this incident involves client classified or critical security-related information."

A trio of sample documents published to the "Happy Blog," where offers for data captured during REvil-linked ransomware attacks are presented, showed a part of a presentation on recruiting, hiring, and training a contractor workforce at the Los Alamos National Lab marked "Official Use Only" by the US Department of Energy, financial details, and wage reports for five of the company's employees - complete with Social Security numbers.

Sharing proof of the stolen data is akin to sending a pinky in the mail of a kidnap victim

"Sol Oriens, LLC did not take all necessary action to protect personal data of their employees and software developments for partner companies," the perpetrators claimed in the posting. "We hereby keep a right to forward all of the relevant documentation and data to military angencies [sic] of our choise [sic], includig [sic] all personal data of employees."

Public disclosure of the attack came as nations attending the G7 summit called Russia out for allegedly harbouring ransomware gangs, asking the nation to "identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes."

ESET UK cybersecurity expert Jake Moore commented: "Sharing proof of the stolen data is akin to sending a pinky in the mail of a kidnap victim. This extremely powerful group are renowned for getting what they want and with impressive results.

"However, when ransom demands are the favourable choice over a response and recovery plan, it is quite clear we are on a whole new level of disruption knocking over all kinds of organisations. Auctioning off the data proves the severity of the attack as well as highlighting the lack of time as a luxury into deciding what direction Sol Oriens will take in order to dictate their fate." ®

More about


Send us news

Other stories you might like