Global Finances Daily

UK Military Data Breach a Reminder of Third-Party Risk

May 9, 2024


The disclosure of a breach exposing data on over 225,000 UK military personnel underscores the global security risks associated with external contractors to defense entities.

The exposure, which came to light just this week, stemmed from a threat actor accessing the names, bank account details, and other information for current, former, and reserve members of the British Army, Naval Service, and Royal Air Force from a company handling payroll services for the UK Ministry of Defence (MoD).

External Contractor at Fault

The BBC and other UK media outlets identified the external contractor as Shared Services Connected Ltd and say the breached payroll system contains information on military personnel going back several years. In comments to Members of Parliament, the UK’s Secretary of State for Defence Grant Shapps identified the attack as the work of a “malign actor” that was very likely nation-state backed. While some senior government officials pointed to China as the most likely suspect, Shapps himself stopped short of pinning the attack on anyone by name.

Instead, he blamed the third-party contractor for not doing enough to protect its systems against attack. Malign actors gained access to a part of the armed forces payment network via an external system that is completely separate from the MoD core network and not connected to the main military HR system, Shapps said. “It is operated by a contractor, and there is evidence of potential failings by them which may have made it easier for the malign actor to gain entry,” he emphasized. Shapps added that the UK government has initiated a special security review of the contractor and their operations.

The latest incident marks the second time in less than one year that an external contractor was responsible for exposing data related to the UK military. Last August, the LockBit ransomware gang managed to steal some 10GB of data from Zaun, a company that provides mesh-fencing services for UK military facilities. Zaun described the breach as the result of a rogue Windows 7 system on its network. The company claimed LockBit actors accessed a system that contained “historic emails, orders, drawings, and project files” but no classified information or military secrets.

Supply Chain Risks in the Defense Sector

Breaches like these highlight the vulnerable underbelly that external contractors present to attackers who want to target military and defense data and systems. In June 2023, Adlumin reported on a threat actor dropping a novel backdoor called PowerDrop on systems belonging to at least one US defense contractor. And last month, the US government released details on a multiyear effort by Iranian cyberspies to steal US military secrets by targeting employees at defense contracting firms who have high-level security clearances.

Eric Noonan, CEO of CyberSheath, says third-party contractors that work with the military are an attractive target because these organizations often overlook vital security measures. “In the US, there has been over a decade-long fight by the DoD to force minimum security standards on third-party contractors through its [Cybersecurity Maturity Model Certification] program,” he says. “But until contractors are faced with losing out on contracts due to poor security, I don’t expect much will change.”

Noonan points to research CyberSheath conducted last year that showed a high percentage of the Defense Industrial Base not having basic cybersecurity controls in place and putting the entire Pentagon supply chain at risk. For instance, 81% of the contractors in CyberSheath’s study did not have a formal vulnerability management system; 75% did not implement multifactor authentication; and 75% did not have a back-up plan.

A May 2022 study by Black Kite of the top 100 US defense contractors uncovered similar issues: 72%, for instance, had experienced at least one leaked credential in the preceding 90 days; 32% were vulnerable to ransomware attacks; and 17% were using out-of-date — and therefore unsupported — systems.

Time for Mandatory Minimum Standards?

“Industries like defense and other critical infrastructure sectors must be regulated to implement mandatory minimum cybersecurity standards,” Noonan says. “The private companies operating in these sectors haven’t made the required investments in cybersecurity, and they won’t, unless it’s forced through regulation like CMMC.”

Stephen Gates, principal security SME at Horizon3.ai, says third-party cyber risk has generally never been higher. “It’s one of the reasons why organizations are now nearly mandating their third-party suppliers perform continuous cyber-risk assessments of their own infrastructures to ensure they are not transferring their risk to others — especially their buyers.”

The challenge for organizations is how to execute continuous cyber assessments. Checkbox self-assessment exercises and external penetration testing that test merely a small portion of the network have been largely unsuccessful, Gates says. “Therefore, initiatives are surfacing, which are all calling for increases in continuously assessing cyber risk,” he says.

As examples, Gates points to an initiative the US Navy launched in November 2023 to provide realistic cyber assessments via automated and manual testing of security protections, and another from the US DoD called the Cyber Operational Readiness Assessment (CORA) program.



Editorial Team
