The NRA has found itself in the middle of a potential breach and ransomware attack. This happened last week after the Russian hacking group Grief reportedly gained access. Grief has close ties to Evil Corp (another advanced hacking group currently sanctioned by the US) or may even just be the same group rebranded. Grief posted proof of their attack in the form of several documents they claim to have stolen from the NRA’s systems. At this time, we don’t know how much the group accessed and whether they were limited to a regional office or had access to a national office.
After an initial investigation into the breach, we downloaded a sample from the group of the data they retrieved. A few days later, while reviewing the data, we found Grief had removed all references to the NRA from its dark web website for some reason. This usually happens because someone has paid for the data to be removed. Either the NRA has, or someone bought the data in an exclusive contract. We had time to save the data before they removed it.
Some documents included a Tax ID and payment information to different groups. Most documents included how much they donated to groups and some tax documents. The NRA did make a statement on Twitter, saying that “the NRA takes extraordinary measures to protect information regarding its members, donors, and operations…”
“NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so.”–Andrew Arulanandam, managing dir., NRA Public Affairs
— NRA (@NRA) October 27, 2021
Grief has plenty of motivation for this hack besides monetary gain. The US has recently banned the import of Russian ammunition, and this could be a misguided political attack. More likely, though, after the FBI and MI5 takedown of REvil, many Russian groups responded with angry threats of cyberattacks. Protecting yourself from these threats means keeping your network secure but also keeping a backup of your data to have the ability to recover from a ransomware attack.