2021 National Rifle Association ransomware attack
{{Short description|October 2021 ransomware attack}}
{{Infobox event|date={{Unbulleted list|
- October 17–24, 2021 (likely timeframe of hack)
- October 27, 2021 (release of documents by Grief)
}}|event=2021 National Rifle Association ransomware attack|target=National Rifle Association of America|type=Data breach, ransomware scam}}
On October 27, 2021, a Russian hacker group known as Grief published 13 documents attributed to the National Rifle Association of America (NRA) in a ransomware scam, claimed to have hacked the organization, and threatened to release more NRA documents if the undisclosed ransom was not paid.
Background
On October 21, 2021, the Federal Bureau of Investigation hacked and shut down REvil, a major hacking organization involved in ransomware scams. In response, other ransomware groups shared anti-United States messages on the dark web.{{Cite web|last=Collier|first=Kevin|date=October 27, 2021|title=Cybercriminals claim to have hacked the NRA|url=https://www.nbcnews.com/tech/security/cybercriminals-claim-hacked-nra-rcna3929|url-status=live|access-date=2021-10-27|website=NBC News|language=en|archive-url=https://web.archive.org/web/20211027181716/https://www.nbcnews.com/tech/security/cybercriminals-claim-hacked-nra-rcna3929 |archive-date=October 27, 2021 }}{{Cite web|last=Collier|first=Kevin|date=October 22, 2021|title=Ransomware hackers nervous, allege harassment from U.S.|url=https://www.nbcnews.com/tech/security/ransomware-hackers-nervous-allege-harassment-us-rcna3637|url-status=live|access-date=2021-10-27|website=NBC News|language=en|archive-url=https://web.archive.org/web/20211022232314/https://www.nbcnews.com/tech/security/ransomware-hackers-nervous-allege-harassment-us-rcna3637 |archive-date=October 22, 2021 }}
Prior to the ransomware attack, the National Rifle Association had been involved in multiple legal disputes, which Recorded Future analyst Allan Liska argued may have made them an easier target for cyberattacks as attention within the organization was pulled away from their security.{{Cite web|last=Miller|first=Maggie|date=2021-10-27|title=NRA hit by Russian-linked ransomware attack: reports|url=https://thehill.com/policy/cybersecurity/578767-nra-hit-by-russian-linked-ransomware-attack-reports|url-status=live|access-date=2021-10-27|website=The Hill|language=en|archive-url=https://web.archive.org/web/20211027195741/https://thehill.com/policy/cybersecurity/578767-nra-hit-by-russian-linked-ransomware-attack-reports |archive-date=October 27, 2021 }}
Ransomware attack
= Initial release of documents =
On October 27, 2021, Grief published 13 documents on their website as part of a ransomware scam, attributing them as internal documents belonging to the NRA and claiming to have hacked the organization.{{Cite web|last=Stieb|first=Matt|date=2021-10-27|title=Russian Cybercriminals Claim to Have Hacked the NRA|url=https://nymag.com/intelligencer/2021/10/russian-cybercriminals-claim-to-have-hacked-the-nra.html|url-status=live|access-date=2021-10-27|website=New York|language=en-us|archive-url=https://web.archive.org/web/20211027225438/http://nymag.com/intelligencer/2021/10/russian-cybercriminals-claim-to-have-hacked-the-nra.html |archive-date=October 27, 2021 }} As reported in Wired, the hack likely took place within the week prior to the release of documents. The group threatened to release more files if the ransom (an undisclosed amount of money) was not paid.
An anonymous person with direct knowledge of the events at the NRA told the Associated Press that the group had been having issues with its email system in the week prior to the publication of files by Grief, which is a potential indicator of a ransomware attack.{{Cite web|last=Tucker|first=Eric|date=2021-10-27|title=Ransomware gang says it targeted National Rifle Association|url=https://apnews.com/article/technology-business-europe-russia-united-states-8e2e6ead27e80e79482caf54111b4c3d|url-status=live|access-date=2021-10-28|website=Associated Press|language=en|archive-url=https://web.archive.org/web/20211027205237/https://apnews.com/article/technology-business-europe-russia-united-states-8e2e6ead27e80e79482caf54111b4c3d |archive-date=October 27, 2021 }} On October 28, The Register reported that it was unknown whether the hack had targeted the headquarters of the NRA or one of its local branches.{{Cite web|last=Dobberstein|first=Laura|date=October 28, 2021|title=Grief ransomware gang strikes again, claims it hit the NRA|url=https://www.theregister.com/2021/10/28/grief_ransomware_gang_nra/|url-status=live|access-date=2021-10-28|website=The Register|language=en|archive-url=https://web.archive.org/web/20211028114135/https://www.theregister.com/2021/10/28/grief_ransomware_gang_nra/ |archive-date=October 28, 2021 }}
The leaked files included the minutes from an NRA board meeting that occurred shortly before the release of documents as well as multiple files related to grants.{{Cite web|last=Greig|first=Jonathan|date=October 27, 2021|title=NRA responds to reports of Grief ransomware attack|url=https://www.zdnet.com/article/nra-responds-to-reports-of-grief-ransomware-attack/|url-status=live|access-date=2021-10-28|website=ZDNet|language=en|archive-url=https://web.archive.org/web/20211028000219/https://www.zdnet.com/article/nra-responds-to-reports-of-grief-ransomware-attack/ |archive-date=October 28, 2021 }} The Trace reported that one document appeared to be a late 2019 grant application made to the NRA by David Kopel on behalf of the Independence Institute for $267,000, with $248,500 earmarked as Kopel's salary. Kopel has repeatedly filed amicus briefs supporting the NRA in court, and has not disclosed a financial connection to the organization.{{Cite web|last=Van Sant|first=Will|date=2021-11-03|others=With contributions by Champe Barton|title=The NRA Paid a Gun Rights Activist to File SCOTUS Briefs. He Didn't Disclose it to the Court.|url=https://www.thetrace.org/2021/11/scotus-nra-foundation-david-kopel-nysrpa-v-bruen-documents/|url-status=live|access-date=2021-11-06|website=The Trace|language=en-us|archive-url=https://web.archive.org/web/20211103151403/https://www.thetrace.org/2021/11/scotus-nra-foundation-david-kopel-nysrpa-v-bruen-documents/ |archive-date=November 3, 2021 }}
= Related Twitter activity =
After the ransomware attack was announced by Grief, hundreds of Twitter accounts that had all been created in August and September 2021 shared tweets about the attack. Most of the accounts had feminine names, and the majority used the default Twitter profile photo while others used pictures that appeared to be taken from the online dating services Shuri-Muri or Tralolo. Some of the same accounts had previously posted about an earlier ransomware attack by Grief or about the NRA, gun violence, or Nazis.{{Cite news|last=Vavra|first=Shannon|date=2021-11-01|title=A Mysterious Network of Twitter Bots Promote Alleged NRA Hack|language=en|work=The Daily Beast|url=https://www.thedailybeast.com/a-mysterious-network-of-twitter-bots-promote-alleged-nra-hack|access-date=2021-11-03}} {{As of|2021|November|1|df=US}}, it was unclear whether there was a connection between Grief and the network of Twitter accounts.{{Cite web|last=Uchill|first=Joe|date=2021-11-01|title=As demo'd with NRA, 'information operations' may be new way to give ransomware victims Grief|url=https://www.scmagazine.com/analysis/ransomware/as-demod-with-nra-information-operations-may-be-new-way-to-give-ransomware-victims-grief|url-status=live|access-date=2021-11-03|website=SC Media|archive-url=https://web.archive.org/web/20211101220708/https://www.scmagazine.com/analysis/ransomware/as-demod-with-nra-information-operations-may-be-new-way-to-give-ransomware-victims-grief |archive-date=November 1, 2021 }}
= Temporary removal of released documents =
On October 29, Grief removed the documents attributed to the NRA from the dark website where they had been published. Brett Callow, a threat analyst employed by Emsisoft, noted that while the delisting of the NRA on the website could mean that the organization paid the ransom, there were additional possibilities; it could also indicate that the NRA had entered into negotiations with Grief or that the ransomware group had chosen to remove the documents because they had drawn too much law enforcement attention. However, on November 1, The Washington Times reported that Callow had published a screenshot showing that documents attributed to the NRA were again visible on the Grief website.{{Cite web|last=Lovelace|first=Ryan|date=November 1, 2021|title=NRA's cyber problems multiplying in face of alleged hack|url=https://www.washingtontimes.com/news/2021/nov/1/nras-cyber-problems-multiplying-face-alleged-hack/|url-status=live|access-date=2021-11-06|website=The Washington Times|language=en-US|archive-url=https://web.archive.org/web/20211101200236/https://www.washingtontimes.com/news/2021/nov/1/nras-cyber-problems-multiplying-face-alleged-hack/ |archive-date=November 1, 2021 }}
= Release of additional documents =
On November 11, The Reload reported that Grief had published more internal documents the previous day, stating that these new documents included bank account information of the organization as well as information about specific employees including Social Security numbers and home addresses. The outlet additionally reported that the authenticity of the leaked documents had been confirmed by "six current and former NRA officials" including one individual whose personal information was exposed in the leak, who was not aware of its existence prior to being contacted by The Reload.{{Cite web|last=Gutowski|first=Stephen|date=2021-11-11|title=NRA Bank Account Information, Staff Social Security Numbers Leaked by Russian Hackers|url=https://thereload.com/nra-bank-account-information-staff-social-security-numbers-leaked-by-russian-hackers/|url-status=live|access-date=2021-11-12|website=The Reload|language=en-US|archive-url=https://web.archive.org/web/20211111145018/https://thereload.com/nra-bank-account-information-staff-social-security-numbers-leaked-by-russian-hackers/ |archive-date=November 11, 2021 }}{{Cite web|last=Kutsch|first=Tom|date=November 12, 2021|title=Daily Bulletin: Latest NRA Hack Reveals Sensitive Info From Organization, Personnel|url=https://www.thetrace.org/newsletter/latest-nra-hack-reveals-sensitive-organization-staff-info/|url-status=live|access-date=2021-11-12|website=The Trace|language=en-us|archive-url=https://web.archive.org/web/20211112171405/https://www.thetrace.org/newsletter/latest-nra-hack-reveals-sensitive-organization-staff-info/ |archive-date=November 12, 2021 }}
Also on November 10, Grief moved the NRA-related documents on its website from a section indicating hacks in progress to a different one indicating that the hack had been completed. No explanation was provided.
Perpetrators
A Russian hacker group known as Grief was responsible for the ransomware scam. The group first became active in May 2021.{{Cite news|last=Vavra|first=Shannon|date=2021-10-27|title=Russian Ransomware Gang Claims to Have Hacked the NRA|language=en|work=The Daily Beast|url=https://www.thedailybeast.com/russian-ransomware-grief-gang-claims-hack-nra|access-date=2021-10-28}} NBC News reported that computer security experts believe that Grief is a rebrand of the Russian group Evil Corp. Evil Corp has been linked to ransomware attacks on Sinclair Broadcast Group as well as hundreds of financial entities across more than 40 countries. In 2019, multiple United States federal agencies took action against the group, including sanctions; it is subject to sanctions by the United States Department of the Treasury.{{Cite web|last=Cimpanu|first=Catalin|date=2021-10-27|title=Ransomware gang claims attack on NRA|url=https://therecord.media/ransomware-gang-claims-attack-on-nra/|url-status=live|access-date=2021-10-28|website=The Record|publisher=Recorded Future|language=en|archive-url=https://web.archive.org/web/20211027172220/https://therecord.media/ransomware-gang-claims-attack-on-nra/ |archive-date=October 27, 2021 }} Experts have additionally theorized that Grief is a rebrand of DoppelPaymer, another ransomware group associated with Evil Corp.{{Cite web|last=Ropek|first=Lucas|date=October 27, 2021|title=The NRA Has Reportedly Been Hacked|url=https://gizmodo.com/the-nra-has-reportedly-been-hacked-1847948727|url-status=live|access-date=2021-10-28|website=Gizmodo|language=en-us|archive-url=https://web.archive.org/web/20211028004214/https://gizmodo.com/the-nra-has-reportedly-been-hacked-1847948727 |archive-date=October 28, 2021 }}
Response
= NRA response =
On October 27, 2021, the NRA tweeted a statement by its managing director of public affairs Andrew Arulanandam. The statement said that the NRA does not discuss its security, but that the group "takes extraordinary measures to protect information regarding its members, donors, and operations". The NRA declined requests for further comment by The Hill and requests for comment by NBC. The Daily Beast reported that an email to the NRA spokesperson had returned an error message, potentially indicating that the organization's email server was offline, and that spokesperson Amy Hunter declined to comment after being reached by phone.
{{As of|2021|October|27|df=US}}, it was unclear whether the NRA had any plans to pay the ransom. Because of the link between Grief and Evil Corp, which is sanctioned by the United States Treasury, the NRA would need the permission of the Treasury to transfer ransom money to Grief; doing so without permission could lead to the imposition of penalties.{{Cite magazine|last=Newman|first=Lily Hay|date=October 29, 2021|title=An Apparent Ransomware Hack Puts the NRA in a Bind|language=en-US|magazine=Wired|url=https://www.wired.com/story/nra-ransomware-hack-sanctions-payment/|access-date=2021-11-01|issn=1059-1028}}
{{As of|2021|October|29|df=US}}, the NRA had not confirmed that they had been hacked or targeted by a ransomware scam, nor had they confirmed the validity of the documents released by Grief. They did not respond to a request for comment from Wired asking whether they were negotiating with Grief or had paid the ransom.
{{As of|2021|November|11|df=US}}, the NRA had made no further official comment about the ransomware attack. The organization's response to the attack remained unclear. The Reload reported that multiple current and former NRA officials had confirmed the authenticity of the leaked documents, while NRA board member Phillip Journey told the outlet that the lack of information from NRA staff was "disconcerting" and asked "who knows how far it went, what they have, and what they could still sell?"
= Public response =
References
{{Reflist|2}}