Cyber Incident Victim: Communications & Power Industries

Date: Jan 2020

Location: United States of America

Summary

A defense contractor specializing in military electronics suffered a ransomware attack that severely disrupted operations. The incident began when a privileged user clicked a malicious link, allowing the malware to rapidly propagate across the company's unsegmented network and encrypt files, including on-site backups. The organization paid approximately $500,000 to obtain a decryption key, recovering some systems containing sensitive military data, but remained largely non-operational weeks later with only a fraction of computers restored. Recovery efforts involved reinstalling operating systems across affected devices, complicated by outdated infrastructure including unsupported Windows XP machines. The attack exposed vulnerabilities in the supply chain and highlighted risks to critical defense-related data.

Description

On or around January 15, 2020, Communications & Power Industries (CPI), a California-based defense contractor manufacturing components for military radar, missile seekers, and electronic warfare systems, suffered a ransomware attack that disrupted operations. The incident began when a domain administrator with elevated network privileges clicked a malicious link while logged in, triggering file-encrypting malware. Because CPI’s network was unsegmented, with thousands of computers sharing a single domain, the ransomware rapidly propagated across all company offices and also reached the on-site backups. The company paid a ransom of approximately $500,000 shortly after the attack to obtain a decryption key, though recovery remained incomplete as of late February 2020. Forensic investigations confirmed the compromise of systems containing sensitive military data, including files related to the Aegis naval weapons system developed by Lockheed Martin.

By the end of February 2020, only about 25% of CPI’s computers were operational, with recovery hampered by staffing shortages and technical challenges. Systems running outdated Windows XP software, which lacked security updates since 2014, were among the approximately 150 machines requiring operating system reinstallation. CPI engaged a third-party forensic firm to investigate the breach and notified law enforcement, governmental authorities, and customers, though the company declined to disclose the ransomware variant or provide additional details. Lockheed Martin acknowledged monitoring the situation through its supply chain incident response protocols. The attack exemplified broader ransomware trends, where attackers increasingly exfiltrate data prior to encryption, though CPI’s case primarily involved operational disruption rather than confirmed data theft. Recovery efforts focused on manual system rebuilding and selective decryption of critical military data using the obtained key.
