Cyber Incident Victim: National Rifle Association

Date: Oct 2021

Location: United States of America

Summary

The National Rifle Association was targeted by the Grief ransomware gang, which leaked stolen data including tax documents, investment records, and grant applications as proof of the attack. The organization declined to confirm or comment on the incident but emphasized its commitment to safeguarding member and operational information. Grief is associated with the Russian-linked Evil Corp cybercrime group, known for evolving ransomware strains like DoppelPaymer and WastedLocker to evade U.S. sanctions following OFAC designations; this connection complicates potential ransom negotiations due to regulatory restrictions on payments to sanctioned entities.

Description

On October 27, 2021, the Grief ransomware gang claimed responsibility for a cyberattack targeting the National Rifle Association (NRA). The group listed the NRA as a victim on their data leak site and published evidence to support their claims, including screenshots of Excel spreadsheets containing U.S. tax information and investment records. They also leaked a 2.7 MB archive titled "National Grants.zip," purported to contain NRA grant applications. BleepingComputer contacted the NRA multiple times for comment, including speaking directly to the organization’s Director of Communications, Amy Hunter, but received no immediate response. Later that day, the NRA issued a public statement through Andrew Arulanandam, managing director of NRA Public Affairs, declining to confirm or deny the incident. The statement emphasized that the organization does not discuss matters related to its physical or electronic security but asserted that it takes "extraordinary measures" to protect member, donor, and operational data.

The Grief ransomware operation has been linked by security researchers to Evil Corp, a Russian cybercrime group active since 2009. Evil Corp initially gained notoriety for distributing the Dridex banking trojan and later pivoted to ransomware operations, launching BitPaymer in 2017 and its successor, DoppelPaymer, in 2019. Following U.S. Department of Justice indictments against its members in 2019 for stealing over $100 million and subsequent sanctions by the Office of Foreign Assets Control (OFAC), Evil Corp began rebranding its ransomware strains to evade restrictions. Grief emerged in June 2021 as one such rebrand, with technical ties to earlier Evil Corp malware. The OFAC sanctions complicate potential ransom negotiations for victims like the NRA, as facilitating payments to sanctioned entities could expose negotiators or victims to civil penalties. The NRA did not disclose whether data theft occurred beyond the samples leaked by Grief, nor did it reveal any operational disruptions, containment measures, or recovery efforts related to the incident.
