Cyber Incident Victim: Kimchuk Inc.
Date:
Mar 2020
Location:
United States of America
Summary
Kimchuk, a manufacturer of electronics for medical, military, and nuclear applications, was hit by DoppelPaymer ransomware: the operators exfiltrated data, encrypted systems, and, after the company refused to pay, published stolen files including payroll records, purchase orders, and order details from a customer's nuclear division. No classified information was identified in the leaked documents, but sensitive operational and client data was exposed. The incident disrupted the manufacturer's systems and illustrates a DoppelPaymer tactic: the ransom note says nothing about data theft, and victims learn that data was taken only when they visit the group's payment portal.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Kimchuk, a Connecticut-based manufacturer producing electronics for medical equipment, telecoms systems, energy grids, and nuclear modules for the U.S. Navy, suffered a ransomware attack involving the DoppelPaymer strain on or around March 5, 2020. The attackers infiltrated the company's network, exfiltrated data, and encrypted files, disrupting operations and knocking systems offline. DoppelPaymer's operational model was to steal sensitive information before encrypting and to threaten publication if the ransom went unpaid. The timeline was inferred from the directory listing of the stolen files: the most recent file was dated March 5, so the data left the network no earlier than that day. Published data included internal payroll records, broker approvals, purchase orders, and documents detailing order specifications from one customer's nuclear division. No classified information was identified in the leaked files, but the exposure of defense supply chain details raised concerns because Kimchuk is a government contractor whose work requires security clearances.

The company declined to pay the ransom, and the DoppelPaymer group then publicly released portions of Kimchuk's data. Kimchuk did not respond to TechCrunch's requests for comment; CEO Jim Marquis directed human resources and operations personnel not to respond to inquiries. The U.S. Department of Defense also declined to comment when contacted about the breach. The incident mirrored an earlier DoppelPaymer attack on defense contractor Visser Precision, whose data was likewise leaked after it refused to pay. Security analysts traced DoppelPaymer's emergence to mid-2019. It borrowed the steal-then-encrypt approach from earlier data-stealing ransomware such as Maze but, unlike Maze, its ransom notes made no mention of data theft; victims learned that data had been exfiltrated only when they visited the payment portal. The breach highlighted risks to military supply chains, and experts emphasized that a ransomware incident should be presumed to involve data compromise unless proven otherwise. Both the network encryption and the subsequent leaks caused operational disruption and reputational damage.
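The timeline above was reconstructed from the modification dates in the leaked directory listing. The script below is an added example of that inference and is not part of the incident record or of any tool used in the case: it parses a constructed listing (the paths, sizes and dates are invented and do not come from the Kimchuk leak), derives a lower bound on when the data was exfiltrated from the newest timestamp, and triages the paths into the categories of sensitive data the page describes. The listing format, the category keywords and the function names are assumptions made for this example.

```python
"""Bound a ransomware exfiltration window from a leaked-file directory listing.

Added example (not part of the incident record). The listing is constructed
to resemble a leak-site manifest; names, sizes and dates are invented.
"""
import re
from datetime import datetime, timezone

# Constructed sample: "<YYYY-MM-DD HH:MM> <size> <path>" per line (assumed format).
SAMPLE_LISTING = """\
2020-02-21 09:14   48213  HR/payroll/2020-02_payroll_summary.xlsx
2020-02-28 17:02  102400  finance/purchase_orders/PO-000312.pdf
2020-03-02 11:45    9021  brokers/approval_ACME_2020.docx
2020-03-05 08:30   55112  customers/nuclear_div/order_spec_rev3.pdf
2020-03-05 08:31    7710  customers/nuclear_div/order_spec_cover.docx
2020-01-15 12:00  200000  eng/drawings/assembly_A17.dwg
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(.+)$")

# Path keyword -> data category; keywords chosen for this example only.
CATEGORIES = {
    "payroll": "payroll",
    "purchase_order": "purchase order",
    "broker": "broker approval",
    "nuclear": "customer nuclear division",
}


def parse_listing(text):
    """Return (mtime, size, path) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mtime = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        entries.append((mtime.replace(tzinfo=timezone.utc), int(m.group(2)), m.group(3)))
    return entries


def latest_mtime(entries):
    """Newest modification time in the leak.

    The data cannot have been copied out before its newest file was last
    written, so this bounds the exfiltration from below. It says nothing
    about when initial access happened, which may be much earlier.
    """
    return max(e[0] for e in entries) if entries else None


def categorize(entries):
    """Count leaked files per sensitive-data category by path keyword."""
    counts = {}
    for _, _, path in entries:
        lowered = path.lower()
        for keyword, category in CATEGORIES.items():
            if keyword in lowered:
                counts[category] = counts.get(category, 0) + 1
                break
    return counts


if __name__ == "__main__":
    leaked = parse_listing(SAMPLE_LISTING)
    print("exfiltrated no earlier than:", latest_mtime(leaked).isoformat())
    print("exposure by category:", categorize(leaked))
```

Treat the result as a bound, not a timestamp of the intrusion: the newest file gives the earliest possible exfiltration date, and modification times in a listing the attacker produced can have been altered by the copy or deliberately. Confirm the window against the victim's own logs (VPN, proxy, EDR) before relying on it.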
