Cyber Incident Victim: Sol Oriens
Date: May 2021
Location: United States of America
Summary
A U.S. Department of Energy nuclear weapons subcontractor experienced a cybersecurity breach attributed to the REvil ransomware group, resulting in unauthorized access to internal documents. Compromised data included employee payroll information containing names, social security numbers, and quarterly pay details, alongside non-classified contracts and training materials bearing agency logos. The attackers publicly disclosed samples of exfiltrated files and threatened to share additional data with unspecified military entities, though no evidence indicated compromise of classified nuclear weapons information. The incident underscored security concerns involving contractors supporting critical national defense programs.
Description
In May 2021, Sol Oriens, a U.S. Department of Energy (DOE) subcontractor supporting the National Nuclear Security Administration (NNSA) on nuclear weapons programs, detected a cybersecurity incident affecting its network. The Albuquerque-based company, which specializes in advanced military and space technology consulting, initiated an investigation and engaged a third-party forensic firm to determine the scope. By early June, the company’s website became inaccessible, and internal documents appeared on REvil’s dark web leak site. Stolen data included a September 2020 payroll form exposing employee names, Social Security numbers, and quarterly pay; a contracts ledger; and a training memo bearing DOE and NNSA Defense Programs logos. Sol Oriens publicly confirmed the breach in a statement circulated via CNBC on June 10, 2021, emphasizing no evidence of compromised classified or critical security-related information but committing to notify affected parties post-investigation. REvil, a ransomware-as-a-service group, claimed responsibility, threatening to share the data with “military agencies of our choise [sic]” and criticizing the subcontractor’s security measures for failing to protect employee data and software development information.

The incident raised concerns about the security posture of nuclear weapons supply chain contractors, given Sol Oriens’ role in projects like the W80-4 nuclear warhead program. REvil’s dark web post included screenshots of stolen documents and a taunting message asserting the gang’s “right” to disseminate the data. While the initially leaked materials appeared non-classified, the breach’s full scope remained under investigation, with no public confirmation of whether nuclear weapons-related secrets were accessed. The DOE declined to comment, and the FBI’s Albuquerque Field Office neither confirmed nor denied an investigation. The attack aligned with REvil’s pattern of high-profile targets, including an $11 million ransom payout from JBS Foods weeks earlier and a $50 million extortion attempt against Apple via supplier Quanta. Cybersecurity firm Sophos noted that REvil affiliates typically gained initial access through internet-exposed RDP services, credential brute-forcing, or unpatched VPN appliances, though Sol Oriens’ specific attack vector was undisclosed. The company’s response focused on forensic analysis and regulatory compliance, with no disclosed ransom payment or data recovery timeline.
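The initial-access pattern Sophos attributes to REvil affiliates (exposed RDP, credential brute-forcing) is one a defender can look for in Windows Security logs. The following is an added example, not code from the page, from Sophos, or from Sol Oriens: it flags source addresses that generate a burst of failed RDP logons (Event ID 4625 with logon type 10) and notes whether a successful logon (4624) from the same source followed the failures, which is the point at which a password guess has landed. The event records are constructed samples in a simplified field layout, and the threshold and time window are assumptions to tune for a real environment.

```python
"""Flag likely RDP brute-force sources in Windows Security log events.

Added example, not from the original page. The records below are constructed
samples shaped like the fields of Event IDs 4625 (failed logon) and 4624
(successful logon); logon type 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, target_user)
SAMPLE_EVENTS = [
    # 203.0.113.45: six RDP failures across three accounts in under three minutes,
    # then a success for the last account tried (password guess landed)
    ("2021-05-20T02:00:01", 4625, 10, "203.0.113.45", "administrator"),
    ("2021-05-20T02:00:33", 4625, 10, "203.0.113.45", "administrator"),
    ("2021-05-20T02:01:05", 4625, 10, "203.0.113.45", "admin"),
    ("2021-05-20T02:01:40", 4625, 10, "203.0.113.45", "admin"),
    ("2021-05-20T02:02:12", 4625, 10, "203.0.113.45", "jsmith"),
    ("2021-05-20T02:02:44", 4625, 10, "203.0.113.45", "jsmith"),
    ("2021-05-20T02:03:20", 4624, 10, "203.0.113.45", "jsmith"),
    # 198.51.100.7: two failures then success, consistent with a user mistyping
    ("2021-05-20T09:15:00", 4625, 10, "198.51.100.7", "jdoe"),
    ("2021-05-20T09:15:30", 4625, 10, "198.51.100.7", "jdoe"),
    ("2021-05-20T09:16:00", 4624, 10, "198.51.100.7", "jdoe"),
    # 192.0.2.10: six failures but logon type 2 (console), not RDP, so out of scope
    ("2021-05-20T03:00:00", 4625, 2, "192.0.2.10", "svc-backup"),
    ("2021-05-20T03:00:30", 4625, 2, "192.0.2.10", "svc-backup"),
    ("2021-05-20T03:01:00", 4625, 2, "192.0.2.10", "svc-backup"),
    ("2021-05-20T03:01:30", 4625, 2, "192.0.2.10", "svc-backup"),
    ("2021-05-20T03:02:00", 4625, 2, "192.0.2.10", "svc-backup"),
    ("2021-05-20T03:02:30", 4625, 2, "192.0.2.10", "svc-backup"),
    # 10.0.0.5: a normal RDP success with no preceding failures
    ("2021-05-20T08:00:00", 4624, 10, "10.0.0.5", "alice"),
]

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5           # assumption: >= 5 RDP failures inside one window
WINDOW = timedelta(minutes=5)  # assumption: sliding window length


def parse(events):
    """Convert the ISO timestamp strings of the sample records to datetimes."""
    return [(datetime.fromisoformat(ts), eid, lt, ip, user)
            for ts, eid, lt, ip, user in events]


def rdp_bruteforce_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for sources whose RDP failure count reaches
    `threshold` within any `window`-long sliding interval."""
    failures = defaultdict(list)   # ip -> [(time, target_user), ...]
    successes = []                 # [(ip, time), ...]
    for ts, eid, lt, ip, user in parse(events):
        if lt != RDP_LOGON_TYPE:
            continue
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes.append((ip, ts))

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        # Sliding window: largest number of failures whose timestamps fit in `window`
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = times[-1]
        findings[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "distinct_users": len({u for _, u in fails}),
            # A success from the same source after its last failure is the
            # signal that the guessing worked and the account needs action.
            "success_after_failures": any(sip == ip and st >= last_fail
                                          for sip, st in successes),
        }
    return findings


if __name__ == "__main__":
    for ip, summary in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(ip, summary)
```

Filtering on logon type 10 keeps console and service-account noise out of the RDP picture; the console failures from 192.0.2.10 above would warrant their own rule. The more useful finding is not the failure count but `success_after_failures`, which on the sample data turns the 203.0.113.45 burst into a confirmed credential compromise rather than a blocked attempt.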
