In July, the Adrastea threat actor group claimed that it had stolen up to 60GB of sensitive data from MBDA, the European missile manufacturer jointly owned by Airbus, BAE Systems and Leonardo, and currently the world's second-largest missile maker.
Upon publication of the stolen data, at the time on sale for 1 BTC on Russian-language forums, MBDA vehemently denied the claims. The company released several press statements saying that "MBDA is refuting the alleged hacking of the company's information systems and has filed a report with the police of an attempt to blackmail the company." The series of statements went on to say that there was no hack; rather, the information was taken from an external hard drive and then posted online.
Cyber-security researchers at CloudSEK, a contextual AI company specializing in predicting cyber threats, obtained samples of the leaked files for analysis.
CloudSEK confirmed that the files included personally identifiable information (PII), standard operating procedures (SOPs) of NATO counterintelligence teams, and internal cabling diagrams of missile systems. According to the CloudSEK publication, the leaked information included:
- Confidential PII of MBDA’s employees
- Military sketches
- Documents underlying NATO’s requirements
- SOPs describing NATO’s Intelligence functions
- Employees who took part in the closed military projects of MBDA (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT, etc.)
- Documentation of activities tying MBDA to the Ministry of Defense of the European Union, including:
  - Drawings and presentations
  - Video and 3D photo materials
  - Design documentation of air defense and coastal-protection missile systems
  - Contract agreements and correspondence with other players in the defense industry such as Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics, etc.
While CloudSEK classified the security lapse as an "Unpatched Security Vulnerability", it did not say whether MBDA's information systems were actually breached or whether the data came from an external hard drive, as the company stated. Either way, this volume of information concerning a NATO arms manufacturer being offered for sale on criminal forums is troubling and shows the need for stronger cyber safeguards among government contractors. CloudSEK also recommended that companies monitor ransomware and cybercrime forums in order to observe the prevalent tactics and procedures these criminals use, and to notice early when their own data is being offered for sale.