In the early afternoon of January 17, the criminal gang LockBit 2.0 announced on the Dark Web the publication of data belonging to Thales, an electronics multinational, as it had threatened to do if the requested ransom was not paid. Now 1,320 files, apparently the result of a computer intrusion against the large French group, are visible to all. And the data relates to space projects.
No details have been disclosed about this incident by Thales Group. Despite our requests, the company’s press office let us know that Thales has no statement to make and that Thales Alenia Space is no stranger to what happened.
However, based on the evidence acquired and analyzed by the experts, it can be stated with a certain degree of confidence that the operation carried out by the LockBit 2.0 criminal group affected the company’s infrastructure and allowed the criminals to acquire credentials, data and sensitive information. Considering the sector in which the company operates (security, transport and communications), its industrial relationships and the material it handles, significant repercussions on the confidentiality of numerous projects in the military, defense and space sectors are conceivable.
Cybercrime and the ugly 2022 that awaits us
by Arturo Di Corinto
It was January 1st when ThalesGroup appeared in the list of breached companies on the LockBit 2.0 ransomware gang’s site. The gang is notorious for numerous attacks on Italian targets since the summer of 2021, and sadly known because whenever it has threatened to publish files and documents, it has always done so.
In reference to the article published by Italian Tech on January 4, 2022, in which we anticipated the news, the Thales press office had written to us: “We are aware of a statement of a LockBit ransomware attack targeting data potentially belonging to Thales Group. While we have not received any direct ransom notice, we are taking this as yet unsubstantiated claim seriously, whatever its source, and a dedicated team of security experts is currently investigating the situation. There is no material evidence of this attack at this stage, however we continue to investigate, as the security of our data remains a key priority”.
While waiting to learn more about Thales’ own investigation, we also tried to contact LockBit, without success. But just days ago came the news that the criminals had published on their dark web blog the data stolen from Bricofer and the Asl Euganea of Padua, and their list of victims includes other large and small companies such as Accenture, Erg, Acquazzurra Firenze, GiCinque Srl, Officine Lozza and others.
This time, however, the prey is large. Thales is an international group specializing in aerospace, defense, security and land transport, with a turnover of 17 billion euros in 2020; it operates in Italy through Thales Alenia Space, a joint venture between Thales (67%) and Leonardo / Finmeccanica (33%), which has around 2,300 employees and four sites, in Rome, Turin, L’Aquila and Milan. Thales Alenia Space has just received a commission from Intelsat to build two new satellites, Intelsat 41 and Intelsat 44, for a value between 200 and 300 million euros.
According to engineer Emanuele de Lucia, “From preliminary analyses it seems that the data released by the LockBit group refer to projects present in GitHub. Among these there is at least one project relating to a platform used for the management of space operations, developed and implemented to represent the information obtained from orbital propagation transmitted by satellites in space. The repositories appear to belong to projects completed and already fully in operation. The projects appear to clearly expose intellectual property regarding the stack of technologies used for the application and management of satellite communications”.
But how can one know? We asked De Lucia, who told us: “When notable victims are announced, as in this case, it is the practice of companies that deal with cyber intelligence to carry out targeted investigations aimed at assessing the cyber risk of the affected company, in order to obtain a range of information with which to validate or deny what is asserted by the criminals and to evaluate whether a potential intrusion scenario is truthful”.
The group to which De Lucia belongs, Cluster 25, the Cyber Intelligence Research Unit of DuskRise, which specializes in the analysis of cyber threats, has produced an internal report which, however, is not yet public and “can only be used for the extraction of partial contents and not in its entirety”. In the report, which we were able to read, there is talk of a major theft of intellectual property.
According to some sources the ransom demanded would have been $1 million, which for a company of Thales’ size seems a modest figure. According to Michele Colajanni, professor at the University of Bologna, when this happens “it can depend on two reasons: the affiliates who manage the negotiations are inexperienced or the stolen information is not so important”.
In any case, we still don’t know how it might have happened. For De Lucia “it is difficult to reconstruct with certainty what vulnerability the attackers exploited exclusively on the basis of visibility external to the affected perimeter, as in our case”. However, LockBit is a group very well rooted in the digital underground, and most of its operations involve the exploitation of data and authentication credentials provided by “IAB operators” (Initial Access Brokers). Such operators usually acquire this information from botnet infections (Zloader, TrickBot, RedLine) and then pass it on, for payment, to the affiliates of the various ransomware groups.
Indeed, LockBit is a criminal organization that thrives on the RaaS model, Ransomware as a Service: renting out the ransomware, the malware that copies and exfiltrates the stolen data and then locks it behind a padlock, making it impossible for the legitimate owner to use it until a ransom is paid. Affiliates of this shared malicious-software program pay a percentage to the software’s developers and maintainers and use it as their own. The ransom doesn’t always arrive, though. In LockBit’s case there are in fact many companies that decide not to pay, for various reasons both ethical and practical, especially if they possess a copy of the encrypted data that the affected entity can recover in order to continue its activities.
Luca Mella, an expert ransomware analyst, reminds us that in recent months cyber attacks against companies in the defense and aerospace sector have been frequent, in the US as well as in Brazil, Canada, Belgium, Israel and India, and that behind these attacks “it is possible to hypothesize an underlying direction by Russian intelligence, even if attribution remains, as always, very difficult – and he adds – but it is possible that the stolen data come from the compromise of a supplier in the software supply chain with access to development projects”.
For De Lucia what happened is cause for concern: “The loss of intellectual property and project data relating to a company like Thales is certainly something to be taken very seriously. It operates in very critical sectors and counts national and international institutions among its clients. It is certainly to be considered a very sensitive reality for the countries in which it operates.” Even Italy, therefore.