The sinister countdown has ended, and since Monday evening the message “all available data has been published” can be read on the Tor site of the cybercriminals behind Lockbit 2.0. The gang operating this ransomware had claimed responsibility on January 3 for a cyberattack against the French electronics group Thales. It had since been threatening to publish the data stolen in the operation in order to negotiate a large sum in cryptocurrency in exchange for the return of the documents. This double-extortion technique was already used last summer against the consulting giant Accenture.
“There has been an upsurge in their attacks since the beginning of the year with a new, more aggressive version of their malware and the exploitation of e-mail attachments with macro viruses,” analyzes Guillaume Maguet, technical director at Deep Instinct, a cybersecurity company specializing in the prevention of cyberattacks. “They don’t offer to decrypt the data; their software is a ‘wiper’ that deletes everything,” continues the expert. But they then enter into a negotiation with the victim via their platform on the DarkNet to prevent the precious files from leaking on the Internet.
An ideal target for criminals, the French specialist in aerospace, defense and security had stated in a press release at the beginning of January that it had not received a ransom demand, but that “we take this allegation – still unfounded, and whatever its source – seriously. A dedicated team of security experts is currently investigating the situation.” It emphasized in passing: “At this stage, there is no factual proof of this attack; nevertheless we continue to conduct investigations, the security of our data being a priority.”
Two weeks later, Thales had apparently not given in to the blackmail, and several hundred ZIP files, the most recent dated January 1, 2022, were exposed by the hackers. These are internal tools, including computer code, for developers of Space Ops solutions from Thales Alenia Space, the joint venture with Italian arms giant Leonardo dedicated to the space industry.
These 1,320 files were no longer available for download on Tuesday morning. Contacted by Le Parisien, the Thales group acknowledged the exfiltration of data and specified that “most of the stolen files appear to have been copied from a code repository server hosting data with a low level of sensitivity and which is external to the group’s main information systems.”
The cybercriminals therefore appear to have overstated the value of their loot in order to add a big name to their list of victims. It is not a first for this gang. “They are considered technically serious but not very credible in their information, and they have a big mouth,” says Guillaume Maguet of Deep Instinct.
It therefore appears to have been a poorly secured server that was targeted by the attackers. Thales adds: “The protection of our customers’ data being our absolute priority, we are contacting the parties concerned to discuss and inform each of them of potential corrective actions.”