Hacker in a hoodie – ASCII art (Getty images)

BEIRUT — French defense and aerospace firm Thales was attacked by hackers last week, with company data having been published on the dark net. However, sources close to the matter tell Breaking Defense that the published data is not linked to any of the company’s major defense or national security programs.

The sources, speaking under condition of anonymity, expressed confidence that military and security projects were not affected by the breach, but admitted that it’s possible information was stolen that has yet to be discovered or made public. Even with that caveat, that sensitive defense information has yet to become public is a good sign for the firm.

Among the key projects that appear to have been protected from the intrusion are the Rafale and Eurofighter Typhoon subsystems, radars, military satellites, counter drones and counter-mine systems, airport security and cybersecurity systems.

On Nov. 11, Thales revealed that an extortion and ransomware group known as LockBit 3.0 had released on its publication platform data stolen from the company. In its statement, Thales said that there has been no intrusion of its IT systems, that it had opened an internal investigation and that it has informed France’s ANSSI national cyber security agency.

“Thales security experts have identified one of the two likely sources of the theft, which has been confirmed through the user account of a partner on a dedicated collaboration portal. This has led to the disclosure of a limited amount of information, and Thales continues to investigate the other source of theft,” the firm said in its statement.

Thales is a provider of defense, aeronautics, space, transport and digital security technologies for different countries around the world.

According to Reuters, the firm’s shares dropped as much as 8.5% on the news. But in its statement, Thales insisted that the drop in its share price is not linked to LockBit.

“Thales reiterates that, as of now, there is no impact on the Group’s operations. The firm is working closely with its partner and is providing all of the necessary technical support and resources to minimize any potential impact to concerned customers and stakeholders,” the statement said. The company remains vigilant towards any data theft, systematically mobilizing its teams of security experts, “as data security of any of our stakeholders is our utmost priority.”

LockBit 3.0, also known as LockBit Black, is a ransomware family that was announced in July 2022. It can encrypt and exfiltrate all the files on an infected device, apparently allowing the attacker to hold the victim’s data hostage until the requested ransom is paid. This ransomware is now active in the wild and is causing a lot of concern.

“LockBit is a hacking group and has arguably become the dominant and most prevalent RaaS (Ransom as a service) provider,” cyber security expert and CEO of Dreamlab cybersecurity firm, Nicholas Mayencourt, told Breaking Defense.

He added that this new generation of the system has improved its evasion of analysis and tracking techniques. The group even went so far as to go through a paid-for public bug bounty program to eliminate any vulnerabilities in their crimeware.

Mayencourt also sees a silver lining to this attack, noting that “Thales as a company offers cyber security services and products as well. After an initial compromise and frustration, this case could be a good case for Thales to demonstrate its capabilities. It is already not a good sign that this [hack occurred], yet Thales has now all the possibilities to show and make the difference and re-establish trust.”

Anytime a Western defense company is hacked, questions quickly arise as to whether Russia or China is behind it, as opposed to just normal criminals looking to score some money via ransomware. Mayencourt couldn’t say what the reason for this particular attack is, but did note that there is a history between LockBit and an older group, known as Conti, which has been tied to Russia in the past.

“As Conti has been a Ukrainian and Russian ‘joint venture’ the group quickly imploded after the war started,” he noted, with LockBit taking up a lot of the room that Conti had been acting in.