LockBit claims a cyberattack against Boeing.

The Russian ransomware gang LockBit claims to have compromised Boeing systems and taken "a tremendous amount" of sensitive information from the aerospace firm.

Boeing is assessing the gang's claims.

Boeing said, according to Reuters, that it's evaluating the claims. LockBit says that if it's not paid by November 2nd, the gang will begin dumping the data publicly. "Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!" LockBit said on its leak site, adding, "For now we will not send lists or samples to protect the company BUT we will not keep it like that until the deadline," the hacking group said. Citing security researcher Brett Callow, Security Affairs points out that LockBit has in the past not distinguished between a company and a company's vendors, and that from what's known so far, this could be a third-party incident, assuming that it turns out to be anything at all. LockBit claims to have gained access to Boeing data by exploiting a zero-day, but those claims remain uncorroborated. Should LockBit release proof-of-hack data, Boeing's response will be informed by what it sees, Infosecurity Magazine reported early Monday morning.

An escalation of cybercrime facilitated and enabled by the Russian government.

Ken Westin, Field CISO at Panther Labs, sees the incident as an instance of escalation of cybercrime enabled by the Russian government. "This is another example of a Russian based threat group gaining access to potentially sensitive data," he wrote in emailed comments. "Ransomware groups have been increasing their level of sophistication and capabilities, so no organization is safe from a potential ransomware incident. Even organizations with the best security posture and following best practices are still at risk. This compromise, along with the recent compromise of DC voter data via DataNet Systems by RansomVC, raises national security concerns as often times these groups not only encrypt the data, but also exfiltrate it. LockBit is a predominantly Russian speaking ransomware group believed to be operating out of Russia with ties to the Russian government. Data from Boeing can be very valuable to foreign governments, particularly their “Defense, Space & Security” division. The scope of the breach has not been announced so it’s not clear if data from this division was compromised, but it could be a threat."

Update: still waiting for proof-of-hack.

(Added, 1:30 PM ET, October 30th, 2023.) Black Kite’s head of research, Ferhat Dikbiyik, emailed an update on what they've observed so far this morning:

"Black Kite’s research team is currently monitoring the incident and have not yet seen any sample data published by Lockbit. This ransomware group is known for exploiting vulnerabilities, particularly zero-day, and their statement given to vx-underground, aligns with their typical attack approach. Lockbit has over 100 affiliates and it is possible that one of them discovered the vulnerability in Boeing's systems, which gave them initial access and ability to deploy the ransomware. Alternatively, it could have come from a third-party vendor associated with Boeing. Generally, the ransomware group does not target very large companies frequently and given Boeing's importance in critical infrastructure, Lockbit appears to be proceeding cautiously by not immediately publishing any sample data. 

"Lockbit has been the most active ransomware group over the past 12 months, in terms of the number of ransomware victims announced (stats on the groups can be seen in our August and September Monthly Ransomware Reports). While other groups such as AlphV/Black Cat (the group responsible for the MGM attack) are catching up, and new players like RansomedVC are trying to gain market share by exaggerating their attacks or publishing more victims, it seems unlikely that Lockbit will lose its number one position anytime soon."

(Added, 8:00 PM ET, October 30th, 2023.) Steve Stone, Head of Rubrik Zero Labs, Also commented on the importance of evidence that a claimed attack has actually occurred. “It's important to vet and verify any ransomware purported claims as well as if the actual activity occurred. Just this month in October there was significant discussion on Colonial Pipeline being victim to ransomware again, only to have those claims fall apart (it was a repackaging of previously leaked material) on further review," he wrote. "Alleged claims of Lockbit using an 0-day to compromise Boeing are interesting, but not assessment-changing details. Ransomware groups, in particular professional and well-resourced groups like Lockbit, have proven their ability and willingness to purchase and leverage 0-days against victims.”

LockBit is certainly active, and potential targets should be alert, Stone adds. “Lockbit is the most active ransomware group since the beginning of 2022 until current day and is widely viewed as one of the most professional Ransomware as a Service providers. They've been around for years and either rebranded or retooled multiple times in the past. Without further details, it is critical for any potential target to remember there may be several groups involved in a compromise. As an example, Lockbit is most-suited for ransomware deployment, data extortion, and follow-on activities. They've used other groups, most notably Initial Access Brokers (IABs) on multiple past occasions. “

“Lockbit's claim of stealing 'lots of sensitive data' is in-line with their past actions and claims. It also tracks with Rubrik observations on the ready prevalence of sensitive data. As an example, in the aerospace industry, Rubrik sees a typical organization containing more than 19.5 millions sensitive data records as of July 2023," he added. “Rubrik Zero Labs cannot confirm any details from the media and Lockbit statements, however we do routinely see organizations better prepared for the initial ransomware encryption event and less prepared for the data theft/leak extortion demands. We think it is imperative organizations plan for both situations in their resiliency efforts as we commonly see both leveraged against victims.”

Stolen data can be monetized in other ways that go beyond ransom payments.

(Added, 1:30 PM ET, October 30th, 2023.) James Dyer, Threat Intelligence Lead at Egress, commented on the implications of an attack whose outcome can be monetized in a variety of ways.

 “Attackers targeting large, global brands like Boeing, in this case through exploiting a zero-day vulnerability, are not only interested in money from ransoms but also the valuable data held in the compromised network.

“This incident is not only worrying because of its immediate threat but also in terms of the fallout. With Boeing, the attackers are using double extortion methods by threatening to expose or sell the data. Ultimately, the company and customers could now be at greater risk from increased phishing attacks using credentials compromised in the other initial attack – otherwise known as Business Email Compromise (BEC).

“For example, in a supply chain, a single compromised vendor can result in a high proportion of their customers also becoming compromised; the military clients in Boeing’s supply chain no doubt makes them an extremely enticing target. The attacker seizes this opportunity to leverage trusted relationships as an entry point and socially engineer their victims. The threat actor is likely to use highly pressurizing techniques on their victim such as insisting on urgency and confidentiality or leveraging the seniority of whom they are impersonating. Often ransomware attacks give 10 days for their victims to respond, but in this incident, only 6 days have been offered to increase the pressure. 

“When an attack is presented in the guise of a trusted colleague or business partner, it is suddenly much harder to differentiate between a genuine and a malicious email. Organizations are then exposed to account takeover, data exfiltration, and financial losses from fraudulent payments. 

“Employees must be aware of the risk and how to put an action plan in place to understand not only why an email has been flagged as dangerous but also identify compromise from a trusted source.”