Fraud Management & Cybercrime , Ransomware

Boeing Reports 'Cyber Incident'; Ransomware Group Claims Hit

Aerospace Giant Says Elements of Parts and Distribution Business Are Affected
Boeing Reports 'Cyber Incident'; Ransomware Group Claims Hit
A Boeing manufacturing facility in El Segundo, California. (Image: Shutterstock)

Boeing has confirmed a "cyber incident" just days after a notorious ransomware group claimed to have breached systems at the world's largest aerospace company.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

"We are aware of a cyber incident impacting elements of our parts and distribution business. This issue does not affect flight safety," a Boeing spokesperson told Information Security Media Group.

"We are actively investigating the incident and coordinating with law enforcement and regulatory authorities," the spokesperson said. "We are notifying our customers and suppliers."

Boeing's confirmation of its probe follows the LockBit ransomware group on Saturday claiming to have stolen "a tremendous amount of sensitive data," via a post to its leak site published by malware research group vx-underground. The extortionists threatened to dump the stolen data by Thursday if the victim had not yet begun negotiations.

Based in Arlington, Virginia, Boeing boasts $75.8 billion in revenue for the 12 months ending in September and 150,000 employees globally. Whether or not any Boeing systems were forcibly encrypted by attackers remains unclear.

Ransomware groups regularly lie or stretch the truth in their quest for profits at any cost. Still, if LockBit's claims are true, that is concerning, given that Boeing is a major manufacturer of airplanes, helicopters, satellites, rockets, missiles and telecommunications equipment and is a key U.S. Department of Defense contractor.

Image: vx-underground

Double-Extortion Aficionados

LockBit is one of a number of ransomware groups that practice double extortion. This refers to their claiming to steal data as well as to crypto-lock systems, after which they demand separate ransom payments for a decryptor as well as a promise to delete stolen data. Many groups, including LockBit, run data leak blogs, where they attempt to name and shame victims into paying. Such victims typically only get listed after they ignore or reject a group's initial ransom demand.

As of Thursday, Boeing no longer appeared to be listed on LockBit's website. Why that might be so isn't clear.

LockBit is a ransomware-as-a-service operation, meaning business partners - affiliates, in cybercrime-speak - access LockBit's portal to download regularly updated versions of the group's crypto-locking malware. Every time the affiliate infects a victim who pays a ransom, LockBit gets a cut - which it tells prospective affiliates that it keeps - while the rest goes to the affiliate. Operators of the RaaS service typically also handle negotiations with victims and administer the data leak site, including posting data for nonpaying victims.

Malware research group vx-underground said that after LockBit listed Boeing on its data leak site Saturday, it was able to speak directly with members of the ransomware group's leadership team.

"LockBit stated their ransomware affiliate got access using a 0day exploit," vx-underground said in a post to X, formerly Twitter. "LockBit would not elaborate further on this exploit hence we cannot verify the legitimacy of these claims. It is also probably worth noting that most victims listed by Lockbit are given 10 days - or more - to begin negotiations. Lockbit gave Boeing less than 6 days."

As of Saturday, LockBit claimed to have not heard from Boeing. "They informed us that they have not yet spoke with a representative from Boeing and they will not disclose any information to us about Boeing - more specifically they would not give us insights into how long they had access to Boeing, how much data was exfiltrated, what kind of data was stolen, etc.," vx-underground said.

LockBit remains one of the most damaging ransomware groups in operation. In September, the group listed 72 nonpaying victims on its data leak site, which was more than any other group, reported cybersecurity firm Malwarebytes (see: Known Ransomware Attack Volume Breaks Monthly Record, Again).

While that count doesn't take into consideration any victims that might have already paid a ransom - some experts say about one-third of victims on average appear to pay - and with the caveat that not all ransomware groups run leak sites, it highlights just how many attacks trace to LockBit.

LockBit Wobbles

Fueling these attacks has been a rise in affiliates, which ransomware tracker Jon DiMaggio reported in August had doubled from 50 to 100 over the past year. Different affiliates have different skill sets, and it's very possible that one of them came to possess a zero-day vulnerability that they were able to use against a big target such as Boeing.

The LockBit group's continuing success has come at a price, highlighted by its inability to issue a major new version of its ransomware on schedule or to automatically dump data for many nonpaying victims, said DiMaggio, chief security strategist at Analyst1 and author of a report detailing LockBit's woes based on extensive interviews with the group's affiliates (see: Victim of Its Own Ransomware Success: LockBit Has Problems).

"Just like a legitimate company, if you grow too fast and too quick and you don't have the infrastructure to support it, you have problems," DiMaggio told ISMG.

Whether such problems might work in Boeing's favor remains unclear.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.