2022 began as 2021 had ended, that is, under the banner of hacker offensives.
The action at the beginning of January, the hacker attack on Thales Group, was similar in its dynamics to the many that studded last year, especially in our country, starting with the striking offensive against the Lazio Region. That is, ransomware was used, which, as Kaspersky reported last December, is an increasingly widespread criminal method.
This time, however, something more was done. The cybercriminals immediately set a precise date after which, if a ransom had not been paid, the stolen data would be published on the dark web. That deadline, Monday, January 17, has now passed. And in the early afternoon of January 17 came the announcement that the stolen data had been published.
What happened? Let’s try to chronologically recap the story of the hacker attack on Thales Group.
The hacker attack at Thales Group
The hacker attack against Thales Group was launched on the evening of Monday 3 January. And it was claimed by the LockBit 2.0 group.
The offensive reportedly compromised 1,320 files, which were exfiltrated and therefore ended up in the possession of the hackers.
The double extortion technique
How did the hackers act against Thales Group?
With what is called the double extortion technique, which is typical of targeted attacks organized by groups of expert cybercriminals, who demand money not only in exchange for not destroying the stolen files, but also for not publishing them.
In this case, the LockBit 2.0 group set the countdown to expire on Monday, January 17: two weeks, after which the exfiltrated files would be posted on the dark web.
The technique is precisely that of using ransomware, that is, malicious software (malware) which, when introduced into a system, blocks its operation by encrypting its data. Whoever planted the software can then demand a ransom to return control of the system to its rightful owners.
Thales immediately stated that it was aware of having suffered a hacker attack. The company hired a team of cybersecurity experts to investigate what happened and ensure data security.
Who is Thales Group
Thales Group is a French electronics company and a world leader, specializing in aerospace, defense, security and land transport.
Thales Group is a strategic company, and not only for France. The company, for example, has been operating in our country since 1988. In Italy it has 7 active factories and 2,800 employees.
Since 2007, Thales Alenia Space has been 67% held by the Thales group and, for the remaining 33%, by the Italian group Leonardo.
Thales Alenia Space recently received a commission to build two new satellites, Intelsat 41 and Intelsat 44, worth between 200 and 300 million euros.
Who is the LockBit 2.0 group
The LockBit 2.0 cybercriminal group hails from Eastern Europe. It began to make itself known in February 2020, and gained notoriety in those circles after unveiling a ransomware that got its name from the group.
LockBit 2.0 is responsible for several hacker attacks in the summer of 2021, such as those – in our country – against Erg and Engineering.
The group, made up of around 25-30 IT experts, has so far carried out over 2,200 successful criminal acts.
The declaration of January 17
So let’s go back to where we started, that is, to the (for now) final act of the hacker attack against Thales Group.
In the early afternoon of Monday 17 January, at the expiry of the ultimatum, the LockBit 2.0 group declared that it had published the 1,320 files stolen from the French company on the dark web. These reportedly contain data from various space projects.
Thales has not made any statements to the Italian press, except to specify that Thales Alenia Space is not involved in the events, and therefore has not suffered any damage.
The expert’s opinion
The engineer Emanuele De Lucia, interviewed by his colleagues from Repubblica, said: “From preliminary analyses it seems that the data released by the LockBit group refer to projects on GitHub. Among these there is at least one project related to a platform used for the management of space operations, developed and implemented to represent the information obtained from orbital propagation transmitted by satellites in space. The repositories (i.e. the data archives, Ed.) seem to belong to completed projects that are already fully in operation. The projects appear to clearly exhibit intellectual property regarding the stack of technologies used for the application and management of satellite communications”.