Airplane maker Bombardier data posted on ransomware leak site following FTA hack
Canadian airplane manufacturer Bombardier has disclosed today a security breach after some of its data was published on a dark web portal operated by the Clop ransomware gang.
“An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network,” the company said in a press release today.
While the company did not specifically name the appliance, it is most likely referring to Accellion FTA, a web server that companies use to host and share with customers and employees large files that can’t be sent via email.
In December 2020, a hacking group discovered a zero-day in the FTA software and began attacking companies worldwide. Attackers took over systems, installed a web shell, and then stole sensitive data.
In a press release yesterday, Accellion said that 300 of its customers were running FTA servers, 100 got attacked, and that data was stolen from around 25.
The attackers then attempted to extort the hacked companies, asking for ransom payments, or they’d make the stolen data public, according to security firm FireEye.
Starting earlier this month, data from some old FTA customers began appearing on a “leak site” hosted on the dark web, where the Clop ransomware gang would usually shame the companies who refused to pay its decryption fees.
Today, Bombardier’s name was added to the list, which prompted the airplane maker to go public with its security breach.
Data shared on the site included design documents for various Bombardier airplanes and plane parts. No personal data was shared, but the airplane maker is most likely livid that some of its private intellectual property is now being offered as a free download on the dark web.
FireEye said in a report today that the FTA hacking campaign and the subsequent extortion efforts are carried out by a major cybercrime group which the company is tracking as FIN11, a group that has had its fingers in various forms of cybercrime operations for the past several years.