LockBit Ransomware Operators Leak Gigabytes of Exfiltrated Boeing Data


November 13, 2023

World map

Boeing had announced in late October that it was investigating an attack by the LockBit ransomware gang that may have compromised "a tremendous amount" of sensitive data with the threat to expose it online if Boeing does not pay the ransom demand by Nov. 2.

LockBit operators appear to have published a large amount of exfiltrated Boeing data on October 27 and notified the company they have until November 2nd deadline to contact them and engage in negotiations.

Boeing had been listed then removed from the LockBit’s leaks site but appeared again on November 7 along with “around 4GB of sample data” with another threat to publish more “if we do not see a positive cooperation from Boeing.”

“On November 10, LockBit released on their site all the data they had from Boeing. Among the files are configuration backups for IT management software, and logs for monitoring and auditing tools,” Bleeping Computer reports.

“Backups from Citrix appliances are also listed, which sparked speculation about LockBit ransomware using the recently disclosed Citrix Bleed vulnerability (CVE-2023-4966), for which proof-of-concept exploit code was published on October 24.”

Takeaway: At some point, these ransomware attacks are going to cross the line from cybercriminal activity to a national security event, especially when we are talking about attacks on Defense Industrial Base targets.

We know Russia tacitly or directly supports and/or controls these ransomware operators to an extent, and these attacks are starting to look more and more like state-sponsored terrorism, and perhaps we should be addressing them as such.

Even if the ransomware attack itself is resolved, the fact remains that the attackers may have exposed incredibly valuable intelligence for foreign adversaries, and this can potentially mean that an entirely different set of rules kick into place.

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict and prosecute when possible. But when an attack drifts into the national security space, there are different rules of engagement, and they can include offensive actions deemed appropriate and proportional.

In the 2004 National Military Strategy, the Joint Chiefs of Staff designated cyberspace as a “domain of conflict alongside the air, land, sea, and space domains,” noting that the US Department of Defense will “maintain its ability to defend against and to engage enemy actors in this new domain.”

While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space here and there, overall law enforcement has had basically zero impact on disrupting ransomware operations.

That’s because the one thing the most notorious ransomware gangs have in common is their ties to Russia and the Putin regime. We know that groups like Lockbit are closely aligned if not directly controlled to a degree by the Russian government and its intelligence apparatus.

This overlap of cybercriminal activity with nation-state-supported operations conveniently allows for some plausible deniability for Russia, but the Russians need to be very cautious about how they conduct such attacks so they don't trigger an international incident that would elicit a direct response from the US or their allies.

Using ransomware gangs like LockBit as a proxy to conduct the attacks with the intent to maintain plausible deniability and thwart attribution is the strategy here, but it could backfire on them.  

Cyber operations have become such an important aspect of larger geopolitical issues, but attribution is in many cases extremely difficult, so the US and allied governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining attribution for the attacks.

Ultimately, it's the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely even influencing some of their targeting.

Until the US government and our allies directly sanctions the Putin regime for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon.  

And it's only a matter of time before we see another massively disruptive attack against a critical infrastructure or other target that threatens our national security, and then we could see the whole conversation around ransomware attacks and our collective response change significantly.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.