Exposure of Classified Documents from the Missile Manufacturer Associated with NATO, MBDA

The Andrastea threat actor group announced a data breach of MBDA, a European missile manufacturer with ties to NATO. Military sketches, documents underlying NATO’s requirements, and SOPs were exposed.
Updated on April 19, 2023
Published on October 30, 2022
Category: Adversary Intelligence
Industry: Defense / Government
Motivation: Unpatched Reported Vulnerability
Region: Italy
Source*: F6

Executive Summary

Threat

  • Andrastea threat actor group announced a data breach from MBDA, a European missile manufacturer having ties to NATO.
  • Military sketches, documents underlying NATO’s requirements, and SOPs were exposed.

Impact

  • Exploitation of critical vulnerabilities to gain initial access.
  • Leaked documents provide an overview of the working of intelligence groups and national defense systems, which can be misused for various nefarious activities.

Mitigation

  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a new threat actor group dubbed “Andrastea”, which announced an enormous breach of MBDA, a European multinational developer and manufacturer of missiles with ties to NATO (North Atlantic Treaty Organization).
  • According to the group, it reported a vulnerability to MBDA and received no response; that lapse in communication prompted it to post samples of the breached documents on multiple cybercrime forums, namely Breached and Exploit, to announce the cyberattack.
  • Since MBDA’s website does not mention a Vulnerability Disclosure Program (VDP), it is assumed that the self-described Andrastea security researchers attempted to report the issue ethically, via email.
Figure: The group’s post on a cybercrime forum
  • The following sensitive information was exposed:
    • Confidential PII of MBDA’s employees
    • Military sketches
    • Documents underlying NATO’s requirements
    • SOPs describing NATO’s Intelligence functions
    • Employees who took part in the closed Military projects of MBDA (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT, etc.)
    • Documentation of activities tying MBDA to what the post calls the “Ministry of Defense of the European Union” (the EU has no such ministry; the label is the actor’s), including:
      • Drawings and presentations
      • Video and 3D photo materials
      • Design documentation of the air defense, missile systems of coastal protection
      • Contract agreements and correspondence with the other players in the defense industry such as Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics, etc.
  • According to the post, critical vulnerabilities were exploited to gain access to MBDA’s network.

Information from the Samples

  • CloudSEK’s Researchers were able to obtain the password-protected ZIP file, hosted on MEGA, containing the samples for the data breach.
  • The password to unlock the file was mentioned in the post shared by the actor.
  • The ZIP file contained two folders named “NATO_Diefsa” and “MBDA”, as described below.
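Before anyone opens an archive supplied by a low-reputation actor, it should be inventoried without extraction: a “sample pack” is a natural vehicle for path-traversal entries, executables named like documents, and zip bombs. The Python below is an added example of that triage step; it is not CloudSEK’s tooling and does not reflect the real archive’s contents. It builds a constructed ZIP in memory whose folder names mirror the two described in this post, adds three invented hostile members, and lists, flags and hashes every member without writing anything to disk. The real archive’s password would be passed as `password=`; the standard library only handles ZipCrypto, so an AES-encrypted ZIP needs a third-party reader.

```python
"""Static inventory of an untrusted leak-sample archive (added example).

Nothing is extracted to disk: members are listed, flagged and hashed in
memory, so a booby-trapped archive cannot drop files or overwrite paths.
"""
import hashlib
import io
import posixpath
import zipfile

# Extensions a document leak should never contain; any hit is flagged.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1",
                   ".bat", ".cmd", ".lnk", ".hta", ".msi"}
MAX_RATIO = 100               # uncompressed/compressed above this: zip-bomb indicator
MAX_HASHED_BYTES = 50 << 20   # never inflate more than 50 MiB of one member into memory


def is_unsafe_path(name):
    """True for absolute paths, drive letters, or names that escape the root."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def triage_archive(zip_bytes, password=None):
    """Return one dict per member: name, size, ratio, flags and SHA-256.

    password: bytes for a ZipCrypto archive; AES-encrypted members are
    reported as unreadable rather than hashed.
    """
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if password is not None:
            zf.setpassword(password)
        for info in zf.infolist():
            flags = []
            if is_unsafe_path(info.filename):
                flags.append("path-traversal")
            if posixpath.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                flags.append("executable")
            ratio = (info.file_size / info.compress_size) if info.compress_size else 0.0
            if ratio > MAX_RATIO:
                flags.append("suspicious-ratio")
            if (info.flag_bits & 0x1) and password is None:   # bit 0 = encrypted member
                flags.append("encrypted-no-password")
            # Hash only members that are safe to inflate fully in memory.
            digest = None
            if (not info.is_dir() and "suspicious-ratio" not in flags
                    and "encrypted-no-password" not in flags
                    and info.file_size <= MAX_HASHED_BYTES):
                digest = hashlib.sha256(zf.read(info)).hexdigest()
            report.append({"name": info.filename, "size": info.file_size,
                           "ratio": round(ratio, 1), "flags": flags, "sha256": digest})
    return report


def flagged_names(report):
    """Sorted names of members that tripped at least one check."""
    return sorted(r["name"] for r in report if r["flags"])


def build_constructed_sample():
    """Constructed stand-in for the actor's archive; every byte here is invented.

    Mirrors the two folder names described in the post and adds three hostile
    members: a path-traversal entry, an executable disguised as a document,
    and a highly compressible member that trips the ratio check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NATO_Diefsa/SOP_sample.doc", b"\xd0\xcf\x11\xe0" + b"placeholder " * 40)
        zf.writestr("MBDA/cabling_diagram.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("MBDA/README.docx.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("../../etc/cron.d/backdoor", b"* * * * * root true\n")
        zf.writestr("MBDA/archive.bin", b"\x00" * 2_000_000)
    return buf.getvalue()


if __name__ == "__main__":
    for row in triage_archive(build_constructed_sample()):
        print(f"{row['name']:<28} {row['size']:>9} ratio={row['ratio']:>7} "
              f"flags={row['flags']} sha256={row['sha256']}")
```

The traversal entry is hashed anyway because reading it into memory is harmless; what must never happen is `extractall()` on an archive that has not passed this inventory. Hashes taken here are what gets shared with peers or matched against the actor’s later posts.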

NATO_Diefsa

  • It contained multiple SOPs (Standard Operating Procedures) underlying the requirements for NATO’s Counter Intelligence to avert threats related to Terrorism, Espionage, Sabotage, and Subversion (TESS).
  • The documents obtained dated back to 2016 and were saved in the Microsoft Word 97 (.doc) format.
  • The SOPs identify NATO collection and planning functions and responsibilities, as well as procedures used in support of NATO operations and exercises.
  • The SOPs also include all activities of the Intelligence Requirement Management and Collection Management (IRM & CM) process that results in the effective and efficient execution of the intelligence cycle.

MBDA

  • It contained internal engineering sketches:
    • Detailed cabling diagrams for missile systems.
    • Electrical schematic diagrams.
  • These drawings appear to document the electrical design of MBDA systems rather than any of the NATO material.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since: July 2022
Reputation: Low (multiple complaints and concerns on the forum)
Current status: Active
History: Not known; this is the group’s first recorded activity
Points of contact: XMPP, ProtonMail
Rating: F6 (F: source reliability cannot be judged; 6: truth of the information cannot be judged)

Impact & Mitigation

Impact

  • Critical vulnerabilities can be exploited to gain initial access to the company’s infrastructure.
  • Leaked documents provide an overview of the working of such intelligence groups and national defense systems, which can be misused for various nefarious activities.
  • Leaked internal documentation can equip malicious actors with the details needed for follow-on intrusions: ransomware deployment, data exfiltration, and persistence.
  • Sensitive documents can be breached and made public, leading to reputational damage.

Mitigation

  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate account takeovers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
  • No security measure should be overlooked when protecting a network that hosts or transmits sensitive documents or intelligence secrets.
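“Monitor for anomalies in user accounts” only becomes a control once the anomalies are defined and checked against telemetry. The Python below is an added example, not CloudSEK’s tooling and not derived from this incident, of two checks that catch a successful account takeover rather than a mere attempt: a burst of failures followed by a success for the same account, and a first successful login from a country never seen for that account. The log format, user names, TEST-NET addresses and country codes are all constructed for the example; `LINE_RE` is the one thing to adapt to a real source.

```python
"""Account-anomaly detection over authentication logs (added example).

Two checks a SOC would run on login telemetry: a burst of failures followed
by a success (credential stuffing or brute force that worked), and a first
successful login from a country never seen for that account.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for this example; adapt LINE_RE to the real source.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) result=(?P<result>OK|FAIL)$"
)
FAIL_THRESHOLD = 5                   # failures inside FAIL_WINDOW that make a success suspicious
FAIL_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_account_anomalies(lines, baseline_geo=None):
    """Scan time-ordered log lines and return a list of alert dicts.

    baseline_geo maps user -> countries already known for that account.
    An account with no baseline learns it from its first success, so an
    attacker who logs in first would not trip the geo check; seed the
    baseline from history rather than relying on that.
    """
    known_geo = {u: set(g) for u, g in (baseline_geo or {}).items()}
    failures = defaultdict(deque)    # user -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        recent = failures[user]
        while recent and ts - recent[0] > FAIL_WINDOW:   # drop failures outside the window
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ts)
            continue
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"ts": ts, "user": user, "type": "brute-force-success",
                           "detail": f"{len(recent)} failures within {FAIL_WINDOW} "
                                     f"before success from {ev['src']}"})
            recent.clear()
        seen = known_geo.setdefault(user, set())
        if seen and ev["geo"] not in seen:
            alerts.append({"ts": ts, "user": user, "type": "new-geo",
                           "detail": f"first successful login from {ev['geo']}, "
                                     f"baseline {sorted(seen)}"})
        seen.add(ev["geo"])
    return alerts


# Constructed sample log: invented users, TEST-NET addresses, arbitrary geos.
# j.dupont's five failures are more than 10 minutes before the success and
# must not alert; m.rossi's five failures are seconds before it and must.
SAMPLE_LOG = """\
2022-10-28T08:40:00Z user=j.dupont src=198.51.100.4 geo=FR result=FAIL
2022-10-28T08:40:12Z user=j.dupont src=198.51.100.4 geo=FR result=FAIL
2022-10-28T08:40:25Z user=j.dupont src=198.51.100.4 geo=FR result=FAIL
2022-10-28T08:40:40Z user=j.dupont src=198.51.100.4 geo=FR result=FAIL
2022-10-28T08:40:58Z user=j.dupont src=198.51.100.4 geo=FR result=FAIL
2022-10-28T09:00:01Z user=m.rossi src=203.0.113.7 geo=IT result=OK
2022-10-28T09:05:10Z user=j.dupont src=198.51.100.4 geo=FR result=OK
2022-10-28T21:10:02Z user=m.rossi src=192.0.2.55 geo=BR result=FAIL
2022-10-28T21:10:09Z user=m.rossi src=192.0.2.55 geo=BR result=FAIL
2022-10-28T21:10:15Z user=m.rossi src=192.0.2.55 geo=BR result=FAIL
2022-10-28T21:10:22Z user=m.rossi src=192.0.2.55 geo=BR result=FAIL
2022-10-28T21:10:30Z user=m.rossi src=192.0.2.55 geo=BR result=FAIL
2022-10-28T21:10:41Z user=m.rossi src=192.0.2.55 geo=BR result=OK
"""

if __name__ == "__main__":
    for a in detect_account_anomalies(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["user"], a["type"], a["detail"])
```

Running it on the constructed log yields two alerts, both for m.rossi: the brute-force-success from 192.0.2.55 and the new-geo login from BR against an IT baseline. The window and threshold are deliberately conservative; tune them per identity provider, and feed the geo baseline from historical successes rather than letting it self-learn in production.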

Appendix

Figure: Military projects of MBDA
Figure: Samples from the “NATO_Diefsa” folder showing the Counter Intelligence document
Figure: Samples from the “NATO_Diefsa” folder showing the document outlining the reporting and intelligence cycle followed internally by NATO/KFOR
Figure: Samples from the “MBDA” folder showing cabling diagrams for missile systems
Figure: Internal memo
Figure: Threat actor group’s post on the Exploit forum
