| Category | Industry | Motivation | Region | Source* |
|---|---|---|---|---|
| Adversary Intelligence | Defense / Government | Unpatched Reported Vulnerability | Italy | F6 |
- CloudSEK’s contextual AI digital risk platform XVigil discovered a new threat actor group, dubbed “Andrastea”, which claimed a large data breach at MBDA, a European multinational developer and manufacturer of missiles with ties to NATO (North Atlantic Treaty Organization).
- According to the group, MBDA did not respond to a vulnerability report it had submitted. This lack of communication prompted the group to announce the attack by posting samples of the breached documents on multiple cybercrime forums, namely Breached and Exploit.
- Since MBDA does not mention a Vulnerability Disclosure Program (VDP) on its website, it is assumed that the Andrastea members attempted to report the issue responsibly via email.
- The following sensitive information was exposed:
  - Confidential PII of MBDA’s employees
  - Military sketches
  - Documents underlying NATO’s requirements
  - SOPs describing NATO’s Intelligence functions
  - Employees who took part in closed military projects of MBDA (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT, etc.)
  - Documentation of activities tying MBDA to the Ministry of Defense of the European Union, including:
    - Drawings and presentations
    - Video and 3D photo materials
    - Design documentation of air defense and coastal-protection missile systems
    - Contract agreements and correspondence with other players in the defense industry, such as Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics, etc.
- The actor claims to have gained access to MBDA’s network by exploiting critical vulnerabilities; the specific vulnerabilities were not disclosed in the posts.
- CloudSEK’s researchers were able to obtain the password-protected ZIP file, hosted on MEGA, containing the samples from the data breach.
- The password needed to open the archive was included in the actor’s forum post.
- The ZIP file contained two folders, named “NATO_Diefsa” and “MBDA”, whose contents are described below.
- The “NATO_Diefsa” folder contained multiple SOPs (Standard Operating Procedures) setting out the requirements for NATO Counter-Intelligence to avert threats related to Terrorism, Espionage, Sabotage, and Subversion (TESS).
  - The documents obtained date back to 2016 and are in Microsoft Word 97 format.
  - The SOPs identify NATO collection and planning functions, responsibilities, and procedures used in support of NATO operations and exercises.
  - The SOPs also cover all activities of the Intelligence Requirement Management and Collection Management (IRM & CM) process that result in the effective and efficient execution of the intelligence cycle.
- The “MBDA” folder contained internal sketches, namely:
  - Detailed cabling diagrams for missile systems.
  - Electrical schematic diagrams.
  - These plans are deduced to relate to MBDA’s internal electrical infrastructure.
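When a leak sample like this is pulled from a file host, the first task is to inventory it without opening any document in a viewer: list the folder structure, fingerprint each file by its magic bytes (a Word 97 file is an OLE2 compound document, which is what the SOPs above were), hash every member for later correlation, and refuse any entry whose path would escape the triage directory. The script below is an added example, not CloudSEK’s tooling; it builds a small constructed archive in memory with the two folder names from the post and placeholder contents, so it runs offline. The constructed archive is unencrypted; for a real ZipCrypto-protected archive pass the forum-supplied password as `pwd=`.

```python
import hashlib
import io
import posixpath
import zipfile
from typing import Optional

# OLE2 compound document header: Word 97-2003, Excel 97-2003, legacy PowerPoint.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Lookup of leading bytes -> label. Constructed for this example; only the
# formats plausible in a document leak are listed.
MAGIC = {
    OLE2_MAGIC: "ole2 (Word 97-2003 / legacy Office)",
    b"PK\x03\x04": "zip container (OOXML, ODF or nested archive)",
    b"%PDF": "pdf",
}


def classify(head: bytes) -> str:
    """Return a type label from the first bytes of a file, 'unknown' if no magic matches."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"


def safe_member(name: str) -> bool:
    """Reject absolute paths and '..' traversal (zip-slip) before touching the entry."""
    if name.startswith("/") or name.startswith("\\"):
        return False
    norm = posixpath.normpath(name)
    return not (norm == ".." or norm.startswith("../"))


def triage_archive(data: bytes, pwd: Optional[bytes] = None) -> list:
    """Inventory every file in a ZIP: top-level folder, size, SHA-256 and magic-byte type.

    Nothing is written to disk. pwd= is the ZipCrypto password, if any; AES-encrypted
    archives (7-Zip/WinZip style) are not supported by the stdlib and raise NotImplementedError.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            entry = {
                "name": name,
                "top_folder": name.split("/", 1)[0] if "/" in name else "",
                "size": info.file_size,
            }
            if not safe_member(name):
                entry.update(status="rejected: unsafe path", sha256=None, kind=None)
                results.append(entry)
                continue
            with zf.open(info, pwd=pwd) as fh:
                content = fh.read()
            entry.update(
                status="ok",
                sha256=hashlib.sha256(content).hexdigest(),
                kind=classify(content[:8]),
            )
            results.append(entry)
    return results


def summarize_by_folder(results: list) -> dict:
    """Count accepted files per top-level folder, e.g. {'NATO_Diefsa': 1, 'MBDA': 2}."""
    counts = {}
    for r in results:
        if r["status"] == "ok":
            counts[r["top_folder"]] = counts.get(r["top_folder"], 0) + 1
    return counts


def build_sample_archive() -> bytes:
    """Constructed stand-in for the leaked ZIP: same folder names, placeholder bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake Word 97 file: OLE2 header followed by padding (not a real document).
        zf.writestr("NATO_Diefsa/sop_irm_cm.doc", OLE2_MAGIC + b"\x00" * 504)
        zf.writestr("MBDA/cabling_diagram.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("MBDA/notes.txt", b"constructed placeholder text")
        # Hostile entry: a real archive could carry this to write outside the triage dir.
        zf.writestr("../escape.txt", b"zip-slip test entry")
    return buf.getvalue()


if __name__ == "__main__":
    inventory = triage_archive(build_sample_archive())
    for row in inventory:
        print(row)
    print(summarize_by_folder(inventory))
```

The script never extracts to disk, so a malicious member name cannot plant files on the analyst’s machine, and the hashes it records can be searched against other dumps to check whether the sample is recycled from an earlier leak rather than a fresh intrusion.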
| Threat Actor Profiling | |
|---|---|
| Active since | July 2022 |
| Reputation | Low (multiple complaints and concerns raised on the forum) |
| History | Not known; this is the group’s first recorded activity |
| Points of Contact | XMPP, ProtonMail |
| Rating | F6 (source grading: F = reliability cannot be judged; 6 = truth of the information cannot be judged) |