| Field | Value |
|---|---|
| Category | Adversary Intelligence |
| Industry | Defense / Government |
| Motivation | Unpatched Reported Vulnerability |
| Region | Italy |
| Source* | F6 |
Executive Summary

Threat
- The Andrastea threat actor group announced a data breach at MBDA, a European missile manufacturer with ties to NATO.
- Military sketches, documents underlying NATO's requirements, and SOPs were exposed.

Impact
- Exploitation of critical vulnerabilities to gain initial access.
- The leaked documents provide an overview of the workings of intelligence groups and national defense systems, which can be misused for various nefarious activities.

Mitigation
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
Analysis and Attribution
Information from the Post
- CloudSEK's contextual AI digital risk platform XVigil discovered a new threat actor group dubbed "Andrastea", which announced a large-scale breach of MBDA, a European multinational developer and manufacturer of missiles with ties to NATO (North Atlantic Treaty Organization).
- A lack of response from the organization to the group's vulnerability disclosure prompted the group to post samples of the breached documents on multiple cybercrime forums, namely Breached and Exploit, to announce the cyberattack.
- Since MBDA's website did not mention a Vulnerability Disclosure Program (VDP), it is assumed that the Andrastea researchers attempted to report the issue ethically, via email.
[Figure: The group's post on a cybercrime forum]
- The following sensitive information was exposed:
  - Confidential PII of MBDA's employees
  - Military sketches
  - Documents underlying NATO's requirements
  - SOPs describing NATO's intelligence functions
  - Employees who took part in MBDA's closed military projects (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT, etc.)
  - Documentation of activities tying MBDA to the Ministry of Defense of the European Union, including:
    - Drawings and presentations
    - Video and 3D photo materials
    - Design documentation for air defense and coastal-protection missile systems
    - Contract agreements and correspondence with other players in the defense industry, such as Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics, etc.
- Access to MBDA's network was compromised, leading to the exploitation of critical vulnerabilities.
Information from the Samples
- CloudSEK's researchers were able to obtain the password-protected ZIP file, hosted on MEGA, containing the samples from the data breach.
- The password to unlock the file was given in the post shared by the actor.
- The ZIP file contained two folders, named "NATO_Diefsa" and "MBDA", described below.
NATO_Diefsa
- The folder contained multiple SOPs (Standard Operating Procedures) underlying the requirements for NATO's Counter Intelligence to avert threats related to Terrorism, Espionage, Sabotage, and Subversion (TESS).
- The documents obtained dated back to 2016 and were drafted as Microsoft Word 97 files.
- The SOPs identify NATO collection and planning functions and responsibilities, as well as the procedures used in support of NATO operations and exercises.
- The SOPs also cover all activities of the Intelligence Requirement Management and Collection Management (IRM & CM) process that result in the effective and efficient execution of the intelligence cycle.
MBDA
- The folder contained internal sketches of the following:
  - Detailed cabling diagrams for missile systems.
  - Electrical schematic diagrams.
- It is deduced that these plans relate to MBDA's internal electrical structure.
Threat Actor Activity and Rating
| Threat Actor Profiling | |
|---|---|
| Active since | July 2022 |
| Reputation | Low (multiple complaints and concerns on the forum) |
| Current Status | Active |
| History | Not known; this is the group's first recorded activity |
| Points of Contact | XMPP, ProtonMail |
| Rating | F6 (F: Reliability Unknown; 6: Difficult to Say) |
Impact & Mitigation

Impact
- Critical vulnerabilities can be exploited to gain initial access to the company's infrastructure.
- The leaked documents provide an overview of the workings of such intelligence groups and national defense systems, which can be misused for various nefarious activities.
- They would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
- Sensitive documents can be breached and made public, leading to reputational damage.

Mitigation
- Patch vulnerable and exploitable endpoints.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
- No security measure should be overlooked when protecting a network that hosts or transmits sensitive documents and/or intelligence secrets.
Appendix
[Figure: Military projects of MBDA]
[Figure: Samples from the "NATO_Diefsa" folder showing the Counter Intelligence document]
[Figure: Samples from the "NATO_Diefsa" folder showing the document outlining the reporting and intelligence cycle followed internally by NATO/KFOR]
[Figure: Samples from the "MBDA" folder showing cabling diagrams for missile systems]
[Figure: Internal memo]
[Figure: Threat actor group's post on the Exploit forum]