Exposure of Classified Documents from MBDA, the Missile Manufacturer Associated with NATO

Summary

The Andrastea threat actor group announced a data breach of MBDA, a European missile manufacturer with ties to NATO. Military sketches, documents underlying NATO's requirements, and SOPs were exposed.

Category: Adversary Intelligence
Industry: Defense / Government
Motivation: Unpatched Reported Vulnerability
Region: Italy
Source rating*: F6 (see Threat Actor Rating below)

Executive Summary

Threat
  • The Andrastea threat actor group announced a data breach of MBDA, a European missile manufacturer with ties to NATO.
  • Military sketches, documents underlying NATO's requirements, and SOPs were exposed.
  • Exploitation of critical vulnerabilities to gain initial access.
Impact
  • Leaked documents provide an overview of the working of intelligence groups and national defense systems, which can be misused for various nefarious activities.
Mitigation
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Analysis and Attribution

Information from the Post

  • CloudSEK's contextual AI digital risk platform XVigil discovered a new threat actor group dubbed "Andrastea", which announced a large breach of MBDA, a European multinational developer and manufacturer of missiles with ties to NATO (North Atlantic Treaty Organization).
  • According to the group, a lapse in communication from the organization following a reported vulnerability disclosure prompted it to post samples of the breached documents on multiple cybercrime forums, namely Breached and Exploit, to announce the cyberattack.
  • Since MBDA's website lists no Vulnerability Disclosure Program (VDP), it is assumed that the Andrastea "security researchers" attempted to report the issue ethically, via email.
The group’s post on a cybercrime forum
 
  • The following sensitive information was exposed:
    • Confidential PII of MBDA’s employees
    • Military sketches
    • Documents underlying NATO’s requirements
    • SOPs describing NATO’s Intelligence functions
    • Employees who took part in the closed Military projects of MBDA (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT, etc.)
    • Documentation of activities tying MBDA to the Ministry of Defense of the European Union, including:
      • Drawings and presentations
      • Video and 3D photo materials
      • Design documentation of the air defense, missile systems of coastal protection
      • Contract agreements and correspondence with the other players in the defense industry such as Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics, etc.
  • According to the actor, access to MBDA's network was gained through the exploitation of critical vulnerabilities; the specific vulnerabilities were not named in the post.

Information from the Samples

  • CloudSEK’s Researchers were able to obtain the password-protected ZIP file, hosted on MEGA, containing the samples for the data breach.
  • The password to unlock the file was mentioned in the post shared by the actor.
  • The ZIP file contained two folders named “NATO_Diefsa” and “MBDA”, as described below.

NATO_Diefsa

  • It contained multiple SOPs (Standard Operating Procedures) underlying the requirements for NATO's Counter Intelligence to avert threats related to Terrorism, Espionage, Sabotage, and Subversion (TESS).
  • The documents obtained date back to 2016 and were saved in the Microsoft Word 97 file format.
  • The SOPs identify NATO collection and plan functions, responsibilities, as well as procedures used in support of NATO operations and exercises.
  • The SOPs also include all activities of the Intelligence Requirement Management and Collection Management (IRM & CM) process that results in the effective and efficient execution of the intelligence cycle.

MBDA

  • It contained internal sketches, specifically:
    • Detailed cabling diagrams for missile systems.
    • Electrical schematic diagrams.
  • These plans appear to relate to MBDA's internal electrical designs.
 

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: July 2022
Reputation: Low (multiple complaints and concerns on the forum)
Current status: Active
History: Not known; this is the group's first recorded activity
Points of contact: XMPP, ProtonMail
Rating: F6 (Admiralty grading: F, source reliability cannot be judged; 6, credibility of the information cannot be judged)

Impact & Mitigation

Impact
  • Critical vulnerabilities can be exploited to gain initial access to the company's infrastructure.
  • Leaked documents provide an overview of the working of such intelligence groups and national defense systems, which can be misused for various nefarious activities.
  • They would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
  • Sensitive documents can be breached and made public, leading to reputational damage.
Mitigation
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
  • No security measure should be overlooked when protecting a network that hosts or transmits sensitive documents and/or intelligence secrets.
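The mitigation list above recommends monitoring user accounts for anomalies that could indicate account takeover. The following is an added example, not part of the CloudSEK report and not MBDA's tooling, of what such monitoring can look like in practice: a minimal detector run over constructed authentication events that flags (1) a successful login from a country the account has never used and (2) a burst of failed logins followed by a success from the same source. The log format, IP addresses, user names and threshold values are all assumptions chosen for illustration.

```python
"""Added example (not from the CloudSEK report): a minimal account-anomaly
detector run over constructed authentication events.

Two patterns are flagged:
  1. new_country        - a successful login from a source country this
                          account has never logged in from before
  2. fail_then_success  - FAIL_THRESHOLD or more failures from one source,
                          then a success from that source within FAIL_WINDOW
The log format and every event below are constructed for illustration."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, user, result, source IP, country.
SAMPLE_EVENTS = [
    "2022-07-25T08:01:10Z alice OK 10.20.0.15 IT",
    "2022-07-25T08:05:42Z bob OK 10.20.0.22 IT",
    "2022-07-25T08:06:01Z alice OK 10.20.0.15 IT",
    "2022-07-25T22:40:03Z alice FAIL 203.0.113.7 RU",
    "2022-07-25T22:40:09Z alice FAIL 203.0.113.7 RU",
    "2022-07-25T22:40:15Z alice FAIL 203.0.113.7 RU",
    "2022-07-25T22:40:21Z alice FAIL 203.0.113.7 RU",
    "2022-07-25T22:40:27Z alice FAIL 203.0.113.7 RU",
    "2022-07-25T22:40:33Z alice OK 203.0.113.7 RU",
    "2022-07-26T09:12:00Z bob OK 198.51.100.4 FR",
]

FAIL_THRESHOLD = 5                 # assumed: failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # assumed: how far back failures still count


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, result, ip, country = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "result": result,
        "ip": ip,
        "country": country,
    }


def detect_anomalies(lines, fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return a list of (user, rule, detail) findings.

    Events must be in chronological order, as they would be when tailed
    from an authentication log."""
    seen_countries = defaultdict(set)   # user -> countries with a prior OK
    recent_fails = defaultdict(deque)   # (user, ip) -> timestamps of FAILs
    findings = []

    for ev in map(parse_event, lines):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
            continue

        # Rule 1: success from a country never used by this account before.
        # The account's first-ever login only establishes the baseline.
        known = seen_countries[ev["user"]]
        if known and ev["country"] not in known:
            findings.append((ev["user"], "new_country",
                             f"login from {ev['country']} via {ev['ip']}"))
        known.add(ev["country"])

        # Rule 2: success preceded by a burst of failures from the same source.
        fails = recent_fails[key]
        while fails and ev["ts"] - fails[0] > fail_window:
            fails.popleft()             # drop failures outside the window
        if len(fails) >= fail_threshold:
            findings.append((ev["user"], "fail_then_success",
                             f"{len(fails)} failures then success from {ev['ip']}"))
        fails.clear()                   # a success resets the failure run

    return findings


if __name__ == "__main__":
    for user, rule, detail in detect_anomalies(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```

Run against the constructed events, the detector reports alice's login from RU both as a new country and as a success following five failures, and bob's login from FR as a new country. Two caveats matter for real deployments: the first login seen for an account establishes its baseline, so an attacker whose login is the first event observed is not caught by rule 1, and the thresholds here are illustrative and should be tuned to the organization's own failure rates.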

Appendix

Military projects of MBDA
 
Samples from “NATO_Diefsa” folder showing the Counter Intelligence Document
 
Samples from “NATO_Diefsa” folder showing the document outlining the reporting and intelligence cycle followed internally by NATO/KFOR
 
Samples from “MBDA” folder showing cabling diagrams for missile systems
Internal Memo
 
Threat actor group’s post on the Exploit forum
   
