Thales Cyber Attack by LockBit : French electronics and defense giant Thales has revealed details of the cyber attack it suffered in October and November 2022. The crisis began on October 31, 2022, but Thales said that the start of the incident was a few weeks earlier. According to the company, the crisis was rooted in the theft of three user accounts in mid-August 2022. Login credentials of three user accounts for a portal used to communicate with a partner were stolen.

Thales Cyber Attack by LockBit

Thales is not certain how these three accounts were compromised, but it is leaning towards two possibilities: either access was obtained through reuse of a password used on a hacked third-party site, or a terminal with browser access was hacked to access password syncing. A few weeks later, access to these three accounts was sold on the dark web. Two of the three accounts belonged to insiders and access to these two compromised internal accounts was immediately blocked. But the purchase of the third user account, which belonged to its industrial partner, went unnoticed by Thales.

The hackers then spent five days exploring the portal and data they had access to, before downloading around 9 GB of data from a European hosting server, which was the volume of data accessible to Thales’ partner. The LockBit hacking group claimed responsibility for the attack on its website the day before a public holiday. Thales ruled out the possibility of intrusion into its information systems and the deployment of ransomware, in favor of the hypothesis of data theft. The stolen files, approximately 400 unique files, were mostly from the compromised portal. However, a small portion of the archive, less than 1 GB, was from another theft and was more than two years old.

Thales suspects that the stolen data came from an internal or external operator of the company at the beginning of the Covid-19 pandemic. According to Stéphane Lenco, Thales’ director of information systems security, this could correspond to data taken in an emergency by an employee who had to leave their office hastily. The stolen data is considered to be of little sensitivity, internally classified as level two data, which corresponds to non-public data, but shared with partners.

One point remains unclear for the company: what was the precise motive of the LockBit hackers? The hackers did not directly demand a ransom from the French company, and the usual links to buy extra time to avoid disclosure of stolen data were not present. Thales thinks that LockBit may have wanted to generate free publicity with this attack. Another hypothesis formulated is that this was an operation ultimately aimed at manipulating the company’s stock price, or was it a targeted attack on a European defense company, a sector under pressure since the beginning of the Russian military invasion in Ukraine? Whatever the motive of the hackers, Thales hopes that this transparency exercise will help restore its reputation. The company has presented an informative post-mortem to the press, which highlights the limitations of its surveillance, but also the speed of its response to the attack.