Bolloré subsidiary attack exposes Thales, Alibaba data

Attackers have posted supposedly confidential data on several customers of Automatic Systems, a secure entrance control manufacturer. Those affected include NATO, Alibaba, Thales, and others.

The Russia-linked ALPHV/BlackCat ransomware gang has claimed the attack on Automatic Systems, a subsidiary of French conglomerate Bolloré. The gang’s post on its dark web leak site includes over a hundred samples of stolen data, ranging from non-disclosure agreements (NDAs) to copies of passports.

Automatic Systems acknowledged the attack with a message on the company’s website, claiming that the intrusion took place on June 3rd, with threat actors targeting “part of its servers.”

“Automatic Systems immediately took specific protection measures to halt the advance of the ransomware. The company called on external cybercrime experts, who are currently supporting the internal IT teams around the clock,” the company said.

ALPHV/BlackCat claimed responsibility for the attack on June 12th, saying that they stole “a lot of critical data.” The post suggests that attackers got their hands on the personal information of the company’s partners and clients, financial data, passport details, and other information.

Post on the gang's dark web blog. Image by Cybernews.

“[The stolen data includes] confidential documents on cooperation with NATO and procurement of equipment for military companies and detailed schemes of installation and use of such equipment,” the post on a dark web blog says.

Somewhat unusually, the attackers included many samples of the supposedly stolen data. Most notably, the post displays NDAs between victims and Chinese retailer Alibaba, documents that the company signed with French defense contractor Thales, and other data.

Automatic Systems claims the company is committed to full transparency during the ongoing investigation of the attack. The manufacturer said it has contacted law enforcement authorities in Belgium, where it’s based.

The victim company employs nearly 400 staff and mostly produces vehicle, pedestrian, and passenger access control systems. That includes everything from rising barriers to ePassport gates used in airports. Automatic Systems is a subsidiary of Bolloré, a French manufacturing behemoth with revenues exceeding $22 billion last year.

What is ALPHV/BlackCat ransomware?

ALPHV/BlackCat ransomware was first observed in 2021. Like many others in the criminal underworld, the group operates a ransomware-as-a-service (RaaS) business, selling malware subscriptions to criminals. The gang is noted for its use of the Rust programming language.

According to an analysis by Microsoft, threat actors that began to deploy the malware are known to work with other prominent ransomware families such as Conti, LockBit, and REvil.

The FBI believes that money launderers for the ALPHV/BlackCat cartel are linked to the DarkSide and BlackMatter ransomware cartels, indicating that the group has a well-established network of operatives in the RaaS business.

Lately, ALPHV/BlackCat has been among the most active ransomware gangs. According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.

Recently, the gang seems to have focused on professional service providers. In mid-May, the gang said it had breached Mazars Group, an international audit, accounting, and consulting firm.

Earlier this month, the crooks attacked Casepoint, a legal technology platform used by the United States Courts, the US Securities and Exchange Commission (SEC), and the Department of Defense (DoD).