Hackers threaten to leak data from NATO contractor Indra, as company investigates
One of Europe's biggest defense contractors is racing against a ransomware countdown after hackers threatened to publish allegedly stolen data.

One of Europe's biggest defense contractors is racing against a ransomware countdown after hackers threatened to publish allegedly stolen data.
The Gentlemen ransomware gang has listed one of Europe’s defense powerhouses – the Spanish multinational company and NATO contractor, the Indra Group.
So far, it is unknown what kind of data is involved in the alleged data breach. The gang released a post on June 30th on its leak site on the dark web, setting the deadline for the company to start communication.
According to the post, Indra Group has 9 days before the data is publicly released. This is a common tactic ransomware gangs use to threaten victims and pressure them into paying the ransom.
As reported in local media, Indra has confirmed a ransomware attack that affected one of its subsidiaries but has "guaranteed the security and continuity of its services."
As the company explained, at the moment the ransomware was detected, its Computer Security Incident Response Team activated the internal protocols provided for analysis, verification, and security review in the environments that could have been compromised "immediately."
The company has assessed that the attack was localized and the risk of spread across the group’s subsidiaries has been “ruled out.” According to the company, the investigation is still ongoing, as well as an audit of security procedures and controls.
Cybernews reached out to Indra Group for a comment on the countdown and the affected data. We will update this article once we receive a response.
European defense powerhouse
Headquartered in Spain, Indra Group is one of Europe's largest defense, aerospace, and technology companies, providing critical systems to governments, militaries, and operators of essential infrastructure worldwide. It is the first Spanish company to join NATO's cyberdefence coalition.
Indra also supplies identity management and cybersecurity solutions protecting sectors such as energy, finance, telecommunications, and public administration.
Indra is a global supplier of air traffic management technology, developing civil and military systems, including surveillance radars, flight data processing platforms, and military simulation systems.
The company's space business expanded significantly in 2025 after acquiring approximately 90% of Spanish satellite operator Hispasat, strengthening its presence in satellite communications and space technologies.
Indra also develops intelligent transportation systems used to manage roads, railways, and other critical mobility infrastructure.
The company has over 62,000 employees worldwide. With the annual revenues reaching €5 billion, the company operates in over 140 countries.
What do we know about Gentlemen?
Gentlemen’s business model is straightforward – the gang relies on ransomware-as-a-service (RaaS) to profit. They split revenue with affiliates who their illicit infrastructure.
Gentlemen originated as ArmCorp, a prolific affiliate cluster of the Qilin ransomware program, comprising approximately 20 members.
According to Halcyon security firm, the split between the gangs was triggered by a payment dispute on July 2nd 2025, when the threat actor known as "hastalamuerte" filed a public arbitration complaint on the RAMP underground forum, alleging Qilin owed roughly $48,000 in unpaid commission.
The first Gentlemen ransomware sample appeared on VirusTotal on July 17th 2025. It is five days before the public dispute, with the leak site URL already hardcoded into the binary, indicating the separation was premeditated and already underway.
Thailand is the gang’s most targeted country with 27 victims, followed by the United States, France, and Brazil.
Unlock more exclusive Cybernews content on YouTube.