Italian gas giant confirms breach, hackers threaten to leak data


A notorious Russia-linked ransomware gang has claimed to have stolen 159GB of data from one of Italy’s largest industrial gas producers and has begun the countdown to release it publicly. The company has confirmed the security breach.


The Everest Group, the Russia-linked cybercriminal gang behind the alleged ransomware attack, has listed the SIAD Group as a victim on its leak site on the dark web.


The SIAD Group is one of Italy’s leading chemical and industrial gas companies, producing and distributing gases used across sectors such as food, healthcare, automotive, metallurgy, and chemical manufacturing. Its operations also include the supply of liquefied petroleum gas (LPG) and natural gas.

Beyond gas production, the company develops gas plants, compressors, and automation systems, and provides home and hospital healthcare services. Founded in Bergamo in 1927, SIAD reported a turnover exceeding €1.1 billion in 2024.

The post on the gang's leak site includes a timer showing that the company has eight days to contact the cybercriminals before the stolen data is released.


Ransomware gangs often list their victims on dark web leak sites, attempting to blackmail organizations into paying a ransom.

“Since SIAD Group is a major supplier of various industrial consumables, if the ransomware attacks halt their production and operations, it may lead to an inability to deliver the consumables used by their clients, which may lead to moderate disruptions in manufacturing, healthcare, and the energy sector, mainly in the EU,” Cybernews researchers said.

The gang releases data samples

Initially, it was difficult to determine the scope and implications of the alleged data breach, as the gang had not released any data samples with its post.

After this article was published, the ransomware gang posted screenshots showing samples of the stolen data.

Among the 18 screenshots were various internal documents, including:

  • Vendors' technical dossier submitted for engineering review
  • Manufacturer Data Record documenting as‑built quality, inspections, and certifications for compliance and traceability
  • IECEx Certificate of Conformity (CoC) — an international hazardous‑area compliance certificate
  • Welding dossier — a controlled quality and traceability package for specific pressure equipment within an Engineering, Procurement, and Construction (EPC) project.
  • Joint Identification Card, which shows and labels all the weld joints on the final discharge damper
  • General Arrangement drawing with inspector approval marks for installation
  • Inspection and Test Plan for the client’s gas plant

Additionally, the gang provided a list of folders that may be included in the stolen dataset. The folders’ titles suggest that they contain the SIAD Group’s operational and project data.

“These project files are likely taken from an employee computer or network-attached storage, so the data breach seems to be limited to only the confidentiality of their internal documents and contracts,” said our researchers who inspected the data samples.

“This breach likely would not impact the company's day-to-day operations. The data from the internal documents could, however, be used to craft phishing campaigns targeting both SIAD Group and their partners,” the researchers added.


SIAD Group confirms the data breach

Cybernews has reached out to the company for clarification, and the company confirmed the data security incident.

According to the company’s statement, unauthorised access to a perimeter component of the IT system was detected. However, the spokesperson claims it was limited exclusively to SIAD Macchine Impianti.


“The incident was promptly contained thanks to the intervention of our internal team; full operational continuity therefore continues to be guaranteed,” the spokesperson said in the statement.

The company stated that, at present, it has no evidence of any personal data being compromised, but continues monitoring the situation closely.

“The protection of information and the security of our stakeholders are an absolute priority for the SIAD Group. To this end, we take all necessary measures to ensure maximum protection of our systems and data,” the Group states.


Who is the Everest Group?

The Everest gang, likely linked to Russia, first emerged on the scene in July 2021. The most disruptive attack conducted by the gang this year has affected the aviation sector.

The gang claimed a breach of Collins Aerospace and its MUSE check-in software, which is used for check-ins and passenger management.

The attack affected multiple major airports across Europe, causing travel chaos for several days. Later, the gang threatened to release passenger data from Dublin Airport in connection with the Collins Aerospace breach.

In September this year, the gang claimed BMW as a victim. It also claimed that it breached a subsidiary of Germany's second-largest bank, DZ Bank, and threatened to release stolen data. However, the bank denied that any attack took place.


In July, the group claimed Mailchimp, the popular email marketing platform, along with a cache of “internal company documents.” However, some security insiders referred to it as “breadcrumbs.”

On May 22nd, Everest, which is believed to be connected to the BlackByte ransomware group, set its sights on Coca-Cola’s Middle East division, eventually leaking the data of nearly 1000 employees from the company’s multiple distribution centers.

Seemingly part of a broader attack on Coca-Cola Europacific Partners, the world’s largest Coca-Cola bottler, the ransomware group reportedly stole an alleged 23 million records.

Just days after the attack on Coca-Cola, Everest claimed the prominent international private hospital Mediclinic, which has locations in the UAE; the Abu Dhabi Department of Culture and Tourism; and the Jordan Kuwait Bank (JKB).

The gang was also behind the October 2022 attack on AT&T, allegedly offering access to the entire AT&T corporate network, as well as the attack on the Radisson Country Inn and Suites hotel chain in fall 2024.

Updated on November 12th, 8:30 A.M. GMT with the company's statement.

