The threat actor group Adrastea claimed a data breach at MBDA, a European missile manufacturer with ties to NATO, back in July.
At the time, the company promptly disputed the claims, saying that while some files had been stolen, MBDA itself was not hacked and its security systems remained intact. Further, the missile maker said the data made available online was “neither classified data nor sensitive.”
Security researchers at CloudSEK have now written a new advisory about the alleged hacking campaign against MBDA.
Published on Sunday, the technical write-up says CloudSEK’s researchers were able to obtain and analyze the password-protected ZIP file containing the sample data from the alleged breach.
“The password to unlock the file was mentioned in the post shared by the actor,” the advisory reads. “The ZIP file contained two folders.”
According to the researchers, the folders included files containing personally identifiable information (PII) of MBDA employees, alongside multiple standard operating procedures (SOPs) setting out the requirements for NATO Counter Intelligence to avert threats related to Terrorism, Espionage, Sabotage and Subversion (TESS).
“The SOPs identify NATO collection and plan functions, responsibilities, as well as procedures used in support of NATO operations and exercises,” CloudSEK explained. “The SOPs also include all activities of the Intelligence Requirement Management and Collection Management (IRM & CM) process that results in the effective and efficient execution of the intelligence cycle.”
The obtained files also reportedly included internal cabling diagram sketches for missile systems, electrical schematic diagrams and documentation of activities tying MBDA to the Ministry of Defence of the European Union.
At the same time, the cybersecurity company noted that Adrastea’s reputation as a threat actor is currently low, as multiple concerns and complaints were recorded on the dark web forums where the group posted the alleged MBDA information.
Further, this is the group’s first recorded activity, so CloudSEK could not say whether the posted information is genuine.
The CloudSEK advisory comes weeks after the company published a separate document saying someone allegedly hacked the Swachhata Platform in India and stole 16 million user records.