American aviation and aerospace giant Boeing is investigating a cyber attack claimed by the Russian LockBit ransomware group.
On October 27, 2023, the cybercrime gang added Boeing to the growing list of compromised companies, giving it six days to pay the ransom or have its stolen data leaked online.
“We are aware of a cyber incident impacting elements of our parts and distribution business. This issue does not affect flight safety,” a Boeing spokesperson said, adding that the company was “assessing this claim” by LockBit.
The Boeing services portal remained inaccessible due to “technical issues” potentially caused by a ransomware attack or the company pulling down services to prevent further exploitation. However, the aerospace giant’s distribution website seems unaffected.
“We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying our customers and suppliers,” Boeing said.
Boeing’s customers include American and international airlines, the US Department of Defense, and NASA. The company employs over 140,000 in over 65 countries and reported annual revenue of over $66 billion in 2022.
LockBit ransomware says Boeing’s cyber attack leaked significant data
The LockBit ransomware gang claims it exploited a zero-day vulnerability and threatened to leak stolen documents unless Boeing pays the ransom by November 2.
“A tremendous amount of sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline,” the LockBit ransomware gang warned.
However, the gang declined to provide samples of Boeing’s data, claiming it was protecting the company.
“For now we will not send lists or samples to protect the company BUT we will not keep it like that until the deadline,” said LockBit.
Additionally, the ransomware gang removed Boeing from the data leak site, suggesting that negotiations were underway.
Removing the company from the data leak site minimizes the reputational damage caused by the cyber attack should the company choose to pay, paving the way for ransom negotiations.
However, vx-underground reported, citing the group’s administrative staff, that the LockBit ransomware gang had not contacted Boeing’s representatives. The group also refused to “disclose any information,” including the amount or type of data stolen or the zero-day vulnerability exploited.
Such secrecy is highly uncharacteristic of a cybercrime gang that thrives on “name and shame” tactics. vx-underground also highlighted the short deadline: six days instead of the usual ten days given to other victims.
Meanwhile, Boeing has confirmed the cyber attack but declined to comment on whether it has received LockBit’s ransom demands.
Although paying a ransom could help Boeing save face, it hardly prevents LockBit from leaking corporate secrets to adversaries and competitors or selling personal information to other cybercriminals.
“Attackers targeting large, global brands like Boeing, in this case through exploiting a zero-day vulnerability, are not only interested in money from ransoms but also the valuable data held in the compromised network,” said James Dyer, Threat Intelligence Lead at Egress.
With Boeing involved in advanced defense and space projects, the cyber attack could raise eyebrows at the Pentagon and Washington D.C., potentially jeopardizing the trusted relationship.
Aviation industry targeted by cyber attacks
Boeing has suffered numerous cyber attacks in the past. In November 2022, Boeing’s subsidiary Jeppesen suffered a cyber attack that disrupted flight planning. In 2018, the company was the victim of the WannaCry virus.
Similarly, the aviation industry is a lucrative target for cyber attacks, with ransomware being one of the biggest threats. In September 2023, Air Canada confirmed a cyber attack that leaked customer and employee information.
LockBit ransomware remains one of the most prolific cybercrime groups, having victimized over 1,800 organizations worldwide and earned over $90 million since 2019.
The group operates a ransomware-as-a-service (RaaS) business, paying commissions to affiliates after successful ransom payments. It primarily targets the education, financial services, government services, food and agriculture, energy, healthcare, transport, and manufacturing sectors.
“Since LockBit operates under a RaaS model, there isn’t a standard intrusion playbook used by affiliates,” said Ben Forster, Senior Director of Product at AttackIQ. “Threat actors will leverage a wide variety of Tactics, Techniques, and Procedures (TTPs) in the initial stages of the attack.”