After Boeing declines to pay up, ransomware group leaks 45 GB of data

499 points16
cosmojg5 hours ago

As someone who works in the defense industry, I can assure you that 45 GB of unencrypted emails is next to worthless from a commercial standpoint and a total non-event from a national security standpoint. This is probably more of a threat to individual employees than it is to anybody else.

To put it another way, if this data had value, the ransomware group wouldn't be leaking it for free.

leftcenterright16 minutes ago

> To put it another way, if this data had value, the ransomware group wouldn't be leaking it for free.

This is entirely incorrect and just speculation.

Most likely reason for not paying up is that law enforcement (involved in this case as well) does not like it and have even been considering a ban on ransom payments. This in no way implies this data has no value, it is very probable this data contains credentials (Citrix appliances) and might allow future compromises unless Boeing improves their security posture.



IndySun2 hours ago

>As someone who works in the defense industry, I can assure you...

Defence industry is broad, though, perhaps you needed to be for security reasons. However, stating your job then saying individual people don't matter but commercial entities do may make you unfit for certain defence careers.

ChrisRR33 minutes ago

I wouldn't be so sure. It's like criminals who steal passwords. Sometimes they just want to bulk sell the passwords at a lower value rather than delving into the accounts for higher gain. Sometimes they just want rid.

In this case, I wouldn't be surprised if the group want to make it clear that they're serious for other high-value targets

visarga5 hours ago

Maybe we can get another email corpus like Enron for NLP from all of this.

fakedang3 hours ago

Still useful to find weak links as a foreign adversary.

npalli12 hours ago

For an external party, having access to the 45 GB is the easy part. Now, you will need to create a company and supplier base the size of Boeing to make any use of this :-)

est7 hours ago

> Now, you will need to create a company and supplier base the size of Boeing to make any use of this

China: hold my baijiu

paledot7 hours ago

Guaranteed they already have the data they want.

SR2Z6 hours ago

Then why hasn't COMAC produced a viable jetliner?

coldtea32 minutes ago

Because it takes time, not just data. To set up infrastrcuture, to do tests, to train, etc. Hell, it takes Boeing itself several decades to design a new aircraft model, even though they have done it several times before.

The US for example trying to get back some of its domestic manufacturing prowess, after decades which has outsourced it to China which has gotten really good at it, has a 10-20 year barrier to overcome before it can even start to get to the same level, and that's if all goes well and no stupid decisions are made. Which is not very likely.

dghlsakjg6 hours ago

Because having the plans for something and having capability, materials and funding to do it are two different things.

testrun5 hours ago
protomolecule3 hours ago
M3L0NM4N4 hours ago

If they had the money to, they could.

lallysingh10 hours ago

I can imagine this complicating any supplier contract negotiations. "you pay X $50/unit more for the same device, etc."

alexpotato9 hours ago

I remember taking a procurement class in graduate school(MBA).

One of the more interesting points of discussion was that when big companies negotiate purchase agreements for parts, the actual cost of the parts can be very transparent. The negotiation is generally about the actual markup e.g. "I think we should pay X% over cost.

Someone, logically, brought up: "What if the company is not willing to share the cost upfront?".

The professor responded: "Well, if it's a public company you can generally deduce a rough cost/part and use that as your starting point in the negotiation"

Student: "Well what if the company says we're wrong?"

Professor: "No problem: ask them what the correct number is. If they don't want to give it to you, ask them how you expect to have a long term partnership if you are not willing to talk openly and honestly about things like parts costs."

wordpad259 hours ago

That's kind of a softball, can easily be counted with "part costs vary a lot based on the market" or something like, regardless of cost we guarantee you this price point

No business wants to share it's internal costs, it's their prime competitive advantage

deaddodo5 hours ago

Their prime competitive advantage is their product and quality:cost ratio. For a product company, at least.

If your business' primary competitive advantage is that it gets ICs for 1c less/per thousand, your business is built on shaky foundations. One that you would still want to disclose during negotiations ("yeah, our product is the exact same quality as Widget Co; but we've found a supply for some internal parts at slightly below market value").

nullindividual7 hours ago

When your only business is the Lazy B, you’re going to cooperate.

aksss7 hours ago

If the deal is big enough, it’s absolutely on the table. These are “cost plus” contracts. See Walmart and the federal government for examples of consumers that require these terms.

Now, the federal government, particularly with drugs pricing, turns a blind eye towards the suppliers just jacking up the purported cost. E.g. Pharma:“we want to make $100 per pill, it costs us $5 to produce”. Fed: “we demand cost + 10%, because the people”. Pharma:”Fine, let’s say it costs $90 to produce.” Fed:”Where do I sign?”

Whereas Walmart would say to somebody like Nabisco, “GFY; if you want your product on our shelves, you’ll open your books and give us audited cost + 10%”.

deaddodo5 hours ago

The idea that someone could hide parts/manufacturing costs is ridiculous on its face. You, as a consumer, can get a general BOM for most any device. It's how we know that the original Beats headphones were "worth" 7-8usd.

Just as we as consumers know we pay extra to the company (even if the numbers aren't oblique), businesses know the same. It's about how much you're willing to spend, not how much they spent to build it.

traceroute662 hours ago
qwertox10 hours ago

It could be a real security issue, depending on the kind of data.

photochemsyn7 hours ago

"Security by obscurity alone is discouraged and not recommended by standards bodies."

qwertox13 minutes ago

I'm not sure you could really add some kind of protection to somewhat unprotected cables, hoses or pipes which must run behind the passenger compartment walls.

justinclift5 hours ago

This is Boeing we're talking about. They stopped being any kind of competent a few decades ago. :(

clnq7 hours ago

Ah, well so long as it's discouraged... I'm sure no one's critical systems would depend on it, right?

lolive2 hours ago

Airbus needed a corpus to train its LLM. Now they have.

Thervicarl2 hours ago

This should guide them if they want to modify existing airliners so they are better equipped to crash into the ground, 737 MAX style. No thanks.

KRAKRISMOTT2 hours ago

They just need to ask the British Prime Minister. His father in law's company is where those jobs get outsourced to for cheap.

pyuser5836 hours ago

If only .001% of the population of China bought a 747.

baz0011 hours ago

That wouldn't even help. It'd have to be part of the original supply chain and certification chain for anything to be allowed out of the country that cloned any parts.

panarky10 hours ago

If it doesn't matter that it's public, then why did Boeing try to keep it secret?

worthless-trash9 hours ago

Because they can't tell the future, its better to have the cards than not.

hrdwdmrbl12 hours ago


npalli11 hours ago

1. They probably already have it :-)

2. Imagine the sheer pain of duplicating every single process and spec to the minutest detail, nobody is flying an airplane that only 'works' 99.99% of the time. Probably easier to start from scratch and learn it. BTW, this was tried by Russia in the all through the '80s, they tried to steal all advanced tech. but by the time they duplicated the stolen technology, the next generation appeared. A losing battle.

ethbr110 hours ago

> nobody is flying an airplane that only 'works' 99.99% of the time

Might I introduce you to the Tupolev Tu-134?

throw0101b10 hours ago
xcdzvyn3 hours ago
sterlind4 hours ago

not to mention the Tu-144, aka the "Concordski":

though that one was so defective that even the Soviets didn't want to risk flying it. it could barely get into the air, and that'd be with several major faults and alarms blaring.

NL80710 hours ago

Kinda scary how many times I flew with those in 80s.

reactordev11 hours ago

Sounds a lot like software forks… cough

Not the ones that were forked due to abandonment, but the forks due to “irreconcilable differences”.

denimnerd4210 hours ago

or hadoop

thret10 hours ago

Boeing are a major defence contractor, I'm sure at least some of the information is secret.

newuser943039 hours ago
johann838410 hours ago

> nobody is flying an airplane that only 'works' 99.99% of the time

The 737 Max 8.

deaddodo5 hours ago

Already addressed in another thread:

bozhark11 hours ago

Already had it

toasted-subs10 hours ago

Yeah the margins in that enterprise are pretty small not something you can franchise.

ThinkBeat14 hours ago

My memory is not the greatest and simple Google searches are not helping right now.

Have there ever been massive problems from one of these leaks for the targeted company?

I seem to remember quite a lof of similar leaks over the past two years where the market and public shrug it off.

Clearly 45gig is a lot. I would think if there was a major horrible thing to find that Boeing would have paid the ransom (and told no one).

Will it have any real negative consequences for Boeing?

It is a black mark against them that they were vulnerable. I guess it is favorable point for many that they didn't pay.

Thorrez6 hours ago

When Sony was hacked by North Korea, the leaked payroll revealed women were paid less than men for the same job. I'm not sure what the ramifications of that leak were though.

jacekm12 hours ago

Competition will love to have a look at this data but obviously they won't announce it to the whole world that they are digging through the files. One day Airbus will build a new plane before Boeing or just win a lucrative contract and we will never know whether this happened naturally or because of the knowledge they got from this data.

Denvercoder912 hours ago

Airbus won't touch this data with a 90ft pole. Their lawyers will make sure of that, as even just downloading it opens them up to tons of lawsuits.

The ones looking at this will be China, Russia and their associates that don't care about (Western) law.

omnimus11 hours ago

Airbus is not a person but a company. Of course some of the employees will look at this data. They will all pretend that they dont but companies pay for industry secrets why would they stay away from free ones.

TillE10 hours ago

Random low-level employees looking at stuff out of curiosity won't have the power or even the motive to act on that data.

For higher-level people it really just isn't worth the risk, unless there's some incredibly valuable secret.

PedroBatista11 hours ago
aborsy10 hours ago

You can download it securely and anonymously. There is no way to find out.

Actually, the French government intelligence agency is famous for IP theft. This one is placed at their feet.

jjeaff8 hours ago

that doesn't matter. if an employee were to read it and perhaps glimpse some trade secret and include that, even inadvertently into a future product, that could open them up for litigation.

userinanother7 hours ago

Rumor has it airbus used to have a secure cabinet of Boeing analysis data that people would go reference once in a while in the 90s but I doubt that happens anymore

m00011 hours ago

For what you don't want your direct employees to do, you can always hire a contractor who will do the dirty job and give you the (in this case literal) TL;DR.

billfruit8 hours ago

Why wouldn't Airbus not look into it, Boeing has often acted agressive in getting US government to put tariffs on Airbus.

raverbashing11 hours ago

What would Airbus learn from it?

How to shoot yourself in the foot with bad management?

(On the other hand maybe some other company's board went through the docs, hmm)

vidarh2 hours ago

My personal mail is 10GB+ despite having moved providers in the last couple of years.

45GB can be a lot, or it can be a couple of people's worth of marketing presentations.

anitil12 hours ago

I think it would be a problem if people started digging, but I suspect most people just don't have the time, inclination, or willingness to take the legal risk.

gosub1008 hours ago

I bet the internal emails would be infinitely more valuable than design docs. let's see what the last link on the chain (of responsibility) actually said when they were told MCAS wasn't working. Let's hear how they worded the spin on the first batch of ~150 deaths to do damage control, and then how they reacted to the next. I'd fire up my popcorn maker for that!

chakintosh23 minutes ago

I wonder if anything here is related to the MCAS disasters

runeks1 hour ago

New security-through-obscurity tactic: make sure to automatically send lots of fake emails between employees, containing importantly-sounding words such as "classified", "secret" and "important" — with some identifying characteristic that makes the employees' email clients ignore them.

Then an email dump of 45 GB of useful information could instead be 4.5 TB (with 1% useful information), and wading through all the non-information to find something useful will not be worth the time of the adversary. The more important information you have in emails the more you need to increase the misinformation-to-information ratio.

kramerger14 hours ago

Is there anything "useful" in this dump?

The article mentions citrix and emails, but that could be anything

dmix14 hours ago

Useful to whom? Email dumps and other data could be useful for further breaches and attacks against personnel. I'm sure their infosec will be going through everything but they could miss stuff and personal information is exploitable for fraud even with awareness.

Govs like China and aircraft/defense competitors to Boeing probably got a goldmine if they didn't already have their own access. Boeing does plenty of NATSEC and space stuff.

steponlego12 hours ago

Now that it's out there somebody will doubtless download it and check it out eventually. Stuff that goes onto the Internet rarely goes away.

jacquesm12 hours ago

Except when you want to preserve it.

Gigablah9 hours ago

There should be a law for this. (Law as in Murphy’s law)

strangattractor16 hours ago

Didn't a ransomware gang just renege on a deal and release the data anyway. Seems like they are killing their own business model. If company X cannot depend on the gang delivering why pay in the first place. Boeing will have to pay for any fallout form the data breach - why have the added expense of paying the criminals for the privilege?

xeckr10 hours ago

This opens up an interesting (albeit highly unethical and illegal) strategy to combat ransomware, which could be implemented by state actors:

1. hack targets and hold their data for ransom

2. get the ransom and release the data anyway

This would largely discredit the actual ransomware gangs. A way to make this more ethical would be to have the data be insignificant or encrypted. The media will still have their story, and public perception will be changed.

An even better way would be to secretly coordinate with the "targets" of the hacks, turning the whole thing into a harmless spectacle that nevertheless decreases the incentive to hold data for ransom.

rdtsc2 hours ago

Very nice. Create something like a lemon market for ransomware. I like it.

It always felt funny how these criminal groups in this case have to project an image of trustworthiness and honesty.

M3L0NM4N4 hours ago

The latter could have been the case here and we would never know...

asdfman12314 hours ago

Tragedy of the commons. We need to establish a centralized judicial system to identify and shut down bad ransomware actors.

op00to13 hours ago

let's hold off on advocating for a New World Order just yet.

asdfman12310 hours ago

No, this would be a shadow government by ransomware companies to govern other ransomware companies. We can all get along!

barryrandall15 hours ago

They do that all the time. The first ransom is to get the decryption keys to the target's data, the second ransom is to prevent them from publishing the decrypted data.

CivBase15 hours ago

If they're going to publish the data publicly, what do you need decryption keys for? Seems like it's basically an all-or-nothing deal to me.

bretpiatt15 hours ago

Perspective as CEO of a backup and disaster recovery company...

A lot of folks now have ransomware protected backups for critical data so they aren't paying for decryption keys.

This has escalated to hack and release, the attackers are now exfiltrating data and threatening to make it public in addition to encrypting it on the host system.

sandworm10115 hours ago

>> If they're going to publish the data publivally, what do you need decryption keys for?

Because they will publish the bad stuff, the stuff you really don't want public, but likely withhold the boring stuff, the stuff the business really needs to function. And whatever they release might not be in the format that it was taken.

barryrandall14 hours ago

They only tell you about the second extortion attempt after the success of the first. As I understand it, each gang operates differently, but most are consistent in their approach (e.g. x will always double ransom, but y will never).

contravariant15 hours ago

I think that's why you ransom the decryption key first. If I understood correctly.

ceejayoz15 hours ago

I wonder if this counts as an ITAR violation on Boeing's part.

da_chicken14 hours ago

How do you figure that?

ceejayoz14 hours ago

There's almost certainly ITAR-subject data in a Boeing data dump of this size; I'm curious as to whether not paying a ransom counts as releasing it.

estiaan4 hours ago

I really hope this is not the case. Paying randsome is unethical, in some cases it’s also illegal. At best you’re funding a criminal organisation, at worst you’re in collaboration with a criminal organisation.

In the case of digital files there is absolutely no guarantee that they delete the file, it’s like paying someone to go back in time.

The act has been done, the data is stolen, your negligence and wrongdoing is in the past and the only ethical option is to not fund the bad actors who are actually primarily responsible.

tgsovlerkhgsel11 hours ago

Letting it get stolen in the first place might count, I highly doubt not paying the ransom counts.

hiharryhere14 hours ago

I doubt it. Here in Australia at least companies with large gov contracts are prevented by gov policy from paying ransoms.

tsujamin13 hours ago
ceejayoz14 hours ago
brookst14 hours ago

I think ITAR covers exporting, which is necessarily intentional. At least I'm not aware of any espionage victim also being subject to ITAR prosecution.

kevin_thibedeau11 hours ago

It also covers reexporting. You're still responsible for ITAR and EAR articles after they've been exported and the recipient wants to transfer them somewhere else.

annoyingnoob13 hours ago

In the case of ITAR, not exporting means limiting access to US persons only. I suspect this could be a violation, even if unintended.

dymk13 hours ago

Size of the dump means nothing, on one extreme it's a single 45GB video file of a security camera looking at nothing.

lesuorac14 hours ago

I'm more curious why failing to secure it doesn't count as a ITAR violation.

kenjackson10 hours ago

I think you need to do reasonable effort. Perfect security doesn’t exist.

gehwartzen5 hours ago

Out of curiosity how do you guys mentally interpret the data size when reading about a hack/leak story? 45GB? Do you think 10s of millions of text files? A few DVD rips? a server backup?

It seems so useless but is always portrayed as the "wow look at that number!" part of any leak/hack story

vidarh2 hours ago

4x my current inbox, accumulated over 2 years since I moved providers.

45GB and a a lot of it's just text. If it includes documents, it could be next to nothing.

riffraff3 hours ago

"three times my Gmail inbox accumulated in about 20 years"

hadlock4 hours ago

At one Very Corporate job I had, there was a file share that somehow had never been culled, had a bunch of coworkers (current and previous) vacation photos, even a couple episodes of seinfield and I think the movie Die Hard. This was pre-snowden and the ripped videos were very pre-snowden. This share was like 8 or 9gb. Two or three .ISOs from a POC (proof of concept) with a vendor could easily push it over 16gb. If they compromised the share the marketing department kept their 2006 era .wma files of the company team building activity from That One Time it might result in not a lot of actual text files. I've had my gmail account for almost as long as you've been able to have one (almost 19 years?) and I've only managed to accrue 17GB in that time.

offices14 minutes ago

Comparing my personal email account with my work email account, the latter has a lot more 'waste'. An email for every meeting, daily office grumblings, JIRA spam, CI spam, etc. And most of these also apply to aerospace engineers. 45 GB is nothing.

freedude13 hours ago

45GB of data could be like a dozen employees' or less Outlook PST files. For this to be astounding we would need to know the quality of the data. Otherwise it is a bunch of hype and hoopla.

anitil12 hours ago

I'm not sure about the legality and ethics of training models on stolen data, but for reference, but so far as I can tell the Enron email data set is about 1.5GB (much lower than I expected to be honest!).

And I believe some of the more interesting things found in that data set (outside of the fraud) were people cheating on their partners.

justsocrateasin12 hours ago

I do believe that 1.5GB is tarred and gzipped though, so it is a fair bit bigger. That's also supposedly half a million emails, so 45gb is quite a bit.

primax12 hours ago

Sure, but that was leaked in 2004. A very different time for email, and where attachments were generally smaller.

jmalicki11 hours ago

The Enron dataset was not leaked - it was made public by the US government as evidence from an investigation by the Federal Energy Regulatory Commission.

campbel13 hours ago

You better pay up or we'll delete all of Marge and Victors email backups!

justinclift5 hours ago

Could be the porn stash of the Boeing directors. That could make some of them pretty nervous. ;)

seventytwo6 hours ago

I was just gonna say, there’s probably single CFD simulation files that are larger than 45GB.

workfromspace2 hours ago
legitster15 hours ago

I struggle to see how this business model would work in the first place. They pay you and you pinky swear not to release it? All you are doing by negotiating is to buy the victim time to harden their systems.

This sounds liked a failed ransomware attack. They encrypted the systems - Boeing says "no thank you, we have backups". There were no valuable zero-days to sell to GRU, so give a last ditch offer to try to salvage something.

RandallBrown15 hours ago

> They pay you and you pinky swear not to release it?

Yes. If any of this information does end up getting leaked, it kills the credibility of the ransomware group and they'll never get paid again. Sort of mutually assured destruction.

Now of course, most people don't really trust criminals anyway so the business has a pretty strong bargaining position and I believe many of the ransoms are negotiated way down.

tanelpoder14 hours ago

Wouldn't it be easy to just pick a new name for the ransomware group then?

(or do we need eBay-like "seller ratings" and customer reviews for ransomware groups?)

Jaepa14 hours ago

From what I understand there's a market for ransomware negotiators, and reputation (and tooling) is very much a thing that affects settled price.

Understand: For the ransomer's point of view this is another monday, albeit one where a big fish walked away.

FirmwareBurner13 hours ago
LastTrain10 hours ago

I’m not doubting this - but can you provide anything to substantiate that reputable ransomeware negotiators are a thing? [edit - nm I googled it, it’s a thing]

red-iron-pine14 hours ago

Depends on what their SOP is. Attribution is hard but there are a lot of really, really smart people trying really hard to identify orgs by their TTPs.

You can rebrand as CaTBUTT, or Indrik Spider 2.0, or whatever, but if you're using some custom version of Mirai they'll eventually tag your M.O. and the threat intelligence briefings will reflect that.

And then no ransom.

tanelpoder14 hours ago

Didn't think of that, thank you.

Exuma14 hours ago
ceejayoz14 hours ago

A no-name ransomware group is less likely to be trusted to hold up their end of the bargain than one with an established reputation.

Didn't Silk Road have eBay-style ratings/reviews?

jeron14 hours ago
yieldcrv13 hours ago
barryrandall14 hours ago

They'd need to burn all their tools, techniques, and practices for this kind of rebrand to be successful.

adolph14 hours ago

5 star would hostage again

Superhost for my datas

echelon14 hours ago
tgsovlerkhgsel11 hours ago

It would, but publishing the data of someone who paid gives the ransomware gang almost nothing, and the downside would be to start as a no-name.

On the other hand, holding their side of the promise allows them to build a reputation, which makes it easier to get future victims to pay. Why would they leak the data if someone paid?

paulcole13 hours ago

My brother did this with lawn care and HVAC companies. The first business lesson he learned was never name your business after yourself. He was about 16 when he learned this and ever since it’s been like AAA Lawn Care or Aces HVAC until he gets so many negative reviews he can’t get more business.

frandroid13 hours ago
temporarara13 hours ago
dkjaudyeqooe14 hours ago

> it kills the credibility of the ransomware group

There are review sites for ransomware groups?

"honored promise not to disclose, didn't gloat or taunt, would pay again, 10/10"

arnvald13 hours ago

Not sure about review sites, but there are companies specializing in ransomware negotiations on behalf of the victims and they can advise not to pay a group that is known to release the data anyway

hot_gril13 hours ago

Either way, seems like something that a government or other actor could mess with, thus making it harder for hackers to profit.

legitster14 hours ago

Data ransoms have existed for a long time before "ransomware" was even really a thing - there's just never been a market for ransoms for the "stolen" data. Once it's out you can't put that genie back in the bottle.

The reason ransomware worked was you didn't have to trust the group long-term - just enough to give you a copy of your data back.

It's the difference between you making a copy of my car keys and stealing them. Yes, I will pay for "a" key back - I only have to trust you enough to hand it over.

mcmoor12 hours ago

But you don't only want your data back, you want the data disappear from circulation. While ransomware ensures the former transaction, it still in no way ensures the latter, making it still a dubious transaction.

mysterydip14 hours ago

Couldn't the ransomeware group just come back under another alias to clean their slate?

rtkwe14 hours ago

If any group does it it kills the credibility new entrants too so there's still incentives to not do it.

cjaybo14 hours ago
callalex14 hours ago

By that logic, illicit food and drugs wouldn’t have a problem of being cut with fillers. A tragedy of the commons doesn’t really reign in the behavior of criminal organizations.

neodymiumphish12 hours ago

Only if they completely rebuild their malware and infrastructure so that researchers can't correlate them together.

micromacrofoot14 hours ago

a clean slate also means rebuilding reputation

mvkel13 hours ago

Meh. They don't knowingly release it. But they could certainly continue to try to sell the data on the black market to competitors, etc, which the competitor would never disclose.

bastawhiz13 hours ago

> it kills the credibility of the ransomware group and they'll never get paid again

I don't buy it. There's nothing to stop the group from rebranding themselves. The company has no proof nobody else got a copy of the data. And the group could simply hang onto the data, extort a bunch of money from other companies, then start back at the beginning and demand even more (knowing that the data is worth _at least_ what was already paid for it).

sofixa13 hours ago

> I don't buy it. There's nothing to stop the group from rebranding themselves

Apart from the fact that nobody would pay them if they have no reputation.

raincole13 hours ago
tshaddox13 hours ago

Surely that can't be completely true. The reputation has to be bootstrapped somehow.

neodymiumphish12 hours ago

New groups can't demand as much as the next. Also most of the big groups are RaaS (Ransomware as a Service), meaning their affiliates get approval to operate using LockBit's name, infrastructure, and software.

If LockBit does something to taint their image in the media and among security organizations, then rebrands to avoid their negative history, forensics will still eventually tie their new name back to their old org, and victim's will have to decide whether they should trust that their data will be handled correctly after payment.

As for re-victimizing old organizations, there's almost zero chance of that working. Most data is only sensitive for a certain time frame, long enough that they can make the proper notifications, change credentials, etc.

Lastly, there still needs to be someone to download and abuse the data they leak. I've monitored ransomware torrents a few times and not observed any downloads completed over the course of a couple weeks following a data leak.

jowea14 hours ago

I wonder why they don't make into a recurring payment instead of a one time deal. Turn it into an iterated game theory game.

timeon14 hours ago


neodymiumphish12 hours ago

That's not what this means.

augustulus13 hours ago

more risk of exposure presumably

ibejoeb12 hours ago

> I believe many of the ransoms are negotiated way down.

LockBit just did a sort of collective bargaining with affiliate groups that resulted in guidance for setting initial ransom amounts and rules restricting discounts about 50%.

kspacewalk214 hours ago

>credibility of the ransomware group


waynesonfire14 hours ago

It's your naive comment that I find hilarious. it's a business like any other that puts food on peoples plates. in fact, a mature business with a deep and sophisticated industry. it benefits all participants when everyone behaves reliably and predictably. These aren't amateurs.

miohtama14 hours ago

I am sure there are discreet nation state buyers, like Russia and China, who are happily to use the information without causing an incident. Russia does not even need to ask, as most ransomware gangs operate under the blessing of Putin.

justsomehnguy13 hours ago

[citation needed]

At least for 'most'.

JohnFen14 hours ago

> it kills the credibility of the ransomware group

There are people who consider these groups credible?? The world really has gone insane.

neodymiumphish12 hours ago

Many of these groups have better bug bounty programs, SOPs, and organizationsla structure than your average company.

RandallBrown10 hours ago

"Credible" here means that they stick to their word.

willseth14 hours ago

You'd think that, but in practice these ransomware groups are pretty reliable, and actually many rasomees have remarked on how good the customer service is! Their ability to make money is dependent on them maintaining a reputation for being in the business for money, not lulz, and tmk the pinky swears are typically upheld.

jameson12 hours ago

> in practice these ransomware groups are pretty reliable

Hard to say...

You're effectively trusting the liar they wont lie again

Its possible they leak it to high profile customers without publicly announcing it

Business should make decision assuming the data will be leaked eventually regardless of random paid or not

Perhaps only thing business can assume is the data wont be publicly released in short amount of time

hnthrowaway031515 hours ago

I wouldn't be surprised if some ransomeware gangs are frontends of national (in)security agencies. They don't care about profits. Sure it's good to have some.

jasonwatkinspdx14 hours ago

It's an open secret that FSB et all work with ransomware gangs. As long as they don't target Russian companies they don't care what they do otherwise. So it's not so much they're a front as they're in a sort of quasi officially sanctioned middle ground.

sofixa13 hours ago

As an example, the DarkSide malware (the one used against the Colonial Pipeline) explicitly checks if it's running on a computer in the CIS (Russia+countries nostalgic of the Soviet Union / without a better choice) and exits.

prmoustache4 hours ago

Well, this doesn't mean they work for FSB but rather they want to stay away from them.

If I was based in a country I would not want to target those that can more easily get me into jail and/or kill me.

I have no idea if FSB work for them, this is more speculation than open secret, but they certainly do tolerate them and see them in a good eye as long as they target western companies and agencies. The enemy of my enemies is my friend.

jasonwatkinspdx9 hours ago

Oh interesting, I'd not heard that. Thanks.

hnthrowaway031514 hours ago

Yeah. I'm also thinking about ways to "promote" malware without getting impacted.

Let's say some three digit agencies create sort of malware distribution forums in the darknet. They make sure to only broadcast to people who wants to play with malwares so the net catches the "bad guys" mostly, except for a few curious researchers or journalists maybe. Then they start to share recent generarion malwares they created. They don't need to distribute them by themselves because they already have the CCC servers. Some malware gangs would eventually be the frontend and start the distribution.

In this way you not only distribute the malwares without getting impacted, you also get to know the gangs so whenever you want to catch a few fishes you just pull the net.

Once the darknet forum dies out or they need to wipe the records, they would just leave and create a new one.

Just my wild thought.

r00fus14 hours ago

Digital privateers

sfink13 hours ago


kramerger14 hours ago

Well, every time Boeing tried to bribe a country, someone leaked emails and audio recordings from their secret meetings.

Usually we blame the Chinese, but in this case I think its a toss between CIA and NSA.

(I think I'm on some kind of list now)

Edit: I am an idiot. I was thinking of Airbus, see @perihelions comment below

perihelions14 hours ago

Which incident are you referring to? The NSA took credit for hacking Airbus, but that's Boeing's foreign competitor—not Boeing.

- "According to a European Parliament report, published in 2001, America's National Security Agency (NSA) intercepted faxes and phone calls between Airbus, Saudi Arabian Airlines and the Saudi government in early 1994. The NSA found that Airbus agents were offering bribes to a Saudi official to secure a lion's share for Airbus in modernising Saudi Arabian Airlines' fleet. The planes were in a $6 billion deal that Edouard Balladur, France's then prime minister, had hoped to clinch on a visit to see King Fahd in January 1994. He went home empty-handed."

- "James Woolsey, then director of the Central Intelligence Agency, recounted in a newspaper article in 2000 how the American government typically reacted to intelligence of this sort. “When we have caught you [Europeans]...we go to the government you're bribing and tell its officials that we don't take kindly to such corruption,” he wrote. Apparently this (and a direct sales pitch from Bill Clinton to King Fahd) swung the aircraft part of the deal Boeing's and McDonnell Douglas's way."

kramerger14 hours ago

You are correct. I think my brain was on a break while I was writing that :)

emodendroket14 hours ago

Why exactly would the CIA or NSA want to do that? Boeing works so closely with the security apparatus they're practically an unofficial member so I don't understand what the motivation would be.

hnthrowaway031513 hours ago
bee_rider14 hours ago

I imagine at least some (probably many) of the engineers who work for Boeing have a basically lawful-good/lawful-neutral temperament and are just disgusted by things like bribery. Maybe one of the parties in the conversation leaked it, no intelligence agencies needed.

beambot14 hours ago

> How North Korea’s Hacker Army Stole $3 Billion in Crypto, Funding Nuclear Program

nimih13 hours ago

> They don't care about profits.

This isn't really true in general: intelligence agencies often want access to funds with less/no oversight from (or to skirt controls enacted by) other parts of the government. As an example, that was the dynamic at the basis of the Iran-Contra affair in the US.

jowea14 hours ago

For North Korea sure quite believable. Some links existing also sound likely for the Russian gangs.

jasonfarnon13 hours ago

What benefit is it to the ransomware group to release the data? They may be sloppy or careless with their data (like their victims) but I don't see a for-profit/non-ideological ransom group reneging and intentionally leaking the data. And plenty of reasons eg repeat actors to do their best not to.

Actually I'm often surprised that many ransomers/hostage-takers go through with their threats when they don't get their demands. The only reason I can see them doing it is if reputation matters to them for future negotiations. more than the risks from the greater liabilities they incur by going through with the threats.

michaelt13 hours ago

The benefit would be getting paid a second time, by extracting a second ransom.

It doesn't have to be the whole group; perhaps one guy decides to branch out on his own, and grabs the data on his way out the door.

jasonfarnon13 hours ago

You mean "yeah we were lying yesterday about this same thing, but we're telling the truth right now" type of negotiation? Has that ever worked for ransoms (of any kind) anywhere?

NoPicklez12 hours ago

It's a business model that has certainly been working. If your business has been crippled due to your systems having been encrypted then you do often consider paying the ransom.

However if you have adequate backup and recovery mechanisms in place then you're not the best to prey on.

It's a business model that works until the majority of targets have appropriate backup and recovery processes.

emodendroket14 hours ago

You could say the same about any "ransom"-based business, really. Kidnappers could decline to release the kidnapped person after they get their money.

JohnFen14 hours ago

And they often do.

emodendroket12 hours ago

Yet it is not unusual for the ransoms to be paid.

matthewdgreen14 hours ago

That’s why you secret share the data across six Intel SGX instances using software that only reveals the plaintext if it doesn’t receive a blockchain-based payment after 30 days. (No, nobody does this. But they could!)

adriancr13 hours ago

why would anyone trust the data is only on those instances?

matthewdgreen13 hours ago

Because you write your ransomware to encrypt to a hardcoded set of public keys that include an SGX attestation from those instances. This can be verified forensically and the unencrypted plaintext never leaves the victim organization.

adriancr13 hours ago
crotchfire13 hours ago
pcurve9 hours ago

The market seems to think this is inconsequential.

1-613 hours ago

The moment a company pays good money, that legitimizes the hacking group and emboldens them to keep going. You can’t trust that they’ll not leak even after they get paid.

2OEH8eoCRo015 hours ago

Being a Russian-linked cyber gang, anything sensitive in there should be treated as public information now anyway. Why bother paying then?

monkeydust4 hours ago

LLM training fodder?

worthless-trash9 hours ago

I have grown respect for boeing after not paying this.

ars15 hours ago

The US should make it illegal to pay ransom, with a penalty of prison for anyone paying a ransom or authorizing payment.

The purpose of the law is that now ransomware gangs will be less likely to target US companies because companies are unlikely to risk paying them.

ironmagma14 hours ago

It's maybe already illegal[1][2].

That doesn't stop companies from paying for it. If you're a hospital, you're weighing breaking the letter of the law with killing a bunch of people.



gregwebs14 hours ago

Paying ransomware is not in any way illegal in the United States. Making payments to sanctioned entities (ransomware or otherwise) is. If companies go to their insurer, etc, they will probably get help to do the compliance to check to see if the payment requested would go to an OFAC sanctioned entity or not.

bee_rider14 hours ago

Is the duty to make sure you know you aren’t paying to a sanctioned entity, or is it to not know whether or not you are?

Given the sources of many of these attacks, one should reasonably assume they are likely to be doing business with a sanctioned entity, right?

gregwebs12 hours ago

There isn't necessarily a way to know who you are actually dealing with. Maybe in some cases there might be some information to figure this out to some degree. But normally the only information that is certain is where the payment is going. Which is just a bitcoin wallet address.

bee_rider14 hours ago

If you aren’t a hospital, you are helping the ransomware gangs amortize the cost of their R&D. Thus directly helping those who hit hospitals, and, as a result, contributing to those deaths.

phpisthebest14 hours ago

No I did not pay a ransom, I paid a 7 figure consulting fee to a cyber security company not based in the US, who somehow magically resolved the issue for us...

ploum14 hours ago

— If you don’t give me 10k$, I will tell the authorities that you have paid a ransom of 100k$. — Ok, here’s the money. — Thanks. If you don’t give me 10k$ more, I will tell the authorities about our previous deal.

M3L0NM4N4 hours ago

That's stupid. If you don't actually pay them, there would be no evidence of you paying them. Their case would hold absolutely no water.

smith701814 hours ago

There are instances where that doesn't make sense. For example, there was that plastic surgery office that got hacked a couple weeks ago. I get why they think it's better to at least try to prevent such private information from getting out. making it illegal to pay the ransom means that every patients' medical history and pre/post op photos would be leaked. That's a nightmare.

m3kw98 hours ago

lol no sht man, pay up and they’d still sell it behind their backs. Someone always have a copy

augustulus13 hours ago

we should be careful making the assumption that this is all the data they exfiltrated. this could easily just be the first tranche to prove that they’re serious

newuser943039 hours ago

The bigger problem for Boeing will be that they probably have fraud evidence in the 45G.

Spk-17kek10 hours ago

What if it is false information to harm opportunists?

gist12 hours ago

A writer contacted me about my thoughts (unrelated and separate from this event) about how the disclosure of vulnerabilities and methods of hacking (of all types and in almost all situations) aids bad actors vs. helps companies protect their systems (by knowing vulnerabilities that are often so obscure they would reasonably never be exploited).

Point is what is the upside of disclosure (I think) vs. the downside. Nobody is suggesting no disclosure but the writer seemed to think that the security industrial complex has lawmakers believing that everything should be open and there should be constant white hat hacking which seems to feed and benefit the security industry.

I am curious if anyone has a thought on this topic.

carabiner14 hours ago

When Boeing can't match the salaries of Seattle tech companies, this is what happens.

klyrs14 hours ago

Speaking as a native Seattleite with multiple friends and family at the company, Boeing stopped being a Seattle company in 1997.

jmbwell14 hours ago

TIL: Although Boeing still has manufacturing facilities in the Seattle area, they moved their HQ from Seattle to Chicago in 1997.

klyrs14 hours ago

To rephrase: As McDonnell Douglas was crumpling under the ineptitude of its management, Boeing merged with McDonnell Douglas, keeping Boeing's name and McDonnell Douglas's management.

massysett14 hours ago
carabiner14 hours ago

Moved HQ from Chicago to DC area last year.

Cacti8 hours ago

Man, that was 25 years ago. Time to move on.

1-613 hours ago

Sounds like the future of Tesla / SpacefleetX

kh4915 hours ago

The never ending cost of low quality outsourced digital transformation. Pathetic how many large corps have been hit. And tax payer has to foot the ever growing bill to investigate and defend these useless orgs.

barbazoo14 hours ago

Are there any signs to suggest that this was being made possible by "low quality outsourced" work?

newswasboring15 hours ago

This attack originated from an acquired company by Boeing. No outsourced party seems to be involved. Am I missing something in the article?

hnthrowaway031515 hours ago

Basically every large, traditional business is relying on some offshore gig for certain key technical responsibilities. They probably don't consider it the real key as they are cost centers, but hey ransomewares are reminding them.

It's not even just offshore. Some onshore consultancies are really of agasp quality.

pid-115 hours ago

Is there any case of a company suffering significant financial backlash due ransomware attacks?

My current impression is: consumers don't care, regulators don't care... so why should CEOs care?

rileyphone14 hours ago

Customers care if your business is in security, especially b2b. Though the biggest downstream effects are probably from security tightening making it more difficult to get anything done.

Source: my company was hit a couple months ago

punkybr3wster14 hours ago

The MGM ransomware supposedly cost them $100mil

whatever114 hours ago

Is it a tax write off ?

hnthrowaway031514 hours ago

Yeah you have a good point.

dimitrios114 hours ago

I don't think in the case of airlines we have the option to care. We are just kind of stuck with whatever the government-backed airline oligarchy chooses to do. The airlines would be the ones to have to care for it to matter. When the 737-MAX crashes occurred many frequent travelers, including myself, flat out refused to fly 737-MAX even after we were given assurances by the regulatory bodies. But after a while it just didn't matter. Life goes on, your company will book you on the plane that's the cheapest or part of their plan or whatnot, and you just get stuck being a cog in the wheel again.

stillwithit14 hours ago

> And tax payer has to foot the ever growing bill…

You might be put at ease to read all that debt is a hallucination humanity has no obligation to pay.

Also after decades in IT hearing about one lapse in security after another (including entire iron mountain trucks being robbed back in the day) yet society seems capable of shrugging them off, it’s hard to take the anxiety seriously.

It’s possible the CEOs are not the only people in IT inflating the value of their contributions and ideas.

CatWChainsaw14 hours ago

"digital transformation" was such a hot buzzword too, and yet the biggest market players don't want to spend enough to ensure it goes well, apparently.

SahAssar13 hours ago

Can we stop using disk size as a measure of leaked data?

There are bluray movies larger than this leak and there are files smaller than 10kb a lot more critical in most businesses.

It'd be nice if there was some sort of scale for data leaks like (just spitballing here):

1. Leak destroys all core company functions (crypto-exchange leaks all wallet keys, CA leaks all root keys and becomes banned from all trust stores, etc.)

2. Leak causes regulatory issues criminal enough to shut down company

3. Leak severely hinders core company functions (deploy keys for a cloud computing SaaS are deleted which stops all new deployments until all infra is reconfigured)

4. Leak severely looses company competitive advantages (new products leak that are replicable by competitors)

5. Leak causes severe PR disaster

6. Leak shows embarrassing internal company communication without any of the above

dylan60413 hours ago

Or at least say what the 45GB (for this example) of data compromises. As you say, if it were video files, that would add up pretty quick, but if it were 45GB of emails, then that's a hellalotuvdata. That would be the equivalent of a hostile law firm dumping a truck load of banker boxes on a smaller law firm to bury the lede.

Kind of like saying I have 10. 10 what? As my math/science teachers always said, don't forget to include your units.

msmith13 hours ago

This sounds like how we use a CVSS score to gauge the severity of software vulnerabilities.

Maybe the world needs a standardized place to catalog and rank all the data breaches that have been disclosed.

tyingq13 hours ago

Would be nice, but there would quite a lot of analysis needed to be able to determine any of that. Which you can't start until the file is public.

SahAssar13 hours ago

Sure, but instead of saying "Boeing leaked 45GB" it would say "Boeing leaked files of undetermined severity".

The disk size does not matter, and when the severity was actually determined it would show up in the headlines as "Boeing leak determined to be a level 3 leak" instead of just being "That boeing leak 5 months ago was kinda bad".

Either way, listing the size says very little.

xcv12312 hours ago

These are journalists publishing breaking news. They are not autistic IT professionals.

Relevant quote from the article: "I haven’t gone over the whole data set but Boeing emails and a few others stand out as useful for those with malicious intent"

SahAssar12 hours ago
vinaypai12 hours ago

> They are not autistic IT professionals.

What does autism have to do with having the professional integrity to understand what it is you're writing about before publishing sensational claims?

cvoss13 hours ago

Well, first, I'd expect Boeing already had some idea of the scope of what was compromised simply by investigating their own systems. After all, they knew enough to declare there was no impact on flight safety.

And second, even if a company has no idea of the scope, the hackers would somehow want to prove at least privately what the scope was, else their threat is not as manipulative as it could be. On the other hand, the hackers can't credibly bluff and inflate the scope too far beyond reality because the company can just say "prove it or I don't believe you and I won't pay." And the hackers want to get paid.

It's a business deal after all. A really crappy one involving criminals. But at the end of the day, the company must have already assessed the value of the leak in order to reach a decision.

tyingq12 hours ago

>I'd expect Boeing already had some idea of the scope of what was compromised

I've seen companies say this sort of thing with high confidence. But that seems hard to me, assuming some level of administrative access was breached.

rebolek13 hours ago

I believe that Boeing already did than analysis and determined it’s #6.

tyingq12 hours ago

At this point, I think there's quite a lot of "breach fatigue" now where the general public doesn't care about these stories. It's just "oh, I guess I get another year of free identity theft services".

FridgeSeal13 hours ago

Because half the time companies can’t be trusted to even admit there’s a leak, let alone the severity of it.

Groups that leak are likely to want to inflate the severity of the leak to ensure they get paid.

The larger a leak, the higher the probability there’s sensitive information in there, and the better opportunities/more time attackers had to exfiltrate it.

SahAssar12 hours ago

Agreed, but journalists need a better way to communicate. Saying 45GB sounds like a lot of emails to a technical person and nothing to someone who bought a bargain-bin 64GB USB memory stick the other day and filled it with a single HD movie.

The info says nothing, it conveys nothing. Even skipping the size and saying it leaked "emails" says more in the headline than the size.

A single video recording of an all-hands meeting could fill that size but it could also be emails containing the keys for accessing a large part of DOD.

fishtacos12 hours ago

I was working (very recently, during the 5000+ companies that were hacked via some what I presume were zero day hacks) for an MSP. 600 GB of data were exfiltrated from a law firm with several terabytes of storage of customer data kept due to data retention laws.

They asked for almost a million USD. FBI got involved, everything was restored from backups (thankfully, a month loss of digitalized work, and absolutely nothing was given to the ransomware group.

To your point, there are severe regulatory issues that have to be addressed due to the exfiltration. I no longer work for them, so I don't know the extent of their cost in 1. notifying affected clients and 2. providing credit protection coverage due to leaking of personal data.

ssss1113 hours ago

You’re describing a risk matrix. What level of risk does this data hold for the company.

I think that is a good way of measuring it.

neodymiumphish11 hours ago

They leak this stuff on their Tor leak site. Downloading 45GB from LockBit's site takes something like a week. Then you have to review the contents to determine its value.

No news org is going to go through that effort.

ForkMeOnTinder12 hours ago

For me the disk size is interesting because it tells me how long I'd have to wait if I wanted to download the leak myself, which I do from time to time. (not downloading this one though)

_visgean12 hours ago

This happened now, you can't assess right now any of these statements.

porompompero13 hours ago

Nice, it sounds to me similar to the earthquake Richter scale.

phasnox12 hours ago

"After Boeing declines to pay up, ransomware group releases DEFCON 3 leak"

Could be the alternative headline.

UrineSqueegee13 hours ago


incahoots13 hours ago

I'm at an en-passe here, on the one hand I think Boeing sucks as it's primary business is now hyper focused for defense purposes. On the other, ransomware generally hurts companies and municipalities that generally don't deserve it.

Boeing, Lockheed Martin, Facebook, etc...deserve it

zogrodea3 hours ago

Thank you for making this comment. I completely agree that Boeing and Lockheed suck. They are some of the most immoral companies in the world and I'm happy for any damage done to them, but I didn't see anyone else comment their dislike of these companies in this thread which concerned me.

verandaguy13 hours ago

Nit: it’s an impasse, not an en-passe.

justrealist13 hours ago

> Boeing sucks as it's primary business is now hyper focused for defense purposes

This is a childish 2000s take. The world is rougher, Pax Americana is over, we need effective defense contractors because the world is full of assholes. Grow up.

phpisthebest12 hours ago

No this is a very 2023 take, everything has to be looked at from the lens of the Oppressor vs oppressed narrative, and since America, the great satan, is always the "oppressor", America is always bad and must be opposed

Any company that helps support America is also bad and most be opposed

Any person that that does not view America as bad is a bigot alt-right extremist and must be opposed

That is the state of politics for 2023, and anyone born after the year 1990 or so

mach513 hours ago

its rougher because of america, not in spite of it. its a self-reinforcing feedback loop. implying you are the grown up in the room because you are 'realist' about this or whatever is a classic dimwit take.

cscurmudgeon12 hours ago

Yep, so true. Before 1776 there were no wars and the world was deaf due to sound overload from globally synchronized Khumbaya singing.

justrealist12 hours ago

Let me guess, Russia invaded Ukraine to eradicate the US biolabs breeding nazi GMO mosquitos.

mach511 hours ago

no and also i just noticed you have “realist” in your username, i didn’t even do that on purpose, lmao bozo

whatever114 hours ago

Like how can one download so many files from a company network and no alarm is set off ? What do the useless IT departments set up? Just employee spyware ?

jstarfish13 hours ago

Sadly, this is pretty routine for us (not Boeing). Every goddamn day we have somebody plugging in a USB stick and copying 1-20 GB of data to it. We see similar volumes "accidentally" uploaded to iCloud whenever someone syncs their work laptop to their personal iCloud account.

We watch it happen. We have the tools to stop it. But we're not empowered to use them, for the exact same reasons that led to Equifax's fuckup-- we're not allowed to do anything that might impact production/pursuit of new revenue.

Lately, I'm not convinced this is even the "wrong" approach. Espionage was not invented alongside the Internet. If we build a Thing and it's the only Thing we sell, data concerning it will inevitably be stolen by someone in some way. But if we iterate on it fast enough, the value of older versions leaked diminishes. We're in the market of building and selling a moving target.

It also creates an inflated volume of data. You can't just break in, grab "" and run like hell-- you have to exfiltrate a fuckton of data, make sense of it, and carve something usable from it. Like, checking binaries into a git repo makes the size bloom, but it doesn't add a proportionate amount of "value" to stealing that repo. It's padded with drafts and garbage.

cryptonector13 hours ago

You need to disallow all USB devices not on an approved list, which must all be keyboards and mice and nothing more.

lokar13 hours ago

I worked somewhere that filled all the usb ports with epoxy. They maintained a large stock of ps/2 keyboards and mice.

JoblessWonder14 hours ago

I mean, depending on the data type... 45GB isn't really all that much. They probably have 45GB individual CAD files...

Now, if it is 2,000,000 text files totaling 25gb, then that is harder to explain away.

(I just read the article and saw that it deals with a vendor we use daily... so... great news.)

bunabhucan14 hours ago

I remember an engineer telling me the physical drawings for the 747 weighed ten times as much as the plane itself.

Invictus013 hours ago

1000 sheets of paper weighs 10 lbs, the 747 weighs 910,000 lbs, so there were 91 million sheets of paper describing the 747? Does not seem accurate

38321003thrw13 hours ago
avar13 hours ago
joemi12 hours ago

If you adjust the size of the paper, it can be true no matter how many or few parts there are.

GartzenDeHaes14 hours ago

Let's say you have 6TB a day going through your perimeter firewall. It's kind of hard to pick out a 40GB stream(s) on HTTPS going to some US cloud provider.

barryrandall13 hours ago

> Like how can one download so many files from a company network and no alarm is set off ?

Slowly, hidden among legitimate traffic, and indirectly. For example, most companies don't notice 100 kb/sec increases in DNS traffic, slight increases in web server image sizes, or changes to server MOTDs.

demondemidi13 hours ago

I just had to download a 69 GB database to my laptop of CAD design files (mostly libraries). I'm glad I have 1 Gbit download speeds, but peers aren't so lucky. Granted, if IT saw remote employees downloading TBs of data it should really raise red flags.

ajcp14 hours ago

If the FileShare server itself was compromised one could mount it in a way that wouldn't show leakage, or just image the thing and bork the original.

Otherwise you could have a crawler that just traverses the FileShare and makes duplicates at a rate slower than what would look like BAU traffic. Given that most enterprise network shares host a TON of legitimate batch dump/upload file traffic it might be easy to skate by.

lgeorget14 hours ago

We don't know how and over how much time the data was exfiltrated.

cyrnel13 hours ago

So many of the security monitoring tools that purport to detect things like that only work if the attacker is brainless. Modern networks are complex enough where a clever attacker (like a professional ransomware gang) can make malicious traffic look like any other traffic.

Unless this was just a public S3 bucket, there was probably some lateral movement involved, and I'd say time/money would be better spent reducing that particular risk in the future.

extheat7 hours ago

The best way to mitigate attacks like this is simple: don't hold the data in the first place. Beyond that, encrypting and limiting who has access to what, and logging who opens what when makes it much harder for attacks like these to go under the radar. Obviously, not every company is Google and having super sophisticated security practices is both hard to do from an engineering standpoint (requires lots of infra) _and_ requires staff to have a security focused mindset. This is not something a lot of places have, not even tech companies by trade. The cost benefit analysis isn't high, so you end up with orgs that do things akin to dumping all corporate code into one Github account and then wonder how things went wrong when something bad happens.

Boeing Co, as a government contractor being hacked is obviously more concerning than a breach at $x company. It's a shame. I'd say this is a learning opportunity, but it likely won't be. Onto the next round of "cybersecurity" speak...