Cyber Incident Victim: Fabricaciones Militares
Date:
Oct 2025
Location:
Argentina
Summary
Fabricaciones Militares suffered a ransomware attack carried out by the group MONTI, which claimed responsibility and exfiltrated over 300 gigabytes of data. The stolen material includes sensitive defense information such as plans for cutting‑edge weapons projects, including upgrades to the TAM 2IP main battle tank and development of a CH‑14 helicopter. The company, which supports the Villa María Military Powder and Explosives Factory, is undergoing a transition to a public limited company amid government plans for privatization, leaving over a thousand workers uncertain about their future after an auction of equipment and vehicles. The breach follows a series of hacks on government sites and has drawn attention from an Interpol warning about ransomware targeting defense contractors in neutral countries.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 1, 2025, specialized media outlets FalconFeeds.io and Cyber Press reported a cyberattack on the systems of Fabricaciones Militares, a state‑owned Argentine defense‑industry company. The outlets identified the incident as a ransomware attack in which the group known as MONTI claimed responsibility for encrypting files and exfiltrating data. According to the reports, the attackers stole more than 300 gigabytes of information from the company's networks. The announcement marked the first public disclosure of the breach, as official sources had maintained silence about the incident.
The stolen data were described as sensitive and included plans for cutting‑edge weapons projects, specifically the upgrade of the TAM 2IP main battle tank and the development of a CH‑14 helicopter. The volume of information exceeded 300 GB, encompassing technical documents, design schematics, and related project details. The timing of the attack aligned with an Interpol alert issued in 2024 that warned of increasing ransomware interest in defense contractors located in geopolitically neutral countries. The article notes that this circumstance suggests the operation may have been planned and executed by a group with considerable experience and resources.
Fabricaciones Militares was simultaneously undergoing a transition to become a public limited company, with the government of Javier Milei announcing its intention to privatize the entity. The company supports the Villa María Military Powder and Explosives Factory, and more than a thousand workers faced uncertainty after the auction of equipment and vehicles linked to the anticipated privatization by firms associated with NATO and the United States. In response to the breach, MONTI posted on its dark‑web portal criticizing the company's 'insufficient cooperation,' a statement interpreted by the reporting outlets as indicating that negotiations were underway to recover the stolen information. The incident followed a series of hacks at the end of 2024 that compromised the 'Mi Argentina' platform and around twenty official sites, underscoring pre‑existing weaknesses in public‑administration cybersecurity.