Cyber Incident Victim: Zambon
Date: Apr 2021
Location: Italy
Summary
An Italian pharmaceutical company experienced a cyberattack that forced the precautionary shutdown of a production plant employing 217 workers, halting operations for five days while systems were secured. The Babuk ransomware group claimed responsibility, stating that they had infiltrated the network over a period of seven months and exfiltrated approximately 10 GB of data. The group threatened to release the data publicly unless the company made contact, and some information was already leaked. The incident was contained without further disruption after isolation and remediation efforts.
Description
On or around April 29, 2021, Italian pharmaceutical company Zambon experienced a cyber attack that prompted an immediate operational shutdown at its Vicenza manufacturing plant, which employed 217 individuals. The company identified the intrusion and swiftly isolated it from its information systems as a containment measure. As a precautionary response to the incident, Zambon suspended all activities at the affected facility. The production halt lasted five days while the organization’s IT department conducted investigations and implemented corrective actions to resolve the attack. No additional disruptions were reported following the containment and restoration efforts.

The threat actor group Babuk claimed responsibility for the attack, alleging they had maintained unauthorized access to Zambon’s network for approximately seven months prior to detection. Babuk asserted they had created complete replicas of Zambon’s servers and exfiltrated roughly 10 GB of data from the domain zambongroup.com, which redirects to zambon.com. The group issued a public extortion demand, warning Zambon to establish contact or face the release of stolen data. A portion of the exfiltrated information was subsequently published in a data dump. The operational suspension at the Vicenza plant represented a direct consequence of the incident, though Zambon confirmed no further escalation occurred after systems were secured.
