Cyber Incident Victim: Gunnebo
Date: Mar 2020
Location: Sweden
Summary
A Swedish multinational security firm experienced a network breach where hackers obtained access via stolen Remote Desktop Protocol credentials with an insecure password, subsequently selling this access to a ransomware group. The company prevented widespread ransomware deployment but later confirmed attackers exfiltrated and publicly leaked tens of thousands of sensitive documents, including client security blueprints such as bank vault schematics and surveillance system layouts. Despite the CEO downplaying the sensitivity of certain exposed data like camera placements, the attackers published the stolen files after the organization refused ransom demands. The incident highlighted vulnerabilities in the firm’s cybersecurity practices amid broader trends targeting physical security providers lacking robust IT defenses.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In March 2020, KrebsOnSecurity alerted Gunnebo Group after receiving evidence from cyber intelligence firm Hold Security that hackers had compromised the company’s network. The breach involved stolen credentials for a Remote Desktop Protocol (RDP) account that an employee had set up with the weak password "password01"; those credentials were then sold to a ransomware-focused criminal group. Gunnebo, a Swedish multinational providing physical security systems for banks, government agencies, airports, and nuclear facilities, initially reported no significant operational disruption. Five months later, in August 2020, the company disclosed a cyberattack targeting its IT systems that forced it to shut down internal servers. Gunnebo claimed its rapid response contained the ransomware deployment, preventing widespread encryption and minimizing lasting impact. However, the company did not confirm whether the March RDP compromise directly enabled the August incident.

By late September 2020, hackers published at least 38,000 stolen documents on a public server, including sensitive schematics of client bank vaults, surveillance system layouts, and security camera placements. Swedish news agency Dagens Nyheter confirmed the leak, though the extent of access to the data remained unknown. CEO Stefan Syrén stated Gunnebo refused ransom demands to suppress the documents and downplayed the sensitivity of the blueprints, arguing visible camera placements reduced their confidentiality. An internal account manager, Rasmus Jansson, acknowledged relaying the March RDP credentials to IT staff but resigned in August without clarifying Gunnebo’s mitigation actions. The incident exposed systemic security weaknesses, including poor credential hygiene and delayed breach containment, while highlighting ransomware groups’ tactics of exfiltrating data prior to encryption attempts for dual extortion leverage.
