
Cyber Incident Victim: Gedia Automotive Group

Date: Jan 2020

Location: Germany

Summary

The Gedia Automotive Group suffered a disruptive ransomware attack by the Sodinokibi (REvil) criminal group, forcing an immediate shutdown of its central IT infrastructure to prevent wider damage, which halted administrative operations and sent employees home. Attackers exfiltrated over 50GB of sensitive data—including blueprints, employee details, and client information—threatening to publish it unless a ransom was paid, while also leaking proof-of-compromise data like Active Directory credentials extracted via the ADRecon tool. The incident had extensive operational consequences across the company’s international facilities due to interconnected systems, requiring external security assistance and projected weeks-to-months for full recovery.


Description

On or around January 20, 2020, Gedia Automotive Group, a 100-year-old German automotive parts manufacturer with headquarters in Attendorn and operations in seven countries, suffered a massive cyber attack attributed to the Sodinokibi (REvil) ransomware group. The attackers infiltrated Gedia’s network, encrypted files across all machines, and exfiltrated over 50GB of sensitive data, including technical blueprints, employee details, and client information. Following discovery of the breach, Gedia’s management immediately ordered a full shutdown of its central IT infrastructure to prevent complete system collapse. This action severed connectivity across all global facilities, including sites in Spain, Poland, Hungary, and the United States, as they relied on the centralized network. Administrative functions were paralyzed, forcing nearly all headquarters staff in Attendorn to cease work under flextime arrangements.

The Sodinokibi group publicly claimed responsibility on January 22, 2020, via posts on two Russian-speaking dark web forums under the alias “UNKN.” They threatened to sell or publicly release Gedia’s stolen data within seven days unless a ransom was paid, providing a scanned extract of the company’s Microsoft Active Directory as proof of compromise. Forensic analysis confirmed attackers used ADRecon—a tool previously linked to Sodinokibi operations—to harvest credentials from a Windows Server 2012 machine within Gedia’s network. The attack’s origin was traced to Eastern Europe, consistent with the group’s known infrastructure. Gedia engaged external cybersecurity experts to assess the damage and initiate recovery, estimating full system restoration would require weeks or months. Operational disruptions impacted production and supply chain activities group-wide, with long-term consequences for business continuity. Concurrently, the attackers intensified pressure by leaking partial data from another victim, Artech Information Systems, demonstrating their escalated “attack and brag” strategy to coerce ransom payments.
