
Cyber Incident Victim: Kopter

Date: Dec 2020

Location: Switzerland

Summary

A Switzerland-based helicopter manufacturer suffered a ransomware attack in which the LockBit gang breached its network by exploiting a VPN appliance with weak password security and lacking two-factor authentication. After the company refused to negotiate, despite having accessed the ransom page, the attackers published internal data on their dark web leak site, a coercive tactic common among ransomware groups. The incident resulted in unauthorized data disclosure, though the organization did not publicly acknowledge the breach or provide details regarding impacted systems or operational disruption. The attackers claimed responsibility for both the intrusion and the subsequent data leak, using typical extortion methods to pressure payment.


Description

On December 4, 2020, ransomware operators from the LockBit group publicly disclosed data stolen from Swiss helicopter manufacturer Kopter after the company refused to engage in ransom negotiations. The attackers initially compromised Kopter's internal network by exploiting a VPN appliance configured with a weak password and lacking two-factor authentication. Following the breach, LockBit exfiltrated corporate data and attempted to extort payment by threatening to publish the stolen files. The gang claimed a Kopter representative accessed their ransom negotiation portal but did not respond to communications. When no payment was forthcoming, LockBit executed its threat by publishing portions of Kopter's data on its dark web leak site, a common tactic among ransomware groups to pressure victims into paying.

The incident occurred after Kopter's January 2020 acquisition by Italian aerospace conglomerate Leonardo, though neither entity publicly acknowledged the breach. LockBit's leak site publication exposed internal corporate data, though specific file types or operational impacts were not detailed in available reports. No evidence indicated operational disruption to Kopter's manufacturing activities, but the unauthorized data exposure created reputational and potential intellectual property risks. The company maintained silence despite media outreach attempts, leaving mitigation efforts and forensic details undisclosed. The attackers' exploitation of inadequate VPN security highlighted vulnerabilities in Kopter's network perimeter defenses at the time of intrusion.
