Cyber Incident Victim: Thales
Date: Oct 2022
Location: France
Summary
The LockBit ransomware group claimed to have stolen data from French defense firm Thales and threatened its release, prompting the company to investigate. Thales denied any intrusion into its systems or receipt of a ransom demand, stating its cybersecurity experts found no evidence of compromise while continuing to monitor the situation. LockBit, a prolific ransomware operation linked to numerous attacks including disruptions to healthcare services, had recently intensified its activities with an updated platform and accounted for a significant portion of industrial ransomware incidents during the relevant period.
Description
On October 30, 2022, French defense and technology firm Thales publicly denied claims by the LockBit ransomware group that it had compromised the company’s systems. The LockBit group announced plans to release stolen Thales data on November 7 via its dedicated leak site, prompting Thales to investigate. A company spokesperson confirmed awareness of LockBit’s leak site posting but stated cybersecurity experts had identified no evidence of system intrusions, data exfiltration, or operational impacts. Thales emphasized it received no direct ransom demand or authenticated communication from the attackers. The company maintained its information systems showed no traces of compromise and activated dedicated security teams to monitor the situation. Thales reiterated data protection as its highest priority, with experts systematically investigating the allegations while maintaining vigilance for potential data releases.

LockBit, a ransomware-as-a-service operation active since 2019, had significantly escalated its activities prior to the Thales incident. The group launched LockBit 3.0 in mid-2022, becoming the most prolific ransomware operation after Conti’s decline. Cybersecurity firm Dragos attributed approximately one-third of all Q2 2022 ransomware attacks on industrial systems to LockBit. The group claimed at least 68 victims in August 2022 alone, including a disruptive attack on a Paris-area hospital that crippled medical imaging, patient admissions, and critical services. Researchers had linked over 1,029 attacks to LockBit since its inception, with its operational tempo accelerating after the 2021 release of LockBit 2.0. Thales continued monitoring LockBit’s leak site for any data publications but reported no confirmed breaches or data exposures related to the threat as of the initial statement.
