Cyber Incident Victim: Dassault Aviation
Date: Dec 2020
Location: France
Summary
A ransomware group infiltrated Dassault Falcon Jet's systems for over six months, exploiting a specific vulnerability to gain access before encrypting critical servers and file shares. The attackers exfiltrated sensitive data, including development documentation for new aircraft models, and threatened to auction or publicly release the information unless contacted via their secure channel. Despite the group's public claims and direct outreach, the company initially provided limited acknowledgment of the incident, with spokespersons denying awareness while communications leadership remained unresponsive to inquiries. The perpetrators emphasized the robustness of the victim's security perimeter but asserted it was insufficient to prevent their intrusion.
Description
On December 10, 2020, the ransomware operators Ragnar Locker privately disclosed to journalists that they had compromised Dassault Falcon Jet Corp.'s systems for over six months prior to deploying file-encrypting malware on the morning of December 7. The attackers claimed initial access through exploitation of a vulnerable system (referenced as "Shitrix," likely a corruption of "Citrix") identified via the specialized search engine Onyphe in late March 2020. Despite acknowledging the victim's "very robust security perimeter," the operators successfully encrypted all critical servers and file shares. Ragnar Locker operatives privately threatened to release sensitive data unless Dassault engaged in negotiations, specifically warning that continued corporate silence would result in public exposure of collected information. The group later published a public extortion notice on their website demanding direct communication via secured live chat, claiming possession of sensitive development documentation for new Falcon jets, including the recently unveiled Falcon 6X model.

Dassault Falcon Jet Corp.'s communications director confirmed the incident did not involve parent company Dassault Aviation, redirecting media inquiries. Corporate spokespersons initially denied awareness of any cybersecurity incident when contacted on December 10, asserting normal email and website functionality while referring questions to unresponsive communications leadership. Ragnar Locker escalated threats by announcing plans to auction proprietary aircraft development documents through their leak site if negotiations failed, explicitly referencing Falcon 6X technical data. The attackers emphasized their prolonged network presence enabled extensive data collection, framing potential disclosure as inevitable without compliance. No containment measures, forensic findings, or operational impacts beyond encrypted systems were publicly confirmed by Dassault Falcon Jet Corp. representatives during the initial disclosure period.
