Cyber Incident Victim: Automatic Systems

Date: Jun 2023

Location: Belgium

Summary

A Bolloré subsidiary specializing in access control systems suffered a ransomware attack claimed by the ALPHV/BlackCat gang. The intrusion compromised servers and resulted in the theft of a significant volume of sensitive data. Exfiltrated information included confidential documents related to NATO, non-disclosure agreements with clients such as Alibaba and Thales, financial records, and personal identification details including copies of passports. The company engaged external cybersecurity experts and notified law enforcement following the incident.

Description

On or around June 3, 2023, Automatic Systems, a Belgium-based manufacturer of secure entrance control systems and a subsidiary of the French conglomerate Bolloré, suffered a cybersecurity intrusion. The company confirmed that threat actors targeted part of its servers. In response to the attack, Automatic Systems immediately implemented specific protection measures to halt the advance of the ransomware. The company engaged external cybercrime experts to support its internal IT teams, who worked around the clock to address the incident. Automatic Systems also stated its commitment to full transparency during the investigation and reported that it had contacted law enforcement authorities in Belgium.

The Russia-linked ALPHV/BlackCat ransomware gang claimed responsibility for the attack on June 12, 2023. The group posted on its dark web leak site, asserting it had stolen a significant quantity of critical data from Automatic Systems. To support their claim, the attackers posted over a hundred samples of the allegedly stolen data. The compromised information was described as including a wide range of sensitive documents, such as non-disclosure agreements (NDAs), copies of passports, personal information of the company’s partners and clients, and financial data. The gang’s post specifically highlighted the theft of confidential documents pertaining to Automatic Systems' cooperation with NATO and the procurement of equipment for military companies. Detailed schemes for the installation and use of such equipment were also listed among the stolen data.

The data samples published by ALPHV/BlackCat provided evidence of the breach's scope, implicating several high-profile Automatic Systems customers. Notably, the leaked samples included non-disclosure agreements between the victim company and the Chinese retailer Alibaba. Documents signed with the French defense contractor Thales were also displayed among the samples. The public exposure of this data indicated a significant compromise of business relationships and sensitive client information.

Automatic Systems is a specialist in producing vehicle, pedestrian, and passenger access control systems. Its product range includes rising barriers and electronic passport gates commonly used in airports. The company employs nearly 400 staff and is part of the larger Bolloré group, which reported revenues exceeding $22 billion the previous year. The nature of its business, providing physical security infrastructure to military and corporate entities, made the data breach particularly sensitive.

The ALPHV/BlackCat ransomware operation, first observed in 2021, is known for its use of the Rust programming language and operates on a ransomware-as-a-service (RaaS) model. According to an analysis by Microsoft, threat actors deploying this malware have affiliations with other prominent ransomware groups such as Conti, LockBit, and REvil. The FBI has linked money launderers for the ALPHV/BlackCat cartel to the DarkSide and BlackMatter ransomware cartels, indicating a well-established network of operatives. The group was responsible for approximately 12 percent of all ransomware attacks in 2022 and had recently focused on professional service providers. In the weeks preceding the attack on Automatic Systems, the gang had claimed breaches against Mazars Group, an international audit and accounting firm, and Casepoint, a legal technology platform used by U.S. government agencies including the Department of Defense.

The primary impact of the incident was the exfiltration and public exposure of highly sensitive data belonging to Automatic Systems and its clients. The compromise of non-disclosure agreements, passport copies, and financial documents posed immediate risks of identity theft and fraud for affected individuals. For corporate and governmental clients like Thales, Alibaba, and NATO, the breach risked the exposure of proprietary information, procurement details, and technical schematics for security equipment. The public linking of these organizations to a specific security hardware provider through a ransomware leak could also have operational security implications. The company’s response involved a concerted effort to contain the attack through immediate protective measures and the engagement of external cybersecurity experts. Law enforcement was notified as part of the standard response protocol to a cybercrime incident. The full extent of any operational disruption to Automatic Systems' manufacturing or service capabilities was not detailed in the public statements.
