
Cyber Incident Victim: Midea Group

Date: Sep 2022

Location: China

Summary

The REvil ransomware group resurfaced claiming a breach of Midea Group, a major Chinese appliance manufacturer, posting screenshots of allegedly stolen data including an 11.7 GB 'Target Properties' folder and 373 GB of additional information. The attackers threatened to sell financial data and publish proprietary materials such as product blueprints, firmware sources, and version control repositories. REvil, previously linked to high-impact attacks against critical infrastructure entities, had been disrupted by law enforcement months earlier, raising questions about the authenticity of its resurgence. The group's leak site indicated possession of extensive intellectual property and internal systems data from the multinational corporation, though victim confirmation remained unavailable at the time of reporting.

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Description

On or around September 1, 2022, the REvil ransomware group publicly claimed responsibility for a cyberattack targeting Midea Group, a major Chinese electrical appliance manufacturer ranked 245th on the Fortune 500 list with over 150,000 employees, 200 subsidiaries, and annual revenue exceeding $53 billion. REvil announced the breach through its dedicated leak site, displaying screenshots purportedly evidencing unauthorized access to Midea's systems. One screenshot depicted a folder labeled 'Target Properties' containing 11.7 GB of data, while another showed a separate folder holding 373 GB of information. The group explicitly stated it had exfiltrated data from Midea's product lifecycle management (PLM) systems, including blueprints, firmware source code, and financial records, additionally claiming possession of source code repositories from Git and SVN systems. REvil threatened imminent publication of this data unless unspecified demands were met, characterizing the stolen materials as ready for sale.


This incident marked a resurgence of REvil, a group previously linked to high-impact attacks against meat supplier JBS and software firm Kaseya before Russian authorities reported dismantling its operations in January 2022 through arrests and asset seizures. The attack on Midea occurred despite the FSB's earlier confiscation of 426 million roubles, $600,000, 500,000 euros, and luxury vehicles from alleged REvil affiliates. Cybersecurity researchers acknowledged observing REvil-associated tactics in recent attacks but could not conclusively determine whether the original group had reconstituted or if copycat actors were leveraging its branding. Midea Group did not publicly acknowledge the breach or provide details about compromised systems, containment measures, or operational impacts when contacted by media outlets prior to publication. The absence of confirmed data disclosures beyond REvil's initial claims left the full scope of data exposure and financial consequences unverified at the time of reporting.
