Cyber Incident Victim: Védelmi Beszerzési Ügynökséget
Date:
Nov 2024
Location:
Hungary
Summary
A ransomware attack targeted a Hungarian state agency responsible for military and law enforcement procurement, with the Inc. Ransomware group encrypting files and demanding a $5 million ransom to prevent public release. Sensitive data, including financial reports, internal emails, procurement lists, organizational details, and a document suspending future procurement procedures, was exfiltrated and partially leaked publicly. The attackers gained broad access to internal systems, though government officials claimed no military structural data was compromised and downplayed the sensitivity of the leaked information. The incident prompted a criminal investigation, with authorities acknowledging the breach but emphasizing ongoing military procurement activities despite references to procurement suspensions in leaked documents.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around October 2024, the Hungarian Defense Procurement Agency (Védelmi Beszerzési Ügynökség, VBÜ), responsible for military and law enforcement procurement, suffered a ransomware attack by the Inc. Ransomware group, an international hacker collective known for targeting government entities. The attackers encrypted the agency’s files and demanded a $5 million ransom for decryption, threatening to publicly release sensitive data if unpaid. Evidence suggests the breach occurred in October, with the group publishing screenshots of stolen documents on November 6 via their public-facing website, making the data accessible without specialized dark web tools. Compromised materials included financial reports, defense organizational details, non-public updates on defense and military development programs, procurement lists, executive directives, internal emails, employee reward records, and internal audit documents. A particularly notable leaked document was a "URGENT!" directive from the head of the Hungarian Defense Forces Logistics Support Command (MH LTP) suspending all procurement procedures not yet under contractual obligation for 2025 due to budgetary constraints. Cybersecurity expert Ferenc Frész highlighted this document in his initial Facebook post about the breach on November 13, linking it to broader debates about Hungary’s defense spending.
The VBÜ, established in December 2019 to centralize defense and security procurement, confirmed the incident through the Hungarian Ministry of Defense, which stated a criminal report had been filed and an investigation was ongoing but declined further details, asserting the agency "does not handle military structural data." The VBÜ website remained operational with no visible signs of the attack, though an October mid-month service disruption notice coincided with the suspected breach timeline. At a subsequent government press briefing, Minister Gergely Gulyás claimed authorities only learned of the incident on November 14 and downplayed its severity, stating leaked data included encrypted procurement information but no "truly sensitive" military structural details. He also denied any blanket military procurement halt, clarifying that Hungary allocates 2% of GDP to defense and that the suspension referenced in the leaked MH LTP document likely applied only to limited areas. The incident highlighted systemic vulnerabilities, as military agencies like VBÜ operate outside EU NIS2 cybersecurity regulations and the oversight of Hungary’s National Cybersecurity Institute, relying instead on autonomous military intelligence structures criticized internally for excessive secrecy.