Cyber Incident Victim: ADIF
Date: Jul 2020
Location: Spain
Summary
A Spanish state-owned railway infrastructure manager was targeted by REvil ransomware operators, who claimed to have exfiltrated 800GB of sensitive data, including contracts, customer information, and internal reports, and threatened to release it publicly unless ransom demands were met. The organization confirmed the attack but stated that its security measures promptly contained the incident, with no operational disruption to critical services. Cybersecurity researchers verified that the breach involved confidential documents such as property records and project plans. During the same period, REvil also executed another high-profile attack on a major Argentinian telecom provider. The victim emphasized cybersecurity as a foundational priority despite the compromise.
Description
On July 24, 2020, Spanish state-owned railway infrastructure manager Administrador de Infraestructuras Ferroviarias (ADIF) confirmed it suffered a ransomware attack attributed to the REvil (also known as Sodinokibi) ransomware group. The attack targeted ADIF, an entity under Spain's Ministry of Development responsible for managing railway infrastructure with approximately 13,000 employees and $8 billion in annual revenue. REvil operators claimed to have exfiltrated 800GB of sensitive data prior to deploying ransomware, including internal correspondence, contractual documents, and operational records. As proof of compromise, the threat actors publicly posted samples of stolen files. Security firm Cyble corroborated the breach, identifying additional compromised materials such as high-speed hiring committee contracts, property records, field work reports, project action plans, and customer-related documents. ADIF stated its internal security teams immediately contained the incident, emphasizing that critical railway infrastructure remained unaffected and all services continued normal operations throughout the event.

The attackers issued a ransom demand, threatening to publish the full cache of stolen data if payment was not made; the specific ransom amount was not disclosed in available reports. Analysis by Cyble's research team indicated that the exfiltrated data could expose sensitive procurement, operational, and customer information. During the same timeframe, REvil also targeted Telecom Argentina, infecting approximately 18,000 systems and demanding a $7.5 million ransom, which demonstrated the group's coordinated operations against high-value targets. ADIF maintained public assurances regarding service continuity and described cybersecurity as a foundational component of its security strategy, though it disclosed no details regarding data recovery processes or forensic investigations. The incident highlighted vulnerabilities in critical transportation sector entities despite organizational assertions of robust security postures.
