Cyber Incident Victim: Bombardier Inc.

Date:

Dec 2020

Location:

Costa Rica

Summary

A business jet manufacturer suffered a data breach when attackers exploited a zero-day vulnerability in a legacy third-party file-transfer application (Accellion FTA) to steal sensitive information. The Clop ransomware gang subsequently extorted the organization by leaking stolen data, including aircraft design schematics, flight test reports, and personal information of employees, customers, and suppliers. Approximately 130 employees in Costa Rica were directly impacted. Forensic analysis confirmed the breach was limited to the isolated file-transfer servers, with no compromise of core IT systems. The incident was part of a broader campaign targeting multiple organizations using the vulnerable Accellion software.

Description

In early February 2021, the Clop ransomware gang publicly posted stolen Bombardier data on their leak site, including airplane design schematics, parts diagrams, and flight test reports. This followed an intrusion exploiting a zero-day vulnerability in the Accellion FTA file-transfer application, which Bombardier used on isolated servers separate from its primary IT network. The breach occurred in December 2020, coinciding with widespread attacks targeting Accellion FTA devices globally. Bombardier confirmed the incident after BleepingComputer inquired about the leaked data, disclosing that attackers extracted personal and confidential information of employees, customers, and suppliers. Forensic analysis identified approximately 130 affected employees based in Costa Rica. The company initiated proactive notifications to potentially compromised external stakeholders, emphasizing that the breach was confined to the Accellion FTA environment and did not penetrate other operational systems.

Accellion FTA, a legacy secure file-sharing service, had been compromised since December 2020 through an unpatched vulnerability, enabling threat actors to exfiltrate data before Accellion released a security update on December 25. Clop began leaking data from multiple victims in February 2021, including Bombardier, Singtel, and Danaher, while other organizations like Kroger and the Reserve Bank of New Zealand confirmed breaches without public data leaks. Ransom demands were delivered via email to company employees rather than through on-system notes, diverging from typical ransomware deployment methods. Bombardier’s breach advisory did not specify whether data encryption or ransom payments occurred, focusing instead on the theft of sensitive information. The Clop gang’s direct outreach to BleepingComputer regarding their leak site postings highlighted their role in publicizing the attacks, though it remained unclear whether they executed the initial intrusions or collaborated with other threat actors. The incident underscored the risks of third-party application vulnerabilities, as Bombardier joined over a dozen organizations impacted by the coordinated Accellion FTA exploitation campaign.
