Cyber Incident Victim: Fabricaciones Militares
Date:
Nov 2025
Location:
Argentina
Summary
Fabricaciones Militares suffered a ransomware attack carried out by the group MONTI, which encrypted systems and exfiltrated over 300 gigabytes of data, including plans for next‑generation weapons such as upgrades to the TAM 2IP main battle tank and the development of a CH‑14 helicopter. The breach occurred while the state‑owned defense manufacturer is being restructured into a public limited company and faces possible privatization, leaving more than a thousand workers uncertain about their future. Specialized media first disclosed the incident, noting the group’s dark‑web taunts about insufficient cooperation and suggesting negotiations for data recovery, while an Interpol alert highlighted rising ransomware interest in defense contractors in neutral countries.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Specialized media outlets FalconFeeds.io and Cyber Press were the first to reveal that Fabricaciones Militares, a state‑owned Argentine defense manufacturer, had suffered a ransomware attack. The group identifying itself as MONTI claimed responsibility for the intrusion and announced the exfiltration of more than 300 gigabytes of data. According to the reports, the stolen information includes sensitive material such as plans for cutting‑edge weapons projects. Among the disclosed plans are the upgrade of the TAM 2IP main battle tank and the development of a CH‑14 helicopter. The attack occurred while Fabricaciones Militares is supporting the Villa María Military Powder and Explosives Factory, which depends on its production capabilities. The company is simultaneously undergoing a transition to become a public limited company amid the government’s stated intention to privatize it. MONTI later posted on its dark‑web portal mocking the management’s “insufficient cooperation,” indicating that negotiations for the return of the stolen data may be underway.
The timing of the breach coincides with an Interpol alert issued in 2024 that warned of increasing ransomware interest in defense contractors situated in geopolitically neutral countries. This suggests that the cyberattack may have been planned and executed by a group with significant experience and resources. Beyond the immediate data loss, the incident unfolds against a backdrop of institutional change: more than a thousand workers face uncertainty after the auction of equipment and vehicles from Fabricaciones Militares, with privatization expected to involve firms linked to NATO and the United States that have interests in ammunition and explosives manufacturing. The official response has been characterized by silence, with no public statements from authorities regarding the breach or any containment measures. This event follows a series of cyber incidents at the end of 2024, including the massive hacking of the “Mi Argentina” platform and roughly twenty other government sites, which highlighted existing weaknesses in public‑sector cybersecurity. Together, these factors illustrate how the ransomware attack on Fabricaciones Militares intersects with broader operational, economic, and security challenges facing the Argentine defense sector.