Cyber Incident Victim: A10 Networks
Date: Jan 2023
Location: United States of America
Summary
A10 Networks experienced a cybersecurity incident involving unauthorized access to its corporate IT systems by the Play ransomware group, who exfiltrated data from internal HR, finance, and legal shared drives before deploying encryption malware on select servers and workstations. The intrusion was contained within hours, with forensic analysis indicating no compromise of customer-facing technical documents, products, or solutions. The attackers later threatened to leak stolen confidential files, including employee and client data, though the company maintained the breach would not materially impact operations. Law enforcement and external experts assisted in the investigation and containment efforts.
Description
On January 23, 2023, A10 Networks experienced a cybersecurity incident involving unauthorized access to its corporate IT storage systems and devices. The attack lasted several hours before the company’s IT team halted the intrusion, activating incident response protocols immediately upon detection. Forensic investigations conducted with CrowdStrike and U.S. authorities confirmed the threat actors first exfiltrated data from internal shared drives supporting human resources, finance, and legal functions. Subsequently, the attackers deployed malware to encrypt servers and workstations within the network, consistent with ransomware operations. A10 Networks contained the incident by January 23, based on network monitoring showing no further malicious activity beyond that date. The investigation revealed no evidence that customer-facing technical documents, engineering data, or support tickets were compromised. The company emphasized that its products and customer solutions remained unaffected throughout the event. By February 7, A10 Networks publicly disclosed the breach, noting ongoing recovery efforts and collaboration with forensic experts to assess the full scope.

The Play ransomware gang claimed responsibility for the attack, listing A10 Networks on its extortion site on February 9 and threatening to leak stolen data unless demands were met. The group alleged possession of confidential files, including technical documentation, employee and client records, legal agreements, and personal information. A10 Networks addressed these claims in an 8-K filing, reiterating that only corporate function data—not operational systems or customer infrastructure—was compromised. The company maintained the incident would not materially impact its business operations. Play ransomware, known for exploiting Microsoft Exchange vulnerabilities to gain initial access, had previously targeted high-profile entities such as the city of Antwerp, Arnold Clark, and Rackspace. A10 Networks continued working with law enforcement and third-party experts to restore systems and investigate the data exfiltration’s extent, while monitoring for potential leaks of the stolen information.
