Cyber Incident Victim: National Aerospace Laboratories
Date:
Nov 2023
Location:
India
Summary
A ransomware attack targeted India's National Aerospace Laboratories, compromising sensitive data including classified documents. The National Investigation Agency initiated an investigation into the incident as a cyberterrorist attack, attributing responsibility to the LockBit cybercrime group known for extorting victims through data theft and encryption. LockBit threatened to publish stolen information unless ransom demands were met, highlighting risks to critical infrastructure. The group, described as one of the world's most prolific ransomware-as-a-service operations, was later disrupted by an international law enforcement operation that seized its infrastructure and decryption keys.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On November 15, 2023, the National Aerospace Laboratories (NAL) in Bengaluru, India’s largest civilian aerospace research organization under the Council of Scientific and Industrial Research, experienced a ransomware attack. The LockBit cybercrime group, identified by investigators as one of the world’s most prolific ransomware-as-a-service operations, claimed responsibility for the breach. LockBit infiltrated NAL’s systems, exfiltrated sensitive data—including classified correspondence—and encrypted files, subsequently demanding an unspecified ransom payment under threat of public data release. The National Investigation Agency (NIA), India’s federal counterterrorism unit, registered a case to probe the incident as a potential act of cyberterrorism, citing the targeting of critical government infrastructure. NAL’s status as India’s sole civilian aerospace R&D laboratory heightened concerns over the compromise of strategic research data. The NIA’s specialized anti-cyberterrorism division, which previously assisted in investigating the 2022 All India Institute of Medical Sciences ransomware incident, led the inquiry.
LockBit, operational since 2019 under its earlier alias "ABCD," had globally victimized over 2,000 entities—including businesses, hospitals, and government agencies—extracting more than $120 million in ransom payments prior to its disruption. In February 2024, a coordinated international law enforcement operation involving agencies from the US, UK, France, Germany, and six other nations seized LockBit’s infrastructure, source code, and decryption keys, crippling its operations. The UK’s National Crime Agency declared the action had "locked out" the group, undermining its secrecy and credibility. The US Department of Justice emphasized LockBit’s designation as the world’s most active ransomware threat, with cumulative ransom demands exceeding hundreds of millions of dollars. The NAL attack exemplified LockBit’s persistent targeting of Indian critical infrastructure, aligning with broader patterns of ransomware extortion against high-value institutional targets globally. No public confirmation emerged regarding ransom payment or data leaks specific to the NAL breach as of the investigation’s disclosure.