Boeing systems hit in reported Lockbit cyberattack

Aerospace and defense giant Boeing on Thursday confirmed that it had suffered a cyber incident affecting its parts and distribution business, and the infamous Lockbit ransomware group is reported to be behind the attack.

According to a Boeing spokesperson, the company is taking post-incident steps to rectify the damage, noting that the incident did not compromise aircraft systems or flight safety.

“We are actively investigating the incident and coordinating with law enforcement and regulatory authorities,” Boeing said. “We are notifying our customers and suppliers.”

An X (formerly Twitter) account for the VX Underground website, which bills itself as a distributor of malware samples, source code and research papers, said that Lockbit had added Boeing to its public “victims list.” VX Underground said that it had spoken to Lockbit’s “administrative staff,” who said that the group used a zero-day exploit to access Boing’s systems.

Boeing did not provide any technical information about the attack, nor any information about whether a ransom had been demanded or paid. However, a screenshot purportedly taken of the Lockbit leak site on the dark web and posted on X by VX Underground read in part, “A tremendous amount of sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!”

The Lockbit gang, according to a report from the US Cybersecurity and Infrastructure Security Agency, works on an affiliate model, using what amount to subcontractors to compromise target systems and plant the Lockbit ransomware software. CISA calls it “ransomware as a service,” and, due to variances in tactics and techniques among the various affiliates, the attacks can be difficult to defend against.

“Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation,” CISA wrote.

Lockbit was the most active global ransomware group in the world in 2022, according to CISA, which added that the group has functioned like an aggressive business in several ways, including making its ransomware tools simple to use, drumming up publicity via a series of stunts, and denigrating rival ransomware gangs in online forums.

Lockbit has performed roughly 1,700 ransomware attacks in the US since 2020, according to the FBI, and the gang is thought to have taken in about $91 million in ransom payments. The group also participates in a form of “double extortion,” CISA said, where it not only encrypts sensitive data, but steals it and threatens to publish it widely.