
Leonardo.com: Aerospace & Defense Giant Allegedly Targeted by ThreeAM Ransomware Group


Leonardo S.p.A., a global leader in aerospace, defense, and security solutions, has allegedly fallen victim to a ransomware attack by the cybercriminal group known as ThreeAM. A recent leak posted on ThreeAM’s dark web data leak site suggests that the attackers have begun publishing stolen data from Leonardo, with a marker indicating that 1% of the files may be published.

Screenshot from ThreeAM darknet leak site

The Attack on Leonardo

The ThreeAM ransomware group, a relatively new but increasingly active cybercriminal organization, listed leonardo.com on its darknet leak site, indicating that the company’s data had been compromised. The post, which appears alongside leaks from other organizations, includes a brief description of Leonardo and states that the publication of the stolen data is underway.

While the extent of the breach remains unclear, the publication of any data could pose significant security concerns. Leonardo, headquartered in Rome, Italy, is a major supplier of military and aerospace technologies to governments and private entities worldwide. A data leak from the company could potentially expose sensitive intellectual property, classified contracts, or confidential defense-related information.

Potential Implications

Given Leonardo’s strategic importance in defense and security, any unauthorized disclosure of its data could have far-reaching consequences. The exposure of sensitive files could:

  • Compromise national security by revealing classified projects and technologies.
  • Lead to industrial espionage, benefiting competitors or hostile actors.
  • Impact ongoing and future defense contracts with NATO and other international partners.

Leonardo’s Response

As of now, Leonardo has not officially confirmed or denied the attack. Organizations with ties to Leonardo are also advised to assess their cybersecurity posture, as attackers may leverage stolen credentials or trade secrets for further exploitation.

Who is ThreeAM?

The ThreeAM ransomware group, also known as 3am, has been active in targeting high-profile organizations, particularly those in critical infrastructure sectors. Unlike more established ransomware operations such as LockBit or BlackCat, ThreeAM has gained notoriety for its stealthy tactics and sophisticated encryption techniques.

Security researchers note that the group often exfiltrates sensitive data before encrypting victims' files, using the threat of public leaks to pressure organizations into paying ransom demands, and wipes Volume Shadow Copies to make recovery more difficult. Furthermore, it appears that 3AM was initially developed as a 'backup' for the notorious LockBit ransomware. The inclusion of Leonardo on their leak site suggests that ransom negotiations may have failed, prompting the attackers to begin releasing compromised data.

The alleged attack on Leonardo.com by the ThreeAM ransomware group underscores the persistent and evolving cyber threats facing global defense and aerospace organizations. As the situation develops, stakeholders will be watching closely to determine the full extent of the damage and the potential implications for international security.

For now, all eyes remain on Leonardo’s next steps in addressing this cybersecurity crisis.
