Boeing, a prominent aerospace manufacturer and defense contractor, found itself targeted by the LockBit ransomware group at the end of October. This cybercriminal organization claimed responsibility for infiltrating Boeing’s systems and asserted that it had obtained a substantial amount of sensitive data. The group threatened to disclose this information unless Boeing engaged with them before a deadline initially set for November 2, 2023, at 13:25:39 UTC and later extended to November 10, 2023.
In early November 2023, Boeing officially acknowledged that its services division had fallen victim to a cyber attack. The incident specifically targeted components of the parts and distribution business operated by the global services division. Boeing promptly alerted law enforcement agencies and relevant regulatory authorities.
A statement released by Boeing emphasized ongoing collaboration with law enforcement and regulatory bodies. The aerospace giant disclosed that the cybercriminal group, identified as LockBit and alleged to have Russian ties, had threatened to release sensitive data unless a ransom demand was met. Notably, by Wednesday evening, Boeing was conspicuously absent from LockBit’s leak website.
Despite the threat, Boeing took a firm stance against paying the ransom. Consequently, the LockBit group leaked over 40GB of files from Boeing. An analysis by Bleeping Computer revealed that the majority of the published data comprised backups for various systems, with the latest documents dating back to October 22.
The method by which the threat actors breached Boeing remains unclear. Some experts speculate that the attackers may have exploited the ‘Citrix Bleed’ vulnerability. In October, Citrix had urgently advised administrators to secure NetScaler ADC and Gateway appliances against the actively exploited CVE-2023-4966 vulnerability.
The vulnerability, tracked as CVE-2023-4966, was deemed critical by Citrix in a security bulletin published on October 10. Mandiant researchers had observed it being exploited as a zero-day since late August. Threat actors used this vulnerability to hijack existing authenticated sessions, circumventing multifactor authentication and other robust authentication measures. The researchers also warned that sessions persisted even after the update mitigating CVE-2023-4966 was deployed, with observed instances of session data stolen prior to patch deployment being exploited by threat act