The Black Basta ransomware gang has struck again, claiming automotive and defence manufacturer Rheinmetall as its latest victim. The company has confirmed the breach, which has seen screenshots of stolen data posted to Black Basta’s dark web blog.


The attack took place in April, at a time when the company revealed it could build a tank factory in Ukraine. Black Basta is thought to operate out of Russia and may have close ties to the government in Moscow.

Rheinmetall has over 28,000 employees and generated revenue of €6.4bn in 2022.

Rheinmetall cyberattack: Black Basta ransomware gang behind breach

Rheinmetall has confirmed that the Black Basta ransomware gang was behind a cyberattack perpetrated last month.

Screenshots posted to the gang’s dark web victim blog show that sensitive data such as passport copies, purchase orders, non-disclosure agreements, letters of confidentiality and other corporate documents are in the hands of cybercriminals. The release of data suggests that negotiations between the cybercrime group and the company have fallen through, though it is not known if a ransom has been demanded or paid.

Tech Monitor has contacted Rheinmetall for more details of how the breach occurred, but a company spokesperson told Bleeping Computer: “Rheinmetall is continuing to work on resolving an IT attack by the ransomware group Black Basta. This was detected on 14 April 2023. It affects the Group’s civilian business.”

The spokesperson also claimed that: “Due to the strictly separated IT infrastructure within the Group, Rheinmetall’s military business is not affected by the attack.”

Rheinmetall is in contact with the relevant authorities and has filed a criminal complaint with the Cologne public prosecutor’s office.

The attack took place in April after an announcement by the company that it was holding talks with Ukraine concerning the construction of a tank factory. “A Rheinmetall factory could be built in Ukraine at a cost of about €200m”, to turn out up to 400 Panther tanks a year, the company’s president Armin Papperger said.

Rheinmetall already provides Ukraine with defence hardware such as reconnaissance systems and ammunition. The company is a key manufacturer of guns on the Leopard tank, which is being supplied to Ukraine by several European nations.

Black Basta continues campaign against Western businesses

Surfacing in April 2022, the Russian-speaking cybercrime gang appears to favour targeting Europe and the English-speaking world.

Most recently, the ransomware group attacked global manufacturing giant ABB, in a breach which affected hundreds of the company’s devices. Cybercriminals attacked the company’s online infrastructure through its Windows Active Directory, ABB confirmed earlier this month. 

Black Basta hit 44 victims in 2022, according to a Trend Micro report. Last summer it claimed responsibility for an attack on the Knauf building supplies company, which severely hindered the business’s operations across Europe for several weeks.

The gang favours double extortion tactics, in which a victim company’s data is both stolen and encrypted, so that the organisation can be coerced into communicating with the criminals and pressured into purchasing the decryption key.

In April, Black Basta posted its intentions to buy and monetise corporate network access for a share in the profits. The post, written in Russian, specified that it was looking for organisations based in the United States, Canada, United Kingdom, Australia, and New Zealand, according to a report from security company Cybereason.
