Rheinmetall has revealed that a cyberattack it suffered in April 2023 cost the firm at least $10m. Conducted by the ransomware gang Black Basta, the breach in its civil unit led to the disclosure of reams of confidential data, including copies of passports, non-disclosure agreements and purchase orders. As a result, Rheinmetall was forced to spend an undisclosed sum on business recovery costs as it watched sales in certain units tank following the hack.
“The IT incident in the second quarter of 2023 also affected IT systems at the sides of Materials and Trade in Germany and abroad which initially resulted in a significant drop in sales,” reads Rheinmetall’s annual report for last year. Despite this, however, the firm claims to have recovered relatively quickly, with sales declining “by only ‑1% or €‑4 million year-on-year to €737 million.”
Rheinmetall possibly targeted because of support for Ukraine
Headquartered in Düsseldorf, Germany, Rheinmetall is a major German arms manufacturer and a key supplier of allied exports of military hardware to Ukraine. It is thought that the company was targeted by Black Basta in April 2023 because of its outspoken support for the embattled nation, with rumours circulating at the time that it was poised to build its own tank production facility in the country. Others speculated, however, that the hack could merely have been opportunistic, with Rheinmetall constituting a valuable target in a country where the gang routinely perpetrated cyberattacks.
“By taking action systematically, huge damage to Rheinmetall could be avoided,” read the report. “Large parts of the infrastructure were temporarily unavailable due to measures initiated immediately, although some systems were not at risk. For example, backup and business-critical systems were protected and not at risk. The systems affected or at risk were systematically re-established and equipped with additional security measures. Customers, service providers, and also public authorities were kept informed promptly and comprehensively throughout the entire duration of the re-establishment process.”
Black Basta was barely a year old when it attacked Rheinmetall’s civil unit. Founded in April 2022, the Russian-speaking ransomware gang is likely an offshoot of Conti, another cybercrime gang which disintegrated around that time. While Black Basta succeeded in leaking sensitive data from Rheinmetall’s civil unit however, a spokesperson told Tech Monitor at the time that, due to the “strictly separated IT infrastructure within the Group, Rheinmetall’s military business is not affected by the attack.”
Joint advisory on Black Basta says gang has hacked over 500 organisations
The firm’s chief financial officer, Dagmar Steinert, also told shareholders today that cyberattacks were becoming almost routine for Rheinmetall, adding that the firm was usually able to defend against them. This presumably also includes a DDoS attack against the company last month, which cybersecurity analysts attributed to the Russian hacktivist collective Killnet. A spokesperson for the company claimed that despite the group’s best efforts, Rheinmetall’s systems remained unaffected by the incident.
Black Basta, meanwhile, has continued to prove a potent cybersecurity threat. According to a joint advisory from the FBI and other US federal agencies, the gang’s ransomware compromised over 500 organisations globally between April 2022 and May 2024. Breached companies include automation specialist ABB, IT outsourcer Capita and building supplies company Knauf. Hope that the gang’s efforts might be blunted briefly rose in January when cybersecurity researchers created a decryptor that allowed victims of the gang to recover data stolen from November 2022 onwards. However, it emerged shortly afterwards that Black Basta had quickly patched the flaw in its malware allowing such recoveries to take place.
Content from our partners
