
Rheinmetall reveals last year’s hack by Black Basta cost the firm $10m

Though the firm was hit with business recovery costs and a dip in sales as a result of the breach, the cyberattack only impacted Rheinmetall’s civilian unit and not its military arm.

By Greg Noone

Rheinmetall has revealed that a cyberattack it suffered in April 2023 cost the firm at least $10m. Conducted by the ransomware gang Black Basta, the breach in its civil unit led to the disclosure of reams of confidential data, including copies of passports, non-disclosure agreements and purchase orders. As a result, Rheinmetall was forced to spend an undisclosed sum on business recovery costs as it watched sales in certain units tank following the hack.

“The IT incident in the second quarter of 2023 also affected IT systems at the sides of Materials and Trade in Germany and abroad which initially resulted in a significant drop in sales,” reads Rheinmetall’s annual report for last year. Despite this, however, the firm claims to have recovered relatively quickly, with sales declining “by only ‑1% or €‑4 million year-on-year to €737 million.”

A Leopard tank, manufactured by Rheinmetall. The German defence giant has conceded that the breach of its civil unit last year by Black Basta cost the company some $10m, a mixture of business recovery expenses and curtailed sales. (Photo by Shutterstock)

Rheinmetall possibly targeted because of support for Ukraine

Headquartered in Düsseldorf, Germany, Rheinmetall is a major German arms manufacturer and a key supplier of allied exports of military hardware to Ukraine. It is thought that the company was targeted by Black Basta in April 2023 because of its outspoken support for the embattled nation, with rumours circulating at the time that it was poised to build its own tank production facility in the country. Others speculated, however, that the hack could merely have been opportunistic, with Rheinmetall constituting a valuable target in a country where the gang routinely perpetrated cyberattacks.

“By taking action systematically, huge damage to Rheinmetall could be avoided,” read the report. “Large parts of the infrastructure were temporarily unavailable due to measures initiated immediately, although some systems were not at risk. For example, backup and business-critical systems were protected and not at risk. The systems affected or at risk were systematically re-established and equipped with additional security measures. Customers, service providers, and also public authorities were kept informed promptly and comprehensively throughout the entire duration of the re-establishment process.”

Black Basta was barely a year old when it attacked Rheinmetall’s civil unit. Founded in April 2022, the Russian-speaking ransomware gang is likely an offshoot of Conti, another cybercrime gang which disintegrated around that time. While Black Basta succeeded in leaking sensitive data from Rheinmetall’s civil unit, a spokesperson told Tech Monitor at the time that, due to the “strictly separated IT infrastructure within the Group, Rheinmetall’s military business is not affected by the attack.”

Joint advisory on Black Basta says gang has hacked over 500 organisations

The firm’s chief financial officer, Dagmar Steinert, also told shareholders today that cyberattacks were becoming almost routine for Rheinmetall, adding that the firm was usually able to defend against them. This presumably also includes a DDoS attack against the company last month, which cybersecurity analysts attributed to the Russian hacktivist collective Killnet. A spokesperson for the company claimed that despite the group’s best efforts, Rheinmetall’s systems remained unaffected by the incident.

Black Basta, meanwhile, has continued to prove a potent cybersecurity threat. According to a joint advisory from the FBI and other US federal agencies, the gang’s ransomware compromised over 500 organisations globally between April 2022 and May 2024. Breached companies include automation specialist ABB, IT outsourcer Capita and building supplies company Knauf. Hope that the gang’s efforts might be blunted briefly rose in January when cybersecurity researchers created a decryptor that allowed victims of the gang to recover data stolen from November 2022 onwards. However, it emerged shortly afterwards that Black Basta had quickly patched the flaw in its malware allowing such recoveries to take place. 
