Defence giant Rheinmetall suffers cyberattack by Black Basta ransomware gang

The attack from the Russian gang took place after the company announced it was in talks with Ukraine about building a new tank factory.

By Claudia Glover

The Black Basta ransomware gang has struck again, claiming automotive and defence manufacturer Rheinmetall as its latest victim. The company has confirmed the breach, which has seen screenshots of stolen data posted to Black Basta’s dark web blog.

Rheinmetall has confirmed Black Basta is behind a cyberattack on its infrastructure (Photo by SOPA Images/Getty Images)

The attack took place in April, at a time when the company revealed it could build a tank factory in Ukraine. Black Basta is thought to operate out of Russia and may have close ties to the government in Moscow.

Rheinmetall has over 28,000 employees and generated revenue of €6.4bn in 2022.

Rheinmetall cyberattack: Black Basta ransomware gang behind breach

Rheinmetall has confirmed that the Black Basta ransomware gang was behind a cyberattack perpetrated last month.

Screenshots posted to the gang’s dark web victim blog show that sensitive data such as passport copies, purchase orders, non-disclosure agreements, letters of confidentiality and other corporate documents are in the hands of cybercriminals. The release of data suggests that negotiations between the cybercrime group and the company have fallen through, though it is not known if a ransom has been demanded or paid.

Tech Monitor has contacted Rheinmetall for more details of how the breach occurred, but a company spokesperson told Bleeping Computer: “Rheinmetall is continuing to work on resolving an IT attack by the ransomware group Black Basta. This was detected on 14 April 2023. It affects the Group’s civilian business.”

The spokesperson also claimed that: “Due to the strictly separated IT infrastructure within the Group, Rheinmetall’s military business is not affected by the attack.”

Rheinmetall is in contact with the relevant authorities and has filed a criminal complaint with the Cologne public prosecutor’s office.

The attack took place in April after an announcement by the company that it was holding talks with Ukraine concerning the construction of a tank factory. “A Rheinmetall factory could be built in Ukraine at a cost of about €200m”, to turn out up to 400 Panther tanks a year, the company’s president Armin Papperger said.

Rheinmetall already provides Ukraine with defence hardware such as reconnaissance systems and ammunition. The company is a key manufacturer of guns on the Leopard tank, which is being supplied to Ukraine by several European nations.

Black Basta continues campaign against Western businesses

Surfacing in April 2022, the Russian-speaking cybercrime gang appears to favour targeting Europe and the English-speaking world.

Most recently, the ransomware group attacked global manufacturing giant ABB, in a breach which affected hundreds of the company’s devices. Cybercriminals attacked the company’s online infrastructure through its Windows Active Directory, ABB confirmed earlier this month. 

Black Basta hit 44 victims in 2022, according to a Trend Micro report. Last summer it claimed responsibility for an attack on the Knauf building supplies company, which severely hindered the business’s operations across Europe for several weeks.

The gang favours double extortion tactics, where a victim company’s data is stolen and encrypted so that the organisation can be coerced into communicating with the criminals and pressured into purchasing the decryption key.

In April, Black Basta posted its intentions to buy and monetise corporate network access for a share in the profits. The post, written in Russian, specified that it was looking for organisations based in the United States, Canada, United Kingdom, Australia, and New Zealand, according to a report from security company Cybereason.
