After Boeing declines to pay up, ransomware group leaks 45 GB of data

As someone who works in the defense industry, I can assure you that 45 GB of unencrypted emails is next to worthless from a commercial standpoint and a total non-event from a national security standpoint. This is probably more of a threat to individual employees than it is to anybody else.<p>To put it another way, if this data had value, the ransomware group wouldn&#x27;t be leaking it for free.

For an external party, having access to the 45 GB is the easy part. Now, you will need to create a company and supplier base the size of Boeing to make any use of this :-)

My memory is not the greatest and simple Google searches are not helping right now.<p>Have there ever been massive problems from one of these leaks for the targeted company?<p>I seem to remember quite a lof of similar leaks over the past two years where the market and public shrug it off.<p>Clearly 45gig is a lot. I would think if there was a major horrible thing to find that Boeing would have paid the ransom (and told no one).<p>Will it have any real negative consequences for Boeing?<p>It is a black mark against them that they were vulnerable. I guess it is favorable point for many that they didn&#x27;t pay.

Didn&#x27;t a ransomware gang just renege on a deal and release the data anyway. Seems like they are killing their own business model. If company X cannot depend on the gang delivering why pay in the first place. Boeing will have to pay for any fallout form the data breach - why have the added expense of paying the criminals for the privilege?

Is there anything &quot;useful&quot; in this dump?<p>The article mentions citrix and emails, but that could be anything

The US should make it illegal to pay ransom, with a penalty of prison for anyone paying a ransom or authorizing payment.<p>The purpose of the law is that now ransomware gangs will be less likely to target US companies because companies are unlikely to risk paying them.

I wonder if this counts as an ITAR violation on Boeing&#x27;s part.

The government should just make it illegal for companies to pay ransomware groups. There, now the ransomware business model evaporates and companies have to actually focus on security rather than hoping they can pay their way out of a potential problem. It’s short-term pain for society in exchange for a better long-term solution.

Being a Russian-linked cyber gang, anything sensitive in there should be treated as public information now anyway. Why bother paying then?

Out of curiosity how do you guys mentally interpret the data size when reading about a hack&#x2F;leak story? 45GB? Do you think 10s of millions of text files? A few DVD rips? a server backup?<p>It seems so useless but is always portrayed as the &quot;wow look at that number!&quot; part of any leak&#x2F;hack story

45GB of data could be like a dozen employees&#x27; or less Outlook PST files. For this to be astounding we would need to know the quality of the data. Otherwise it is a bunch of hype and hoopla.

I struggle to see how this business model would work in the first place. They pay you and you pinky swear not to release it? All you are doing by negotiating is to buy the victim time to harden their systems.<p>This sounds liked a failed ransomware attack. They encrypted the systems - Boeing says &quot;no thank you, we have backups&quot;. There were no valuable zero-days to sell to GRU, so give a last ditch offer to try to salvage something.

A writer contacted me about my thoughts (unrelated and separate from this event) about how the disclosure of vulnerabilities and methods of hacking (of all types and in almost all situations) aids bad actors vs. helps companies protect their systems (by knowing vulnerabilities that are often so obscure they would reasonably never be exploited).<p>Point is what is the upside of disclosure (I think) vs. the downside. Nobody is suggesting no disclosure but the writer seemed to think that the security industrial complex has lawmakers believing that everything should be open and there should be constant white hat hacking which seems to feed and benefit the security industry.<p>I am curious if anyone has a thought on this topic.

I have grown respect for boeing after not paying this.

New security-through-obscurity tactic: make sure to automatically send lots of fake emails between employees, containing importantly-sounding words such as &quot;classified&quot;, &quot;secret&quot; and &quot;important&quot; — with some identifying characteristic that makes the employees&#x27; email clients ignore them.<p>Then an email dump of 45 GB of useful information could instead be 4.5 TB (with 1% useful information), and wading through all the non-information to find something useful will not be worth the time of the adversary. The more important information you have in emails the more you need to increase the misinformation-to-information ratio.

The moment a company pays good money, that legitimizes the hacking group and emboldens them to keep going. You can’t trust that they’ll not leak even after they get paid.

The market seems to think this is inconsequential.

<a href="https:&#x2F;&#x2F;archive.is&#x2F;LUqeb" rel="nofollow noreferrer">https:&#x2F;&#x2F;archive.is&#x2F;LUqeb</a>

When Boeing can&#x27;t match the salaries of Seattle tech companies, this is what happens.

I wonder if anything here is related to the MCAS disasters

we should be careful making the assumption that this is all the data they exfiltrated. this could easily just be the first tranche to prove that they’re serious

What if it is false information to harm opportunists?

lol no sht man, pay up and they’d still sell it behind their backs. Someone always have a copy

The bigger problem for Boeing will be that they probably have fraud evidence in the 45G.

LLM training fodder?

The never ending cost of low quality outsourced digital transformation. Pathetic how many large corps have been hit. And tax payer has to foot the ever growing bill to investigate and defend these useless orgs.

Can we stop using disk size as a measure of leaked data?<p>There are bluray movies larger than this leak and there are files smaller than 10kb a lot more critical in most businesses.<p>It&#x27;d be nice if there was some sort of scale for data leaks like (just spitballing here):<p>1. Leak destroys all core company functions (crypto-exchange leaks all wallet keys, CA leaks all root keys and becomes banned from all trust stores, etc.)<p>2. Leak causes regulatory issues criminal enough to shut down company<p>3. Leak severely hinders core company functions (deploy keys for a cloud computing SaaS are deleted which stops all new deployments until all infra is reconfigured)<p>4. Leak severely looses company competitive advantages (new products leak that are replicable by competitors)<p>5. Leak causes severe PR disaster<p>6. Leak shows embarrassing internal company communication without any of the above

I&#x27;m at an en-passe here, on the one hand I think Boeing sucks as it&#x27;s primary business is now hyper focused for defense purposes. On the other, ransomware generally hurts companies and municipalities that generally don&#x27;t deserve it.<p>Boeing, Lockheed Martin, Facebook, etc...deserve it

Like how can one download so many files from a company network and no alarm is set off ? What do the useless IT departments set up? Just employee spyware ?

The best way to mitigate attacks like this is simple: don&#x27;t hold the data in the first place. Beyond that, encrypting and limiting who has access to what, and logging who opens what when makes it much harder for attacks like these to go under the radar. Obviously, not every company is Google and having super sophisticated security practices is both hard to do from an engineering standpoint (requires lots of infra) _and_ requires staff to have a security focused mindset. This is not something a lot of places have, not even tech companies by trade. The cost benefit analysis isn&#x27;t high, so you end up with orgs that do things akin to dumping all corporate code into one Github account and then wonder how things went wrong when something bad happens.<p>Boeing Co, as a government contractor being hacked is obviously more concerning than a breach at $x company. It&#x27;s a shame. I&#x27;d say this is a learning opportunity, but it likely won&#x27;t be. Onto the next round of &quot;cybersecurity&quot; speak...