Full Report
For the latest discoveries in cyber research for the week of 9th March, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES AkzoNobel, a Netherlands-based global paint manufacturer, has confirmed a cyberattack affecting one of its United States sites. The company said the intrusion was contained, while the Anubis ransomware group claimed it stole […] The post 9th March – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Anubis Ransomware Attack on AkzoNobel
## Executive Summary
AkzoNobel, a Netherlands-based global paint manufacturer, confirmed a cyberattack affecting one of its United States sites and stated that the intrusion was contained. The Anubis ransomware group claimed responsibility and alleged the theft of 170 GB of data, including employee and financial records; the company has not confirmed the scope of any data loss.
## Incident Details
- **Discovery Date:** Reported week of March 9, 2026
- **Incident Date:** Not specified
- **Affected Organization:** AkzoNobel
- **Sector:** Manufacturing (Paint/Chemicals)
- **Geography:** United States (affected site); Netherlands (HQ)
## Timeline of Events
### Initial Access
- **Date/Time:** Not disclosed.
- **Vector:** Not specified in the report. The only attribution is the Anubis ransomware group's own claim of responsibility.
- **Details:** The company confirmed that one United States site was affected; the role of the site (production, administrative or otherwise) was not disclosed.
### Lateral Movement
- No details of internal movement were disclosed. If the group's claim is accurate, the actors reached repositories holding employee records and financial documents at the affected site.
### Data Exfiltration/Impact
- **Exfiltration:** The Anubis group claims to have stolen 170 GB of data; the figure is unverified.
- **Data Types (claimed):** Employee records and financial documents.
### Detection & Response
- **Discovery:** How the intrusion was detected was not disclosed.
- **Response Actions:** AkzoNobel moved to contain the incident to the affected site to prevent further propagation across the global network.
## Attack Methodology
- **Initial Access:** Not disclosed for this incident. Anubis operates as ransomware-as-a-service (RaaS), and intrusions by such affiliates commonly begin with phishing or exposed remote-access services (e.g., RDP).
- **Collection:** Gathering of financial documents and employee PII (Personally Identifiable Information), per the group's claim.
- **Exfiltration:** Claimed transfer of 170 GB of data to attacker-controlled infrastructure.
- **Impact:** Data-theft extortion. Whether any systems were encrypted was not stated; the company emphasized containment.
## Impact Assessment
- **Financial:** Potential regulatory exposure and remediation costs; not yet quantified.
- **Data Breach:** Claimed exposure of 170 GB of employee and financial data, unconfirmed by the company.
- **Operational:** Limited to one US site; global operations reportedly remained stable.
- **Reputational:** Public acknowledgment of a breach by a major global manufacturer.
## Indicators of Compromise
- **File indicators:** No hashes were published in the summary; detection relies on vendor signatures for the Anubis ransomware family.
- **Behavioral indicators:** Sustained, high-volume outbound transfers from internal hosts to external addresses that deviate from the host's baseline, consistent with the claimed 170 GB exfiltration.
- **Network indicators:** [Information not available in the summary report].
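As an added example, not part of the Check Point report or of AkzoNobel's disclosure, the following Python script shows how the behavioral indicator above can be checked against flow or firewall logs: it sums outbound bytes per internal host and hour to addresses outside the configured internal ranges, then flags any hour that exceeds both an absolute floor and a multiple of that host's median hourly volume. The log line format, the internal address ranges, the thresholds and the sample records are all constructed assumptions.

```python
"""Egress-volume anomaly check over flow logs (added example, assumptions throughout)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed corporate address space; traffic to these ranges is treated as internal.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample records: "<ISO timestamp> <src_ip> <dst_ip> <bytes_out>".
# 10.20.1.15 has small daytime transfers, then ~60 GB in one early-morning hour.
# 10.20.1.40 moves 50 GB, but to an internal backup host, which must not be flagged.
SAMPLE_FLOWS = """\
2026-03-05T09:12:01 10.20.1.15 203.0.113.10 180000
2026-03-05T10:03:44 10.20.1.15 203.0.113.10 195000
2026-03-05T11:41:09 10.20.1.15 203.0.113.22 200000
2026-03-05T13:15:30 10.20.1.15 203.0.113.10 210000
2026-03-05T16:58:12 10.20.1.15 203.0.113.22 220000
2026-03-07T02:05:51 10.20.1.15 203.0.113.77 20000000000
2026-03-07T02:27:18 10.20.1.15 203.0.113.77 20000000000
2026-03-07T02:49:02 10.20.1.15 203.0.113.77 20000000000
2026-03-05T09:30:00 10.20.1.40 203.0.113.10 150000
2026-03-05T12:30:00 10.20.1.40 203.0.113.10 160000
2026-03-05T22:30:00 10.20.1.40 10.20.2.5 50000000000
"""


def parse_flows(text):
    """Parse the assumed four-field format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_bytes_per_host_hour(records):
    """Sum outbound bytes to non-internal destinations, keyed by (src host, hour bucket)."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in records:
        if is_internal(dst):  # intra-site traffic is not egress
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        totals[(src, bucket)] += nbytes
    return totals


def flag_egress_anomalies(records, factor=10, min_bytes=1_000_000_000):
    """Return (host, hour, bytes, baseline) for hours exceeding min_bytes AND
    factor x the host's median hourly egress. A host with a single observed
    hour has no baseline and is never flagged, so new hosts need a separate rule."""
    totals = external_bytes_per_host_hour(records)
    per_host = defaultdict(list)
    for (src, bucket), total in totals.items():
        per_host[src].append((bucket, total))
    findings = []
    for src, hours in per_host.items():
        values = sorted(t for _, t in hours)
        baseline = values[len(values) // 2]  # median; robust to one outlier hour
        for bucket, total in hours:
            if total >= min_bytes and total > factor * baseline:
                findings.append((src, bucket, total, baseline))
    return sorted(findings)


if __name__ == "__main__":
    for host, hour, total, base in flag_egress_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(f"{host} {hour:%Y-%m-%d %H:00}: {total / 1e9:.1f} GB egress (median {base / 1e3:.0f} KB)")
```

The absolute floor keeps hosts with tiny baselines from being flagged on a few megabytes, and the median baseline is what lets one anomalous hour stand out against the same host's own history rather than a fleet-wide number. In production the same aggregation would be expressed as a SIEM query against NetFlow or proxy logs rather than a script over a text file.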
## Response Actions
- **Containment:** Isolated the affected United States site from the wider corporate network.
- **Investigation:** The 170 GB figure remains an attacker claim; the company has not publicly confirmed the volume or type of data taken.
- **Public Disclosure:** Confirmed the attack publicly and stated that it had been contained.
## Lessons Learned
- **Site-Level Containment Works:** Containing an attack to a single site prevents a global operational shutdown, which is only possible when site networks are segmented from one another in advance.
- **Ransomware Groups are Evolving:** Groups like Anubis increasingly rely on data theft and extortion alongside, or instead of, encryption, so containment alone does not remove the leverage an attacker holds once data has left the network.
## Recommendations
- **Zero Trust Architecture:** Enforce strict segmentation between sites, and between site networks and central identity and headquarters systems, so that a compromise in one region does not grant access elsewhere.
- **Data Loss Prevention (DLP):** Deploy DLP and egress monitoring to flag and block the unauthorized movement of large volumes of financial or employee data; a 170 GB transfer should not be able to complete unnoticed.
- **Audit Access Logs:** Regularly review access logs for high-privilege accounts, especially those reaching servers at one site from locations or systems that account does not normally use.
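As an added example, not from the report or from AkzoNobel, the following Python script implements the access-log review in the last recommendation: it reads authentication events as JSON lines, keeps only accounts that belong to a privileged group, and reports any login whose source country is outside the set expected for that account, rating successful logins higher than failed attempts. The event format, the privileged group names, the per-account expected locations and the sample events are all constructed assumptions; in practice the expected set would come from the identity provider or HR data.

```python
"""Privileged-login location review (added example, assumptions throughout)."""
import json

# Assumed directory groups that confer high privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators"}

# Assumed expected source countries per privileged account.
# An account missing from this map is treated as having no expected location,
# so every login it makes is reported (fail closed).
EXPECTED_LOCATIONS = {
    "jdoe_admin": {"US", "NL"},
    "svc_backup_us": {"US"},
}

# Constructed sample events (JSON lines); countries are placeholders.
SAMPLE_AUTH_LOG = """\
{"ts":"2026-03-06T14:02:11Z","user":"jdoe_admin","groups":["Domain Admins"],"src_country":"NL","target":"us-file-01","result":"success"}
{"ts":"2026-03-06T23:47:03Z","user":"svc_backup_us","groups":["Server Operators"],"src_country":"US","target":"us-file-01","result":"success"}
{"ts":"2026-03-07T01:58:40Z","user":"svc_backup_us","groups":["Server Operators"],"src_country":"SG","target":"us-file-01","result":"success"}
{"ts":"2026-03-07T02:03:12Z","user":"asmith","groups":["Domain Users"],"src_country":"SG","target":"us-file-01","result":"success"}
{"ts":"2026-03-07T02:10:55Z","user":"jdoe_admin","groups":["Domain Admins"],"src_country":"AR","target":"us-file-01","result":"failure"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_privileged(event):
    """True if the account holds any of the assumed high-privilege groups."""
    return bool(PRIVILEGED_GROUPS.intersection(event.get("groups", [])))


def review_privileged_logins(events, expected=EXPECTED_LOCATIONS):
    """Report privileged logins from countries outside the account's expected set.
    Successful logins are 'high' (an actor already holds the credential);
    failures are 'medium' (credential guessing or a stolen but rotated password)."""
    findings = []
    for ev in events:
        if not is_privileged(ev):
            continue  # ordinary users are reviewed by other controls
        allowed = expected.get(ev["user"], set())
        if ev["src_country"] in allowed:
            continue
        findings.append({
            "severity": "high" if ev["result"] == "success" else "medium",
            "user": ev["user"],
            "src_country": ev["src_country"],
            "target": ev["target"],
            "ts": ev["ts"],
            "expected": sorted(allowed),
        })
    return findings


if __name__ == "__main__":
    for f in review_privileged_logins(parse_events(SAMPLE_AUTH_LOG)):
        print(f"[{f['severity']}] {f['ts']} {f['user']} -> {f['target']} from {f['src_country']}, expected {f['expected'] or 'none configured'}")
```

Note that the non-privileged login from the same unexpected country is deliberately not reported here: the value of this review is its short, high-signal output over admin and service accounts, and the service account's successful off-hours login from abroad to the file server is exactly the kind of event that precedes bulk collection.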