Full Report
Fake emails already doing the rounds as ransomware crew boasts about what it allegedly stole

UK enterprise software consultancy The Adaptavist Group is investigating a security breach after an intruder logged in with stolen credentials, while a ransomware crew claims it grabbed far more than the company is currently admitting.…
Analysis Summary
# Incident Report: Unauthorized Access and Alleged Data Exfiltration at The Adaptavist Group
## Executive Summary
The Adaptavist Group, a UK-based enterprise software consultancy, is investigating a security breach following the use of stolen credentials to access its internal systems. While the company maintains that only "typical business data" was accessed, the "The Gentlemen" ransomware group claims a total infrastructure compromise, including source code and customer records. The incident has been further complicated by third-party phishing campaigns targeting the company's clients using information related to the breach.
## Incident Details
- **Discovery Date:** Late March 2026
- **Incident Date:** Late March 2026
- **Affected Organization:** The Adaptavist Group
- **Sector:** Information Technology / Software Consultancy
- **Geography:** United Kingdom (Global Operations)
## Timeline of Events
### Initial Access
- **Date/Time:** Late March 2026
- **Vector:** Valid Accounts (Compromised Credentials)
- **Details:** An unauthorized actor logged into the corporate environment using stolen legitimate login details.
### Lateral Movement
- **Details:** Specific lateral movement techniques are currently under forensic investigation. However, the threat actor claims a "complete infrastructure compromise," suggesting movement from initial access points to broader internal systems.
### Data Exfiltration/Impact
- **Confirmed Impact:** Unauthorized access to "typical business data," including contracts, NDAs, and business contact information (names, emails, job roles).
- **Alleged Impact:** Threat actors claim to have exfiltrated hundreds of thousands of customer records, source code (e.g., ScriptRunner), internal credentials, and production system data.
- **Secondary Impact:** Emergence of "misleading correspondence" and phishing emails sent to partners and customers by an unknown third party impersonating Adaptavist.
### Detection & Response
- **Discovery:** Detected by internal monitoring in late March.
- **Response Actions:** CEO issued a formal notification; external security specialists were retained for a forensic audit; customer warnings regarding imposter emails were disseminated.
## Attack Methodology
- **Initial Access:** Valid Accounts (Stolen Credentials).
- **Persistence:** Not explicitly detailed; likely maintained via the compromised valid accounts.
- **Privilege Escalation:** Unknown; under investigation.
- **Defense Evasion:** Minimal initial noise due to the use of valid credentials.
- **Credential Access:** Likely obtained via external means (e.g., phishing, info-stealers) prior to the incident.
- **Discovery:** System and data enumeration by "The Gentlemen" ransomware group.
- **Lateral Movement:** Undisclosed; target claims suggest broad access.
- **Collection:** Automated or manual gathering of NDAs, contracts, and source code.
- **Exfiltration:** Data lifted for use as "leverage" in extortion.
- **Impact:** Data exfiltration and brand impersonation (Phishing).
## Impact Assessment
- **Financial:** Costs associated with forensic investigation and potential legal/regulatory fines (GDPR) pending the outcome of the data audit.
- **Data Breach:** Confirmed theft of B2B contact data; alleged theft of sensitive source code and production credentials.
- **Operational:** Business disruption limited to incident response activities; no reported outages of production services.
- **Reputational:** High risk given the company's position as an Atlassian ecosystem partner and the imposter emails now targeting its clients.
## Indicators of Compromise
- **Network indicators:** No specific IPs or domains are provided in the report. The defanged value below is a formatting template only, not an observed indicator: hxxp[://]gentlemen[.]leak[.]site
- **File indicators:** Not disclosed.
- **Behavioral indicators:** Unusual login locations/times for specialized staff accounts; unauthorized access to contract and NDA directories.
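The "unusual login locations/times" indicator above is only useful if a per-account baseline exists to compare against. The following is an added example (not code from the report or from Adaptavist) of a baseline-and-deviation check: it learns each user's countries and login hours from successful logins before a cutoff date, then flags later successful logins from a country never seen for that user, outside a working-hours window, or for an account with no baseline at all. The event records, field names (`ts`, `user`, `country`, `result`) and the 07:00–19:59 UTC window are constructed assumptions, not the schema or policy of any specific identity provider.

```python
"""Per-user login baseline and deviation check (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication events; not real telemetry from the incident.
# Field names are an assumption: ts (UTC ISO-8601), user, country (ISO 3166-1), result.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:14:00Z", "user": "j.doe",      "country": "GB", "result": "success"},
    {"ts": "2026-03-05T14:30:00Z", "user": "j.doe",      "country": "GB", "result": "success"},
    {"ts": "2026-03-10T10:02:00Z", "user": "j.doe",      "country": "GB", "result": "success"},
    {"ts": "2026-03-03T08:45:00Z", "user": "a.smith",    "country": "DE", "result": "success"},
    {"ts": "2026-03-12T16:20:00Z", "user": "a.smith",    "country": "DE", "result": "success"},
    {"ts": "2026-03-12T16:25:00Z", "user": "a.smith",    "country": "DE", "result": "failure"},
    # Events after the cutoff: the window the check is run over.
    {"ts": "2026-03-27T03:12:00Z", "user": "j.doe",      "country": "NL", "result": "success"},
    {"ts": "2026-03-27T10:05:00Z", "user": "a.smith",    "country": "DE", "result": "success"},
    {"ts": "2026-03-28T11:00:00Z", "user": "j.doe",      "country": "GB", "result": "success"},
    {"ts": "2026-03-28T22:40:00Z", "user": "a.smith",    "country": "DE", "result": "success"},
    {"ts": "2026-03-29T12:00:00Z", "user": "svc-backup", "country": "US", "result": "success"},
    {"ts": "2026-03-29T12:01:00Z", "user": "j.doe",      "country": "NL", "result": "failure"},
]


def parse_ts(value: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events, cutoff):
    """Per-user set of countries and UTC hours seen in successful logins before cutoff."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts do not establish normal behaviour
        ts = parse_ts(ev["ts"])
        if ts >= cutoff:
            continue
        profile = baseline[ev["user"]]
        profile["countries"].add(ev["country"])
        profile["hours"].add(ts.hour)
    return dict(baseline)


def detect_anomalies(events, baseline, cutoff, work_hours=(7, 19)):
    """Flag successful logins at or after cutoff that deviate from the baseline.

    Reasons reported per finding:
      new_country  - country never seen for this user in the baseline period
      off_hours    - hour outside the inclusive work_hours window (UTC)
      no_baseline  - account has no successful logins before the cutoff
    """
    start, end = work_hours
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        ts = parse_ts(ev["ts"])
        if ts < cutoff:
            continue
        reasons = []
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons.append("no_baseline")
        elif ev["country"] not in profile["countries"]:
            reasons.append("new_country")
        if not (start <= ts.hour <= end):
            reasons.append("off_hours")
        if reasons:
            findings.append({"user": ev["user"], "ts": ev["ts"],
                             "country": ev["country"], "reasons": reasons})
    return findings


def run_sample():
    """Build the baseline from pre-cutoff sample events and check the rest."""
    cutoff = parse_ts("2026-03-25T00:00:00Z")
    baseline = build_baseline(SAMPLE_EVENTS, cutoff)
    return detect_anomalies(SAMPLE_EVENTS, baseline, cutoff)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed data this produces three findings: the 03:12 login for `j.doe` from a new country, an off-hours login for `a.smith`, and a first-ever login for `svc-backup`. Baselines built on a single hour set are brittle for staff who travel or work shifts, so in practice the window and country set would be per-user and reviewed rather than fixed, and the output is a triage queue rather than a verdict.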
## Response Actions
- **Containment:** Revocation of compromised credentials and monitoring of affected accounts.
- **Eradication:** Deployment of external forensic specialists to purge any remaining threat actor presence.
- **Recovery:** Restoration of trust through transparent communication and investigation into the validity of the threat actor's claims.
## Lessons Learned
- **Key Takeaways:** Credential-based attacks remain the primary entry point even for sophisticated tech consultancies. Threat actors are increasingly using breach notifications as a theme for follow-on phishing attacks.
- **What could have been done better:** Implementation of stricter Multi-Factor Authentication (MFA) policies (e.g., hardware keys) might have prevented the use of stolen credentials.
## Recommendations
- **Enforce Phishing-Resistant MFA:** Move beyond SMS or push-based MFA to FIDO2/WebAuthn standards.
- **Data-Centric Security:** Encrypt or strictly silo sensitive business documents such as NDAs and contracts, and gate access to them with Just-In-Time (JIT) access.
- **Phishing Simulation:** Conduct drills specifically mimicking "incident notification" emails to prepare staff and customers for secondary social engineering.
- **Dark Web Monitoring:** Monitor for leaked employee credentials to proactively reset passwords before they are used for initial access.