Full Report
France's state-owned defense firm Naval Group is investigating a cyberattack after 1TB of allegedly stolen data was leaked on a hacking forum. [...]
Analysis Summary
# Incident Report: Naval Group 1TB Data Breach
## Executive Summary
French warship builder Naval Group suffered a significant data breach resulting in the exfiltration of approximately 1TB of sensitive data, including classified CMS for military vessels and technical documents. The breach was made public when threat actor 'Neferpitou' published a data sample on DarkForums and subsequently leaked the full dataset after failed ransom negotiations. The primary impact centers on the compromise of highly sensitive intellectual property and military defense information.
## Incident Details
- **Discovery Date:** July 23, 2025 (Date of initial public posting/threat actor activity)
- **Incident Date:** Prior to July 23, 2025 (Actual breach timeline is unknown, but data was published on this date)
- **Affected Organization:** Naval Group
- **Sector:** Defense Manufacturing (Warship Building)
- **Geography:** France (Primary operations, global export impacts)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Data published July 23, 2025)
- **Vector:** Unknown (Likely external threat actor activity targeting sensitive data storage)
- **Details:** Threat actor 'Neferpitou' published a 13 GB sample of stolen data.
### Lateral Movement
- Unknown. The scope suggests successful internal access to retrieve a massive dataset (1TB).
### Data Exfiltration/Impact
- **What was stolen or damaged:** Approximately 1TB of data, including classified CMS for military vessels, technical documents, development VMs with simulation data, and internal communications.
### Detection & Response
- **How it was discovered:** The incident became public knowledge when the threat actor posted the data publicly on DarkForums on July 23, 2025.
- **Response actions taken:** Specific internal response actions by Naval Group are not detailed beyond the public acknowledgement that it is investigating the leak. On the threat actor's side, 'Neferpitou' issued a 72-hour ultimatum to negotiate an extortion payment; the negotiation appears to have failed, leading to the full leak.
## Attack Methodology
- **Initial Access:** Unknown.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown, though the ability to exfiltrate 1TB suggests prolonged, undetected access.
- **Credential Access:** Unknown.
- **Discovery:** Unknown (Implied successful network/system discovery to locate sensitive files).
- **Lateral Movement:** Unknown.
- **Collection:** Successful organization and staging of 1TB of data.
- **Exfiltration:** Successful data transfer off-network, leading to publication on DarkForums.
- **Impact:** Data exposure and potential compromise of military system designs and operational secrets.
## Impact Assessment
- **Financial:** Unknown (Potential costs associated with incident response, notification, and contract/reputation damage).
- **Data Breach:** Exfiltration of approximately 1TB of highly sensitive data, including classified military system information (CMS) and technical specifications related to vessels exported globally (Australia, Brazil, India, Egypt).
- **Operational:** Potential severe disruption to future military projects and international partnerships due to IP loss.
- **Reputational:** Significant damage given the organization's critical role as the primary supplier to the French Navy.
## Indicators of Compromise
- **Network indicators:** None are provided in the source. The only infrastructure named is **DarkForums**, the forum threat actor 'Neferpitou' used as the publication platform.
- **File indicators:** Stolen files included classified CMS data, technical documents, and development VMs.
- **Behavioral indicators:** Actor issuing a short negotiation window (72 hours) before mass public release.
## Response Actions
- **Containment measures:** Not specified in the source; context implies containment actions would follow the July 23, 2025 publication.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified.
## Lessons Learned
- **Key takeaways:** Critical defense contractors remain high-value targets for adversaries capable of massive data exfiltration. The use of post-BreachForums platforms like DarkForums facilitates a low-friction cybercrime ecosystem.
- **What could have been done better:** The breach was apparently not detected internally before the threat actor's public claim, highlighting potential gaps in defensive monitoring or perimeter security. The article also notes the possibility that the leaked data is recycled from a prior 2022 attack on Thales.
## Recommendations
- **Prevention measures for similar incidents:** Implement stronger network segmentation, improve monitoring for large-scale data egress events, enforce strict access controls on classified and technical documents, and conduct advanced threat hunting specific to intellectual property theft vectors. Review access controls in light of the attack paths used against similar organizations in the sector (e.g., previous ransomware targets such as Thales).