Full Report
The multinational Dutch paint company AkzoNobel has confirmed to BleepingComputer that hackers breached the network of one of its U.S. sites. [...]
Analysis Summary
# Incident Report: AkzoNobel U.S. Site Ransomware Breach
## Executive Summary
AkzoNobel, a leading Dutch multinational paint and coatings company, confirmed a cyberattack targeting one of its U.S.-based sites. The incident, attributed to the Anubis ransomware-as-a-service (RaaS) group, resulted in the exfiltration of approximately 170GB of sensitive data. The company has since contained the incident and reported that the operational impact was limited to the single affected site.
## Incident Details
- **Discovery Date:** March 2026 (Reported)
- **Incident Date:** February – March 2026
- **Affected Organization:** AkzoNobel (U.S. Subsidiary Site)
- **Sector:** Manufacturing (Chemicals/Paint/Coatings)
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed; prior to March 3, 2026.
- **Vector:** Precise vector not disclosed; likely affiliate-led via typical RaaS entry points (e.g., phishing, vulnerable VPNs, or RDP).
- **Details:** Attackers compromised the network of a specific U.S. facility.
### Lateral Movement
- **Details:** The threat actor navigated the local site network to identify and aggregate high-value documentation, including passport scans and client agreements.
### Data Exfiltration/Impact
- **Data Volume:** ~170GB across approximately 170,000 files.
- **Content:** Confidential client agreements, PII (Passport scans), contact information (emails/phone numbers), private correspondence, and technical specification/testing sheets.
- **Impact:** Partial data leak on the Anubis extortion portal.
### Detection & Response
- **Discovery:** Triggered by internal detection systems and/or the appearance of data on the Anubis leak site.
- **Response Actions:** Localized isolation of the affected site's network to prevent lateral movement to global AkzoNobel infrastructure.
## Attack Methodology
*Note: Specific technical details are based on known Anubis RaaS tactics.*
- **Initial Access:** Often via compromised credentials or vulnerability exploitation.
- **Persistence:** Not explicitly detailed; typically involves registry keys or scheduled tasks.
- **Privilege Escalation:** Standard RaaS tools (e.g., Mimikatz, Cobalt Strike).
- **Defense Evasion:** Use of legitimate administrative tools to avoid signature-based detection.
- **Credential Access:** Likely harvesting via local memory or unsecured configuration files.
- **Discovery:** Network scanning to identify file servers containing technical specs and PII.
- **Lateral Movement:** SMB/RDP movement within the site network.
- **Collection:** Automated staging of 170,000 files.
- **Exfiltration:** Data pushed to Anubis-controlled infrastructure prior to any encryption.
- **Impact:** Data theft and extortion. (Anubis also possesses a "Data Wiper" capability, though not confirmed as used in this specific instance).
## Impact Assessment
- **Financial:** Undisclosed; potential for regulatory fines related to PII exposure (GDPR/CCPA).
- **Data Breach:** High; 170GB of proprietary technical data and sensitive employee/client PII.
- **Operational:** Low; incident was limited to a single site and contained quickly.
- **Reputational:** Moderate; exposure of high-profile client agreements and internal technical specs.
## Indicators of Compromise
- **Network indicators:**
  - Traffic to Anubis leak site: hxxp[://]anubis[.]onion (defanged)
  - Unusual outbound data transfers to cloud storage providers.
- **File indicators:**
  - Ransom notes typically associated with Anubis.
- **Behavioral indicators:**
  - Large-scale "directory crawling" on file servers.
  - Unauthorized account activity originating from U.S. site IPs.
## Response Actions
- **Containment:** Isolated the affected U.S. site network from the global corporate WAN.
- **Eradication:** Evicted threat actor sessions and reset compromised credentials.
- **Recovery:** Engaged with relevant authorities and initiated notification processes for impacted parties.
## Lessons Learned
- **Network Segmentation:** The containment of the breach to a single site demonstrates the effectiveness of AkzoNobel's existing segmentation, which prevented spread to the global corporate network.
- **RaaS Evolution:** The rapid rise of Anubis (founded Dec 2024) and its move to the RAMP forum in 2025 highlights the speed at which new threats can achieve significant compromises.
## Recommendations
- **Enhanced PII Monitoring:** Implement Data Loss Prevention (DLP) tools to alert on the movement of passport scans and confidential agreements.
- **Vulnerability Management:** Ensure all U.S.-based perimeter assets (VPNs/firewalls) are patched against the recently exploited vulnerabilities commonly used by RaaS affiliates.
- **Zero Trust Architecture:** Implement strict identity-based access controls to limit lateral movement even if a single site network is breached.
- **Audit Logging:** Maintain 90+ days of logs for internal file server access to facilitate faster forensic reconstruction.
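The "directory crawling" behavioral indicator above and the audit-logging recommendation go together: retained file-server access logs only help if something looks for mass enumeration in them. The following is an added example, not AkzoNobel's tooling or any vendor's log schema; it assumes a simplified constructed log format and flags any account that touches more than a threshold of distinct directories inside a sliding time window.

```python
"""Flag large-scale directory crawling in file-server access logs.
Constructed example (not AkzoNobel's or any vendor's real log schema):
lines are 'timestamp user src_ip path'; a user touching more than MAX_DIRS
distinct directories inside WINDOW is flagged."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from posixpath import dirname

WINDOW = timedelta(minutes=10)   # sliding window per user (assumed tuning value)
MAX_DIRS = 5                     # distinct directories tolerated per window (assumed)

# Constructed sample: one normal user, one account sweeping many share directories.
SAMPLE_LOG = """\
2026-03-01T09:00:01 jdoe 10.10.5.21 /shares/projects/coatings/spec_A.xlsx
2026-03-01T09:02:10 jdoe 10.10.5.21 /shares/projects/coatings/spec_B.xlsx
2026-03-01T09:15:00 svc_backup 10.10.9.50 /shares/hr/passports/scan_001.pdf
2026-03-01T09:15:02 svc_backup 10.10.9.50 /shares/hr/contracts/client_X.pdf
2026-03-01T09:15:03 svc_backup 10.10.9.50 /shares/legal/agreements/nda_Y.pdf
2026-03-01T09:15:05 svc_backup 10.10.9.50 /shares/rnd/testing/sheet_12.pdf
2026-03-01T09:15:07 svc_backup 10.10.9.50 /shares/rnd/specs/formula_7.docx
2026-03-01T09:15:09 svc_backup 10.10.9.50 /shares/sales/contacts/list.csv
2026-03-01T09:15:11 svc_backup 10.10.9.50 /shares/exec/mail/archive.pst
"""

def parse_line(line):
    ts, user, src_ip, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, src_ip, path

def find_crawlers(log_text, window=WINDOW, max_dirs=MAX_DIRS):
    """Return {user: (distinct_dir_count, first_ts, last_ts)} for users whose
    distinct-directory count within any window exceeds max_dirs."""
    recent = defaultdict(deque)   # user -> deque of (ts, dir) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _ip, path = parse_line(line)
        q = recent[user]
        q.append((ts, dirname(path)))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        dirs = {d for _, d in q}
        # keep the widest sweep seen for each user
        if len(dirs) > max_dirs and (user not in alerts or len(dirs) > alerts[user][0]):
            alerts[user] = (len(dirs), q[0][0], ts)
    return alerts

if __name__ == "__main__":
    for user, (n, first, last) in find_crawlers(SAMPLE_LOG).items():
        print(f"ALERT {user}: {n} directories between {first} and {last}")
```

In practice the input would be Windows object-access events or SMB audit records rather than this constructed format, and the threshold should be tuned per share against a baseline of normal activity.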