Qilin Ransomware Group Announces 4TB Data Breach Involving Nissan CBI

The Qilin ransomware group has announced a significant data breach at Nissan’s Creative Box Inc. (CBI), allegedly compromising 4TB of sensitive data, including vehicle design files and financial records.

According to the group, Nissan CBI, which operates as a design subsidiary of Nissan Motor Co., Ltd. in Tokyo, has been targeted, with threats to release sensitive documents unless their demands are met.

In a post on their dark web site, Qilin claimed to have exfiltrated over 4 terabytes of information comprising 405,882 files. The data reportedly includes 3D design specifications, project reports, photographs, videos, and various internal documents associated with Nissan automotive initiatives.

The ransomware group stated, “The 4TB of data we have obtained contains comprehensive details such as 3D designs, reports, photos, videos, and multiple documents pertaining to Nissan automobiles. While we do not intend to disseminate all this data immediately, persistent disregard from Nissan may lead to its release, allowing access to critical information for competitors and others.”

Screenshot from Qilin’s dark web leak site, with images blurred for product confidentiality. (Image credit: Hackread.com)

Contents of the Leaked Files

As evidence, Qilin shared four sample files. The first represents 3D CAD-like renderings of a Nissan vehicle, displaying both low and high-polygon models with specific triangle counts, indicating access to advanced design data relevant to prototyping. A second file, a spreadsheet in Japanese, appears to detail financial or operational figures, project deadlines, and budget estimates, featuring color-coded sections that suggest thorough internal planning efforts.

The third file features a photorealistic rendering of a Nissan car’s interior, showcasing intricate designs of the dashboard and seating. The fourth image depicts staff utilizing virtual reality headsets to interact with 3D vehicle designs, highlighting Nissan CBI’s integration of VR technology in their design processes.

If these files are verified, they could provide significant insight to competitors or counterfeiters regarding Nissan’s proprietary design methods.

The Rising Threat of Qilin Ransomware

Active since 2022, Qilin, also known as Agenda, has been recognized for its focus on high-profile organizations through a ransomware-as-a-service model. The group gained widespread notoriety following a 2024 attack on NHS supplier Synnovis in London that severely disrupted medical services and allegedly resulted in patient harm.

Should Nissan CBI’s claims prove authentic, the implications of exposing confidential vehicle designs and internal documents could pose both competitive challenges and reputational risks for the company. Trade secrets within the automotive design sector are typically highly protected, and any breach threatens to provide rivals access to critical design information.

Seeking Response from Nissan

Hackread.com has reached out to Nissan for a statement regarding the allegations made by Qilin. As of now, no official response has been provided.

Source

Related Posts

Google Reports APT41’s Exploitation of Open Source GC2 Tool to Target Media and Job Websites

April 17, 2023
Cyber Threat / Cloud Security

A Chinese nation-state group has reportedly targeted an unnamed Taiwanese media outlet using an open-source red teaming tool called Google Command and Control (GC2). This activity is part of a larger trend of utilizing Google’s infrastructure for malicious purposes. Google’s Threat Analysis Group (TAG) attributes the operation to a threat actor known as HOODOO, also identified as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email that includes links to a password-protected file on Google Drive. This file contains the Go-based GC2 tool, which retrieves commands from Google Sheets and exfiltrates data via the cloud storage service. “Once installed on the victim’s machine, the malware queries Google Sheets for attacker commands,” stated Google’s cloud division in its latest Threat Horizons Report.

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.

Iranian State-Sponsored Hackers Target U.S. Energy and Transportation Infrastructure

April 19, 2023
Cyber Threat / SCADA

A subgroup of Iranian state-backed hackers, identified as Mint Sandstorm, has been implicated in a series of attacks against critical U.S. infrastructure from late 2021 to mid-2022. According to Microsoft’s Threat Intelligence team, this group demonstrates a high level of technical expertise, with the ability to create custom tools and rapidly exploit known vulnerabilities. Their operational focus aligns closely with Iran’s national interests, targeting seaports, energy firms, transit systems, and a major U.S. utility and gas company. These cyber activities are believed to be retaliatory, stemming from prior attacks on Iran’s maritime, railway, and gas station payment systems between May 2020 and late 2021. Iran has alleged that these earlier attacks were orchestrated by Israel and the U.S. to incite domestic unrest.

U.S. and U.K. Alert on Russian Hackers Utilizing Cisco Router Vulnerabilities for Espionage

April 19, 2023
Network Security / Cyber Espionage

Cybersecurity and intelligence agencies from the U.S. and U.K. have issued a warning about Russian state-sponsored actors exploiting recently patched vulnerabilities in Cisco networking equipment for reconnaissance and malware deployment against specific targets. These intrusions occurred in 2021 and affected a limited number of entities across Europe, U.S. government agencies, and around 250 Ukrainian victims. The activity has been linked to the threat group APT28, also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, which is connected to the Russian General Staff Main Intelligence Directorate (GRU). The National Cyber Security Centre (NCSC) noted that APT28 gained access to vulnerable routers using default and weak SNMP community strings, as well as by exploiting CVE-2017-6742, a remote code execution vulnerability with a CVSS score of 8.8.