Boeing LockBit Ransomware 2023: $200M Demand, Defense Contractor Breach

2023-10-28
Breach Intelligence

Breach date: 2023-10-28
Industry: Aerospace & Defense
Severity: High
Records exposed: 43GB data leaked
Financial impact: $200M demanded

Breach Summary

The Boeing LockBit attack of October 2023 was one of the highest-profile ransomware incidents of the year, with the LockBit ransomware group initially claiming a $200 million ransom demand against one of the world's largest defense contractors before publishing stolen data when Boeing did not pay. The attack targeted Boeing's global services and parts distribution business rather than aircraft manufacturing or defense systems.

What Happened

LockBit claimed the Boeing breach on October 27, 2023, setting a ransom deadline and claiming a demand of $200 million. Boeing acknowledged the incident as affecting its parts and distribution business. When Boeing did not pay by the deadline, LockBit published approximately 43GB of stolen data, including internal documents, supplier information, and technical data. The FBI and CISA subsequently attributed the intrusion to the Citrix Bleed vulnerability (CVE-2023-4966), which had been disclosed in October 2023 and exploited widely before patches were applied.

Attack Vector Detail

LockBit affiliates compromised Boeing's distribution and services division systems using the Citrix Bleed vulnerability (CVE-2023-4966), a critical authentication bypass in Citrix NetScaler that allowed session token theft without credentials. The same vulnerability was exploited against dozens of other organizations during the same period. LockBit claimed on its leak site in late October 2023 that it had stolen 'a tremendous amount of sensitive data' from Boeing and set a ransom deadline. Boeing did not pay, and LockBit published approximately 43GB of stolen data in November 2023.
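An added example, not part of the original article or any vendor tooling: because a stolen session token is replayed after the legitimate user has already passed MFA, one way to hunt for it is to flag session IDs that appear from a client other than the one that authenticated. The log layout, event names and sample rows below are constructed for illustration.

```python
import csv
import io

# Constructed sample events; the column layout is an assumption, not a real
# NetScaler log format: time,event,session_id,user,src_ip,user_agent
SAMPLE_LOG = """\
2023-10-27T08:01:10Z,LOGIN_MFA_OK,s-1001,alice,198.51.100.10,Mozilla/5.0 (Windows NT 10.0)
2023-10-27T08:05:42Z,REQUEST,s-1001,alice,198.51.100.10,Mozilla/5.0 (Windows NT 10.0)
2023-10-27T08:07:03Z,REQUEST,s-1001,alice,203.0.113.77,python-requests/2.31
2023-10-27T09:00:00Z,LOGIN_MFA_OK,s-1002,bob,198.51.100.20,Mozilla/5.0 (Macintosh)
2023-10-27T09:10:00Z,REQUEST,s-1002,bob,198.51.100.20,Mozilla/5.0 (Macintosh)
2023-10-27T09:30:00Z,REQUEST,s-1003,carol,192.0.2.55,curl/8.4.0
"""


def find_suspect_sessions(log_text):
    """Flag session IDs used by a client other than the one that logged in."""
    auth_origin = {}   # session_id -> (src_ip, user_agent) at MFA login
    reported = set()   # de-duplicate repeated requests from one client
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, event, sid, user, ip, ua = row
        if event == "LOGIN_MFA_OK":
            auth_origin[sid] = (ip, ua)
            continue
        origin = auth_origin.get(sid)
        if origin is None:
            reason = "session used with no recorded login"
        elif ip != origin[0]:
            reason = f"source IP differs from login IP {origin[0]}"
        elif ua != origin[1]:
            reason = "user agent differs from login client"
        else:
            continue  # same client that authenticated
        if (sid, ip, ua) not in reported:
            reported.add((sid, ip, ua))
            findings.append({"time": ts, "session": sid, "user": user,
                             "src_ip": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspect_sessions(SAMPLE_LOG):
        print(f)
```

Findings are triage leads rather than verdicts: roaming or VPN clients change source IP legitimately, and a log window that starts mid-session will show requests with no recorded login.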

Breach Pattern Timeline

October 27, 2023

LockBit ransomware affiliate exploits CVE-2023-4966 ('Citrix Bleed') against Boeing's Citrix NetScaler infrastructure. The vulnerability allows session token theft from internet-facing Citrix devices, bypassing MFA.

October 27 - November 9, 2023

LockBit gains internal access via stolen session tokens. Conducts reconnaissance and exfiltrates approximately 43 GB of Boeing data including engineering documents, IT and HR records, and supplier information.

November 10, 2023

LockBit publicly lists Boeing on its dark web leak site, demanding ransom and threatening data publication. Sets short deadline.

November 21, 2023

Boeing 8-K SEC filing discloses cyberattack against Boeing Distribution. Confirms data exfiltration. Boeing does not pay the ransom.

November 10, 2023 (CISA bulletin)

CISA, FBI, and ASD/ACSC publish joint cybersecurity advisory specifically calling out LockBit's Citrix Bleed exploitation against Boeing and other organizations. Citrix Bleed becomes one of the most-exploited vulnerabilities of late 2023.

November 2023

LockBit publishes ~43GB of Boeing data after Boeing refuses to pay. Among the disclosed data: engineering specifications, supply chain documentation, internal communications.

February 19-20, 2024

Operation Cronos — coordinated international law enforcement action against LockBit — seizes LockBit infrastructure, dark web sites, decryption keys, and identifies LockBit administrators. UK NCA leads operation; FBI, Europol, and 10+ national agencies participate.

May 7, 2024

U.S. Treasury OFAC sanctions and DOJ indictment of Dmitry Khoroshev (LockBitSupp) — the alleged LockBit administrator. $10M reward issued for his location.

2024-2026

Boeing-LockBit case becomes part of the broader LockBit takedown narrative. Citrix Bleed (CVE-2023-4966) remains a top-exploited vulnerability across government and enterprise environments through 2024-2025.

Total impact: ~43GB of Boeing data exfiltrated and leaked after Boeing refused to pay the ransom. The case became a foundational precedent for the impact of Citrix Bleed (CVE-2023-4966) and for LockBit's eventual law enforcement disruption via Operation Cronos.

Executive Lessons

The Boeing attack demonstrated that defense contractors are not exempt from commodity ransomware attacks against their commercial divisions. The Citrix Bleed vulnerability was widely publicized before the Boeing attack — organizations that had not patched were exploited. Segmentation between commercial and classified systems is essential.

Private Equity Implications

Boeing's breach demonstrated that even the most security-conscious defense contractors face commodity ransomware attacks against commercial divisions. For PE sponsors with aerospace, defense, or government services portfolio companies, the Boeing case reinforces that commercial division security must meet the same standard as classified or sensitive program security — because a breach of commercial systems carries the same reputational and regulatory consequences.

How Cloudskope Can Help

Cloudskope's vulnerability management assessments and external attack surface reviews specifically evaluate Citrix NetScaler and other remote access infrastructure for the authentication bypass vulnerability classes exploited in the Boeing and LoanDepot attacks.

Frequently Asked Questions

What was the Boeing LockBit attack?

In October 2023, the LockBit ransomware group claimed an attack on Boeing's parts and distribution business, threatening to publish stolen data unless Boeing paid a ransom. Boeing did not pay the ransom; LockBit subsequently published approximately 43GB of stolen data including internal Boeing documents in November 2023. Boeing disclosed the incident in regulatory filings and emphasized that flight safety operations were not affected.

How did attackers compromise Boeing?

The attack was attributed to exploitation of CVE-2023-4966, a critical vulnerability in Citrix NetScaler ADC and Gateway products known as Citrix Bleed. The vulnerability enabled credential theft from affected Citrix appliances; LockBit affiliates used those credentials to obtain initial access to Boeing's parts business environment. The Citrix Bleed vulnerability was used in multiple major 2023-2024 breaches including the Industrial and Commercial Bank of China incident.

What data did LockBit publish?

LockBit published approximately 43GB of stolen Boeing data in November 2023 including aircraft parts inventory records, internal correspondence, and supplier information. Boeing stated that the published data did not include flight safety-related information or sensitive classified material. The publication occurred after Boeing refused to pay the ransom demand.

Did Boeing pay LockBit?

No. Boeing did not pay the ransom demand. The decision aligned with U.S. government discouragement of ransomware payments and with Boeing's defense industry standing — paying a ransom to a sanctioned criminal organization would have created significant regulatory complications. The publication of stolen data was the predictable consequence of refusing to pay.

What did the Boeing LockBit incident establish?

The Boeing incident demonstrated that critical infrastructure and defense industrial base companies are not immune from ransomware attacks targeting commercial business operations. It also reinforced the operational pattern of Citrix Bleed-based initial access, which contributed to widespread regulatory and industry attention to remote access infrastructure security in late 2023 and 2024.