General Electric (GE) is investigating claims that the threat actor "IntelBroker" breached GE's development environment.
The threat actor is reportedly selling access to GE's "development and software pipelines" on a hacking forum for $500. The threat actor then posted both network access and allegedly stolen data for sale.
The threat actor claimed that the stolen data included "a lot of DARPA-related military information, files, SQL files, documents etc." The threat actor also shared screenshots of the allegedly stolen data, including what appears to be a GE Aviation database containing military project information.
A GE spokesperson stated that it is aware of the claims and investigating the possible data breach. The spokesperson said they will "take appropriate measures to help protect the integrity of our systems."
Although the breach has not been confirmed, IntelBroker is known to have carried out "successful, high-profile cyberattacks in the past," including stealing sensitive personal data from DC Health Link, a healthcare marketplace used by many White House and U.S. House of Representatives staffers.
In that breach, a server was misconfigured, making it accessible online. Lawrence Abrams "General Electric investigates claims of cyber-attack, data theft" www.bleepingcomputer.com (Nov. 25, 2023).
After a breach, to prevent additional unauthorized access and more stolen data, organizations must act quickly to secure their networks as soon as they learn of a successful cyberattack.
To promote quick action, it is important to have a data breach response plan in place that includes the following steps from the Federal Trade Commission (FTC).
A first step is to "secure your systems and fix vulnerabilities that may have caused the breach" by taking all affected devices offline immediately, meaning disconnecting them from the network. However, do not power the machines off until your forensic experts have examined them, since shutting down can destroy volatile evidence.
Remember, criminals may have access to your network until you change login credentials. After a breach, always require new credentials and passwords for authorized users.
If you think that criminals may have physical access to your servers, you need to secure those servers immediately.
Immediately "mobilize your data response team" to determine the exact steps your organization needs to take to prevent additional data loss.
You should already have a list of experts to call in the event of a breach, forming "a team of experts to conduct a comprehensive breach response." Consider including independent forensic investigators, your legal counsel, information security and information technology staff, human resources, and your communications team.
Another consideration is to work with forensics experts and law enforcement to determine when you can resume operations. "Data Breach Response: A Guide for Business" www.ftc.gov (Feb. 2021).