{
	"id": "308d6d39-f739-4ad2-9296-bd556f8b7f4f",
	"created_at": "2026-04-06T00:08:32.589416Z",
	"updated_at": "2026-04-10T03:21:20.494019Z",
	"deleted_at": null,
	"sha1_hash": "58b904e0b3b494b5535511e28fb4dec605de6d3b",
	"title": "Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45861,
	"plain_text": "Clop ransomware gang leaks online what looks like stolen\r\nBombardier blueprints of GlobalEye radar snoop jet\r\nBy Gareth Corfield\r\nPublished: 2021-02-23 · Archived: 2026-04-05 22:27:24 UTC\r\nThe Clop ransomware gang claims to have stolen documents from aerospace giant Bombardier’s defense division\r\n– and has leaked what appears to be a CAD drawing of one of its military aircraft products, raising fears over what\r\nelse they’ve got.\r\nOver on their Tor hidden service, the cyber-extortionists published what they said were screenshots of blueprints\r\nswiped from Bombardier as evidence of their crimes. The gang abused the same vulnerability in file-transfer\r\nsoftware from Accellion that was exploited earlier this year to nab documents from Trump's lawyers.\r\nBombardier confirmed its security had been breached, putting out a public statement only minutes after The\r\nRegister grilled the Canadian business jet maker on the Clop gang's claims. “An initial investigation revealed that\r\nan unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer\r\napplication, which was running on purpose-built servers isolated from the main Bombardier IT network,” the biz\r\nsaid.\r\nBombardier added it is working with “cybersecurity and forensic professionals,” and insisted it “was not\r\nspecifically targeted — the vulnerability impacted multiple organizations using the application.” A spokeswoman\r\nconfirmed the breach came about thanks to a hole in an Accellion file-transfer product.\r\nThus, Bombardier was among various corporations using Accellion's vulnerable file-transfer software, which were\r\nexploited to pilfer documents. 
A flaw in the application was revealed in December, and it appears criminals were\r\nquick to make hay before the world got round to patching their deployments.\r\nAround 130 Bombardier employees in Costa Rica were “impacted” by the hack, we're told, suggesting their\r\npersonal information was obtained or otherwise accessed by miscreants.\r\nRadar antenna and military jet\r\nPictures dumped online by Clop, and seen by The Register, showed a CAD rendering of a Bombardier GlobalEye\r\naircraft, a Global 6000 business jet converted to carry a distinctive Saab Erieye plank-style radar mounted on top\r\nof its fuselage. A second picture showed a detailed 3D view of what appeared to be a radar head complete with its\r\nmounting.\r\nThe screenshots also showed an email seemingly sent by an employee of Marshall Aerospace of Cambridge, UK,\r\nwhich has previously worked on military conversions of Global 6000s for various countries.\r\nExperts, almost all of whom spoke to us on condition of anonymity because they were not authorized to speak\r\npublicly, drew different conclusions about the radar equipment in the picture leaked by Clop.\r\nOne, with extensive professional experience of airborne radars, suggested the hardware was a passive array\r\nantenna with beam-forming wave guides mounted behind it. 
Another suggested it was consistent with\r\nmechanically scanning radar heads mounted in aircraft, saying: “My first thought upon seeing it was that it\r\nreminded me of the old 1970s and 1980s vintage radar arrays in the F-15 Eagles.”\r\nA third said: “I think I know; if so, it’s no comment, I’m afraid”.\r\nPhilip Ingram, a former British intelligence officer and now a security commentator, told The Register: “The\r\naircraft looks like the GlobalEye,” adding: “It could be a Synthetic Aperture Radar image but neither picture\r\nwould be sensitive in the detail – they look like they could be out of sales or pre-sales literature.”\r\nThe Global 6000 airframe used for the GlobalEye also forms the basis of the British Royal Air Force’s Sentinel\r\nairborne early-warning aircraft. In the orientation shown in the CAD image, the radar antennas could be the ones\r\nmounted in the Sentinel’s long ventral radome, pictures of which can be seen in this Royal Aeronautical Society\r\nfeature about the aircraft.\r\nClop has made a habit of targeting high-profile companies for its ransomware extortion activities, which consist of\r\ninfiltrating a business's networks, exfiltrating and encrypting files, and then demanding payment to not only\r\ndecrypt and restore the scrambled data but also to not publicly release the sensitive purloined materials.\r\nBrett Callow of infosec firm Emsisoft told The Register that while Clop is bragging about the intrusion, it may not\r\nhave been the ransomware gang itself that broke into the corporations.\r\n“It’s more likely that the actor responsible for the file-transfer application (FTA) hacks has delegated the extortion\r\nto Clop, as they have the necessary infrastructure and expertise,” he said. 
“Other organizations which have\r\ndisclosed FTA breaches include the Reserve Bank of New Zealand, the Australian Securities and Investments\r\nCommission, and Colorado University – and it’s not at all unlikely that Clop has those organizations’ data, too.”\r\nClop also last year hit Software AG. What’s the lesson here? Patch your IT estate promptly and watch out for\r\nthird-party suppliers. ®\r\nSource: https://www.theregister.com/2021/02/23/bombardier_clop_ransomware_leaks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.theregister.com/2021/02/23/bombardier_clop_ransomware_leaks/"
	],
	"report_names": [
		"bombardier_clop_ransomware_leaks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58b904e0b3b494b5535511e28fb4dec605de6d3b.pdf",
		"text": "https://archive.orkl.eu/58b904e0b3b494b5535511e28fb4dec605de6d3b.txt",
		"img": "https://archive.orkl.eu/58b904e0b3b494b5535511e28fb4dec605de6d3b.jpg"
	}
}