Ransomware | Contained

Boeing LockBit ransomware via Citrix Bleed (2023)

LockBit operators exploited the Citrix Bleed vulnerability (CVE-2023-4966) to enter Boeing's parts and distribution business. Boeing did not pay; LockBit leaked roughly 45 GB of data, including Citrix logs, email backups, supplier lists, and 2020 pricing data.

Victim
Boeing (Parts and Distribution business)
Threat actor
LockBit
CVE
CVE-2023-4966

In late October 2023, the LockBit ransomware operation announced it had stolen "a tremendous amount" of data from Boeing and would publish it unless the aerospace giant paid by 2 November. Boeing confirmed an incident affecting its parts and distribution business on 2 November and declined to pay. On 10 November, LockBit released approximately 45 GB of Boeing data publicly. Analysis of the leak indicated the attackers had exploited the Citrix Bleed vulnerability (CVE-2023-4966) for initial access.

What happened

Boeing's parts and distribution business is the global infrastructure that handles spare-part orders, technical-supplier coordination, and the routine commercial flow of aerospace components. On 27 October 2023, LockBit posted a public claim threatening release of stolen Boeing data unless a ransom was paid by 2 November. Boeing confirmed it was responding to a cyber incident the same day the deadline passed and declined to negotiate.

On 10 November, LockBit released all the data it claimed to have, approximately 43–45 GB. The contents included:

  • Citrix logs dated as recently as 22 October 2023.
  • Email backups, provisioning service data.
  • Audits and security-control documents.
  • Boeing training materials.
  • Lists of Boeing's technical suppliers and distributors across Europe and North America (names, locations, phone numbers).
  • Boeing financial details including sales, rebates, cost of poor quality (COPQ) reports, and pricing data for 2020.

Researchers cross-referencing the leaked material against published vulnerability data concluded that LockBit likely exploited CVE-2023-4966 (Citrix Bleed) to gain initial access, the same flaw used in the contemporaneous ICBC attack.

Impact

  • ~45 GB of Boeing data released publicly.
  • Supplier and distributor contact data, internal pricing, and audit documents exposed.
  • Boeing refused to pay, one of the highest-profile no-pay decisions in U.S. ransomware.
  • Citrix Bleed (CVE-2023-4966) confirmed as the initial-access vector.

Why it matters

The Boeing case combines two firsts on a public scale: Citrix Bleed at industrial scale (also seen at ICBC) and a major U.S. defence-adjacent contractor publicly refusing to pay LockBit. The leak's content composition (supplier lists, pricing data, COPQ reports) also shows how thoroughly modern ransomware extortion harvests commercial intelligence from a target before the encryption stage.

Timeline

  1. LockBit claims it has stolen 'a tremendous amount' of sensitive data from Boeing and demands a ransom by 2 November 2023.

  2. Boeing confirms it is responding to a cyber incident impacting its parts and distribution business. LockBit's ransom deadline passes; Boeing declines to pay.

  3. LockBit releases all data it claims to hold from Boeing (approximately 43–45 GB) to its dark-web leak site. Contents include Citrix logs, email backups, audit and security-control documents dated as recently as 22 October 2023.

  4. Researchers analysing leaked material conclude LockBit likely exploited CVE-2023-4966 ('Citrix Bleed') as the initial access vector.

Sources

  1. cybersecuritydive.com: https://www.cybersecuritydive.com/news/boeing-files-leaked-claim/699579/
  2. theregister.com: https://www.theregister.com/2023/11/10/lockbit_leaks_boeing_files/
  3. securityweek.com: https://www.securityweek.com/ransomware-group-leaks-files-allegedly-stolen-from-boeing/
  4. therecord.media: https://therecord.media/boeing-investigating-leaked-lockbit-data
  5. securityaffairs.com: https://securityaffairs.com/154115/cyber-crime/lockbit-ransomware-leaked-boeing-data.html
