Boeing — LockBit ransomware leak

LockBit accessed Boeing via the Citrix Bleed vulnerability in October 2023, exfiltrated 43GB of data, and published it after Boeing declined to pay the ransom.

Target: Boeing — LockBit ransomware leak
Date public: 27 October 2023
Sector: Defence
Attack type: Ransomware
Threat actor: LockBit
Severity: Medium
Region: United States

In late October 2023 the criminal group LockBit announced on its website that it had stolen data from Boeing — one of the world's largest aerospace and defence companies — and would publish the data unless Boeing paid a ransom. Boeing confirmed that its parts and distribution business had experienced a "cyber incident" but declined to pay. The way the attackers got in turned out to be significant. They exploited a flaw in a piece of software called Citrix NetScaler, which many large organisations use to manage remote access. The flaw — nicknamed Citrix Bleed — allowed attackers to bypass login screens entirely, without needing a password. A patch had been available for weeks but Boeing's systems hadn't been updated. When Boeing refused to pay, LockBit published 43 gigabytes of internal files including parts inventory records, supplier contracts, and operational documents. Boeing was one of several high-profile victims of the same Citrix Bleed flaw in late 2023, and US, UK and Australian security agencies published a joint warning that specifically cited Boeing as an example of what could happen.

What happened

On 27 October 2023 LockBit published a notice on its extortion site listing Boeing as a new victim and setting a deadline of 2 November for the company to pay a ransom, after which LockBit threatened to release stolen data. Boeing confirmed publicly that it had experienced a “cyber incident” affecting its parts and distribution business unit. The company stated that flight safety was not affected — the incident did not touch avionics or operational flight systems — but acknowledged that its services business systems had been compromised.

Boeing declined to pay the ransom. When the deadline passed, LockBit extended it — a routine tactic used to maintain negotiating pressure. Boeing’s position did not change. On 10 November 2023, LockBit published approximately 43 gigabytes of stolen Boeing files on its leak site. The published data included parts inventory records, supplier contracts, operational documentation, and correspondence. Security researchers who reviewed the leaked files confirmed the data was genuine Boeing material.

The incident attracted significant attention beyond the data loss itself because of what it revealed about the attack vector. CISA, the FBI, the Multi-State ISAC, and the Australian Signals Directorate’s Australian Cyber Security Centre subsequently published a joint cybersecurity advisory (AA23-325A) on LockBit’s exploitation of the Citrix Bleed vulnerability, with Boeing cited as a named example. The advisory made clear that the same vulnerability had been used in a wave of attacks against large organisations in late 2023, including other high-profile victims in the financial services sector.

Boeing’s public response was minimal by design: the company confirmed the incident and its resolution, provided assurances on flight safety, and did not elaborate further. No detailed post-incident account has been published.

How it worked

The entry vector was CVE-2023-4966, a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances, publicly branded as Citrix Bleed by security researchers at Assetnote who discovered and reported it. Citrix disclosed the vulnerability and issued patches on 10 October 2023. Within days of disclosure, threat actors — including LockBit affiliates — were mass-scanning the internet for unpatched NetScaler appliances and exploiting them at scale.

Citrix Bleed allowed an unauthenticated attacker to retrieve session tokens from vulnerable NetScaler appliances. Session tokens are the digital credentials that keep a user logged in after they have already authenticated — including after completing multi-factor authentication. By stealing valid session tokens, an attacker could bypass the authentication process entirely and gain access to the corporate network as if they were a legitimate user who had already passed all verification steps. MFA, which would normally be the control that blocks credential-only attacks, provided no protection because Citrix Bleed did not require credentials at all.

At Boeing, the vulnerable NetScaler appliance provided the initial foothold. From there, LockBit operators or their affiliates moved laterally through the parts and distribution business network, identifying and exfiltrating data of interest before deploying ransomware. The Boeing incident — like the ICBC Financial Services attack that followed two weeks later and used the same vulnerability — demonstrated the scale at which a single unpatched internet-facing appliance can expose an organisation to a sophisticated criminal group operating with speed and precision.

LockBit’s operations relied on an affiliate model: the group provided the malware, infrastructure, and extortion support, while individual affiliates conducted the actual intrusions and took a revenue share of any ransom paid. The Citrix Bleed campaign was conducted by affiliates who had identified the vulnerability as a high-yield access mechanism and exploited it systematically across multiple large targets in a short window.

Timeline

  • 10 October 2023 — Citrix discloses CVE-2023-4966 (Citrix Bleed) and releases patches for NetScaler ADC and NetScaler Gateway.
  • Shortly after 10 October — LockBit affiliates begin mass-exploitation of unpatched Citrix NetScaler appliances globally, including Boeing’s.
  • 27 October 2023 — LockBit lists Boeing on its extortion site, sets 2 November deadline.
  • 27 October 2023 — Boeing confirms “cyber incident” affecting its parts and distribution business. States flight safety unaffected.
  • 2 November 2023 — LockBit deadline passes. Boeing has not paid. LockBit extends deadline.
  • 10 November 2023 — LockBit publishes approximately 43 GB of Boeing data on its leak site.
  • November 2023 — Security researchers confirm leaked data is genuine.
  • 21 November 2023 — CISA, FBI, MS-ISAC, and ASD ACSC publish joint advisory AA23-325A on Citrix Bleed exploitation, naming Boeing as an example victim.
  • February 2024 — Operation Cronos disrupts LockBit. NCA, DOJ, and Europol seize infrastructure and identify LockBit’s administrator.

What defenders should learn

Citrix Bleed is an object lesson in the patch window problem for internet-facing infrastructure. Citrix published the patch on 10 October 2023. Exploitation at scale was underway within days. For organisations that treat patch management as a monthly process, a fourteen-day patch window for a critical vulnerability in an internet-facing authentication gateway is not a patch window: it is an open door. Internet-facing appliances — VPN gateways, remote access platforms, load balancers, managed file-transfer systems — require a dedicated, accelerated patch cadence operated by a team that monitors vendor security bulletins in real time and treats critical remote-code-execution vulnerabilities as emergency-priority work.

The session-token theft mechanism is why MFA provided no protection here, and that is the most important technical detail for defenders to internalise. The assumption that MFA makes credential compromise irrelevant is wrong in the presence of post-authentication session-hijacking vulnerabilities. Citrix Bleed did not steal passwords; it stole the token that proved the user had already authenticated, including via MFA. The controls that help against this class of attack are token-binding mechanisms that tie session tokens to specific client characteristics, short session-timeout policies that limit the window in which a stolen token is valid, and anomaly detection on session activity that flags tokens being used from unexpected network locations or devices.
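The binding and lifetime checks described above, as an added Python example that is not from the original page and does not reflect NetScaler's own log format or policy engine; the record layout, the eight-hour lifetime and the sample events are constructed for illustration:

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed session-event records (assumed layout, not NetScaler's real logs):
# "timestamp|event|token_id|user|src_ip|user_agent"
SAMPLE_LOG = """\
2023-10-15T08:00:00|login|tok-a1|alice|198.51.100.10|Chrome/118
2023-10-15T08:05:00|request|tok-a1|alice|198.51.100.10|Chrome/118
2023-10-15T08:30:00|request|tok-a1|alice|203.0.113.77|python-requests/2.31
2023-10-15T09:00:00|login|tok-b2|bob|198.51.100.20|Firefox/119
2023-10-15T18:10:00|request|tok-b2|bob|198.51.100.20|Firefox/119
"""

# Assumed absolute session lifetime: bounds how long a stolen token stays usable.
MAX_SESSION_AGE = timedelta(hours=8)

Event = namedtuple("Event", "ts kind token user src_ip user_agent")


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, token, user, ip, ua = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, token, user, ip, ua))
    return events


def find_hijacked_sessions(events):
    """Return (token, reason) for every token use that breaks binding or lifetime."""
    issued = {}    # token -> the login event that minted it
    findings = []
    for ev in events:
        if ev.kind == "login":
            issued[ev.token] = ev
            continue
        origin = issued.get(ev.token)
        if origin is None:
            findings.append((ev.token, "token used with no observed login"))
            continue
        # Token binding: the token must be presented from the client that obtained it.
        if (ev.src_ip, ev.user_agent) != (origin.src_ip, origin.user_agent):
            findings.append((ev.token, f"binding mismatch: {origin.src_ip} -> {ev.src_ip}"))
        # Short lifetime: a valid token still expires, shrinking the replay window.
        if ev.ts - origin.ts > MAX_SESSION_AGE:
            findings.append((ev.token, "token used past max lifetime"))
    return findings
```

Both findings in the sample are what a replayed token looks like to a defender: the same credential, an unexpected origin or an expired window.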

Boeing’s decision not to pay resulted in a data leak but not in a service disruption of the kind associated with fully deployed ransomware. The data published was from the parts and distribution business and, while operationally sensitive, did not affect flight operations or defence-programme materials (at least according to publicly available information). The decision to refuse payment is consistent with the position taken by Royal Mail and Norsk Hydro before it, and the collective effect of high-profile refusals on ransomware group economics — while difficult to measure — is the principal argument that defenders and governments make for why paying is the wrong choice even when it is technically available.
