AkzoNobel, the Dutch multinational paints and coatings company behind Dulux, Sikkens, International, and Interpon, confirmed a cyberattack at one of its US facilities after the Anubis ransomware gang published sample data from an alleged 170GB exfiltration. AkzoNobel (which generates over $12 billion in annual revenue and employs approximately 35,000 people across 150+ countries) stated the incident was "limited to the respective site and was already contained." Anubis claims to have exfiltrated approximately 170,000 files including confidential client contracts, internal communications, passport copies, and technical specifications, publishing sample materials on its leak site as proof. AkzoNobel has not disclosed whether it has entered negotiations with the attackers or whether any ransom has been paid.

What Happened

The breach came to light when the Anubis ransomware gang posted sample data from AkzoNobel on its dark web leak site, the standard double-extortion move used to pressure victims into payment. AkzoNobel confirmed the incident to BleepingComputer, stating it identified "a security incident at one of our sites in the United States," that the incident was contained to a single location, and that the company is "taking the appropriate steps to notify and support impacted parties" while working with relevant authorities.

The company's statement is notably minimizing: "limited to the respective site" and "impact is limited" are containment framings that speak to internal spread, not to the scope of what was exfiltrated. Anubis's 170GB claim across 170,000 files is not addressed by AkzoNobel's statement. The sample materials published by Anubis (screenshots and file listings showing client contracts, passport copies, and technical documentation) suggest meaningful operational data was accessed, not merely peripheral systems.

AkzoNobel has not disclosed the timeline of the attack, the specific US site affected, or the attack vector. The company declined to comment on ransom negotiations.

Anubis is a RaaS operation launched in December 2024 that expanded aggressively through an affiliate recruitment campaign on underground forums in February 2025, offering affiliates up to 80% of ransom payments, an unusually high revenue share designed to attract experienced operators. In June 2025, Anubis added a destructive data erasure capability: a tool that permanently destroys victim data if the ransom is not paid, eliminating the recovery option entirely and maximizing pressure.

What Was Taken

Per Anubis's claim, with sample materials published as proof:

Volume: ~170GB, ~170,000 files

Categories:

- Confidential contracts with major clients: commercial agreements, likely including pricing, product specifications, and supply terms
- Contact details: customer and partner contact information
- Internal communications: emails, memos, or internal correspondence
- Passport copies: identity documents belonging to employees or contractors
- Testing documentation: product testing records, quality assurance data, compliance documentation
- Technical specifications: product formulation data, manufacturing process documentation, or engineering specifications

The presence of passport copies and technical specifications in the published sample is significant. Passport copies indicate HR or travel management data was reachable from the compromised site's systems. Technical specifications for a coatings and paints manufacturer may include proprietary formulation data, commercially sensitive intellectual property that has value to competitors or state actors independent of any ransom payment.

AkzoNobel has not confirmed or denied the data categories listed by Anubis.

Why It Matters

AkzoNobel operates in sectors with national security adjacency. AkzoNobel's coatings portfolio, under brands like International and Sikkens, includes marine, protective, and industrial coatings used in shipbuilding, energy infrastructure, and aerospace. Technical specifications from a coatings manufacturer are not generic business records; they may include formulation data for corrosion-resistant, fire-retardant, or specialized industrial coatings with applications in critical infrastructure. State-sponsored threat actors and sophisticated commercial competitors have material interest in this data category beyond the ransom transaction.

Anubis's destructive erasure capability changes the calculus. Most ransomware operators use encryption as leverage for payment: restoration is at least theoretically possible if you pay. Anubis added a permanent data destruction tool in June 2025, so if negotiations fail it can wipe the data on the victim's systems rather than merely leave it encrypted. For AkzoNobel, this means data on the compromised systems is exposed to irreversible destruction, not just the publication of the files Anubis claims to hold, if the company does not engage. This is a qualitative escalation in victim leverage compared to encryption-only operators.

The RaaS affiliate model amplifies the threat. Anubis's 80% affiliate revenue share is among the highest in the current RaaS marketplace, designed to attract experienced operators who could otherwise work for larger, more established groups. High affiliate share accelerates the pipeline of targets and attacks; affiliates are incentivized to run parallel campaigns rather than focusing on one victim at a time. AkzoNobel is likely one of multiple simultaneous Anubis campaigns.

"Contained to one site" does not mean contained. AkzoNobel's containment framing addresses lateral spread within its corporate network; it says nothing about the data that left the building. Whatever the undisclosed timeline, the exfiltration was complete before containment: the samples are already on the leak site. Containment of the attacker's network access does not undo the exfiltration, does not prevent publication, and does not eliminate the leverage Anubis holds. The harm to clients, employees, and partners whose data appears in those 170,000 files is not addressed by network containment.

The Attack Technique

The specific initial access vector has not been disclosed by AkzoNobel or established independently. Anubis operates through affiliates who select their own initial access methods, meaning the technique varies by affiliate rather than being attributable to a single Anubis methodology.

Common Anubis affiliate initial access vectors based on observed campaigns:

Exploitation of internet-facing vulnerabilities: VPN appliances, RDP, and web application vulnerabilities are standard entry points for RaaS affiliates targeting manufacturing and industrial companies. AkzoNobel operates production facilities with operational technology (OT) networks that frequently have legacy IT/OT integration points exposing industrial systems to corporate networks.

Phishing and credential theft: Email-based phishing targeting employees at the specific US facility, with credentials used to establish initial access and move laterally to data stores.

Compromised third-party access: Manufacturing facilities commonly have vendor remote access for equipment maintenance, ERP systems, and quality management systems. Compromise of a vendor credential provides a low-noise entry path.

The attack's containment to a single site, if accurate, suggests one of two things: either the initial access vector was specific to that facility's systems and did not provide a path into AkzoNobel's broader corporate network, or network segmentation between sites limited lateral movement. The former is more likely, since RaaS affiliates typically escalate access as far as they can.

What Organizations Should Do

  1. AkzoNobel clients whose contracts may be in the leaked dataset: assess your exposure now. If you have a commercial relationship with AkzoNobel (particularly for industrial, marine, or protective coatings) assume your contract details, contact information, and pricing terms may be in the 170,000 files Anubis holds. Assess what sensitive information those contracts contain: pricing structures, supply chain terms, project specifications, or infrastructure details that you would not want publicly available or in a competitor's hands.

  2. Segment IT and OT networks in industrial and manufacturing facilities. AkzoNobel's single-site containment, whether achieved by design or by luck, highlights the value of network segmentation between facilities and between corporate IT and OT environments. A ransomware compromise that reaches one facility's systems should not automatically have a network path to corporate headquarters, ERP systems, or other sites. Audit east-west connectivity between facilities and implement explicit firewall rules limiting inter-site access to required business functions only.

  3. Treat passport copies and employee identity documents as the highest-priority data category for access control. The presence of passport copies in the exfiltrated data indicates HR or travel management systems were reachable from the compromised environment. Identity documents should be stored in systems with the strictest access controls, not in general-purpose file shares or email archives accessible from operational networks. Implement role-based access controls that limit passport and identity document access to HR systems with separate credentials and MFA.

  4. For Anubis targets: engage law enforcement and a specialized ransomware negotiation firm before making any payment decision. Anubis's permanent erasure capability means the decision calculus differs from standard ransomware. Early engagement with the FBI and CISA gives law enforcement the opportunity to share any intelligence it holds on the affiliate's operations, on whether decryption keys have been obtained, or on whether infrastructure has been disrupted. A specialized negotiation firm can assess whether payment is likely to result in data deletion (historically unverifiable: there is no way to prove an attacker has destroyed their copy) and whether alternative options exist.

  5. Implement data loss prevention (DLP) monitoring for large-volume exfiltration from industrial sites. A 170GB exfiltration produces detectable network traffic patterns, particularly if it traverses corporate WAN links to reach the attacker's exfiltration infrastructure. Tooling that monitors for large outbound transfers relative to a host's normal baseline, unusual protocols, or data moving to cloud storage or Tor entry relays can detect exfiltration in progress, potentially before the ransomware payload is deployed and before the full dataset leaves the network.

  6. Audit third-party vendor remote access to all facility-level systems. Manufacturing facilities that use vendor-managed systems (ERP, quality management, SCADA, equipment maintenance platforms) should immediately audit who has remote access to those systems, confirm that access is time-limited and requires explicit authorization for each session, and review access logs for the past 90 days for anomalous activity. Vendor-facilitated access is a low-visibility entry point that evades standard perimeter monitoring.
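As an added illustration of the volumetric check behind item 5 (example code written for this page, not AkzoNobel's monitoring or anything from the Anubis case), the following Python sums hourly egress per internal host from NetFlow-style records, fires when a host sends many times its own baseline, and tags destinations that fall in hypothetical bulk-storage or Tor relay ranges. The flow records, baselines, thresholds and address lists are all constructed; a real deployment learns baselines from weeks of flow history and loads destination lists from the cloud providers' published ranges and a Tor relay feed.

```python
"""Flag candidate bulk exfiltration in WAN flow records.

Added illustration, not AkzoNobel's tooling. Input is a constructed list of
NetFlow-style records from a site's WAN edge; thresholds, baselines and
destination lists are assumptions to be replaced with real data.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# The site's own address plan. Explicit ranges are used instead of
# IPv4Address.is_private, which also treats RFC 5737 documentation
# ranges (used below for external hosts) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical destination intelligence; RFC 5737 ranges stand in for
# real provider ranges and a real Tor relay list.
BULK_STORAGE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
TOR_RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
TOR_PORTS = {9001, 9030}

# Assumed per-host hourly outbound baselines in bytes.
BASELINE_BYTES_PER_HOUR = {
    "10.20.5.14": 50_000_000,     # engineering workstation
    "10.20.5.20": 80_000_000,     # office client
    "10.20.7.3": 2_000_000_000,   # backup server replicating off-site nightly
}
DEFAULT_BASELINE = 100_000_000
BASELINE_MULTIPLIER = 10          # fire at 10x the host's own baseline ...
ABSOLUTE_FLOOR = 500_000_000      # ... but never below 500 MB/h, to cut noise

# Constructed sample flows: (timestamp, src, dst, dst_port, bytes sent by src).
SAMPLE_FLOWS = [
    ("2025-01-01T02:00:00", "10.20.5.14", "198.51.100.7", 443, 900_000_000),
    ("2025-01-01T02:10:00", "10.20.5.14", "198.51.100.7", 443, 1_100_000_000),
    ("2025-01-01T02:25:00", "10.20.5.14", "203.0.113.9", 9001, 400_000_000),
    ("2025-01-01T02:40:00", "10.20.5.14", "198.51.100.7", 443, 1_300_000_000),
    ("2025-01-01T02:05:00", "10.20.5.20", "192.0.2.10", 443, 2_000_000),
    ("2025-01-01T14:00:00", "10.20.5.20", "203.0.113.50", 9001, 5_000_000),
    ("2025-01-01T09:15:00", "10.20.7.3", "192.0.2.33", 443, 1_500_000_000),
    ("2025-01-01T09:20:00", "10.20.7.3", "10.30.1.5", 445, 4_000_000_000),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def destination_tags(ip, port):
    """Label an external destination with the categories worth flagging."""
    addr = ipaddress.ip_address(ip)
    tags = []
    if any(addr in net for net in BULK_STORAGE_NETS):
        tags.append("bulk-cloud-storage")
    if any(addr in net for net in TOR_RELAY_NETS) or port in TOR_PORTS:
        tags.append("tor-relay")
    return tags


def hour_bucket(ts):
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)


def aggregate_egress(flows):
    """Sum bytes per (internal host, hour) for flows leaving the internal ranges."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for ts, src, dst, port, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # inter-site and inbound traffic belong to a different audit
        key = (src, hour_bucket(ts))
        totals[key] += nbytes
        dests[key].add((dst, port))
    return totals, dests


def find_exfiltration(flows):
    """Return alerts for hosts whose hourly egress is anomalous or suspicious."""
    totals, dests = aggregate_egress(flows)
    alerts = []
    for (host, bucket), nbytes in sorted(totals.items()):
        baseline = BASELINE_BYTES_PER_HOUR.get(host, DEFAULT_BASELINE)
        volume_anomalous = (nbytes >= BASELINE_MULTIPLIER * baseline
                            and nbytes >= ABSOLUTE_FLOOR)
        tags = sorted({t for dst, port in dests[(host, bucket)]
                       for t in destination_tags(dst, port)})
        if not volume_anomalous and not tags:
            continue
        reasons = []
        if volume_anomalous:
            reasons.append(f"{nbytes // baseline}x baseline")
        reasons.extend(tags)
        # Volume plus a bulk-storage or Tor destination is the exfiltration
        # pattern; either signal alone still deserves a look, at lower severity.
        if volume_anomalous and tags:
            severity = "high"
        elif volume_anomalous:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"host": host, "window": bucket.isoformat(),
                       "bytes": nbytes, "reasons": reasons, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_exfiltration(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the engineering workstation moving 3.7 GB to a storage range and a Tor relay between 02:00 and 03:00 is reported as high severity, the office client's small Tor-port connection as low, and the backup server's 1.5 GB nightly replication is not reported because it is within that host's own baseline. The floor and multiplier are the two knobs to tune against a site's real traffic before this is allowed to page anyone.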
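The 90-day access-log review in item 6 is, at its core, a reconciliation of session records against approvals. The following Python is an added example written for this page (not AkzoNobel's process or any vendor's tooling) that joins constructed jump-host session records with constructed change tickets and reports sessions with no approval, sessions touching systems outside the ticket's scope, and sessions that ran past their approved window. The record layouts, account names and ticket identifiers are assumptions.

```python
"""Reconcile vendor remote-access sessions against approved change tickets.

Added illustration, not AkzoNobel's process. Session and ticket records are
constructed; field layouts are assumptions about a jump host / VPN log export
and a change-management export.
"""
from datetime import datetime

# Constructed vendor sessions as a jump host would log them:
# (vendor account, target system, session start, session end)
SESSIONS = [
    ("vendor-mes-support", "mes-app-01", "2025-01-06T09:05:00", "2025-01-06T10:40:00"),
    ("vendor-mes-support", "mes-db-01", "2025-01-06T09:50:00", "2025-01-06T10:10:00"),
    ("vendor-plc-maint", "plc-eng-ws", "2025-01-07T22:30:00", "2025-01-08T01:15:00"),
    ("vendor-qms", "qms-app-01", "2025-01-08T13:00:00", "2025-01-08T19:30:00"),
]

# Constructed approved access requests from the change system:
# (ticket id, vendor account, systems in scope, window start, window end)
TICKETS = [
    ("CHG-1001", "vendor-mes-support", {"mes-app-01"},
     "2025-01-06T09:00:00", "2025-01-06T12:00:00"),
    ("CHG-1002", "vendor-qms", {"qms-app-01"},
     "2025-01-08T13:00:00", "2025-01-08T17:00:00"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def tickets_covering(account, start, tickets):
    """Tickets for this account whose approved window contains the session start."""
    return [t for t in tickets
            if t[1] == account and parse(t[3]) <= start <= parse(t[4])]


def audit_sessions(sessions, tickets):
    """Return one finding per session that is not fully covered by an approval."""
    findings = []
    for account, system, s, e in sessions:
        start, end = parse(s), parse(e)
        covering = tickets_covering(account, start, tickets)
        if not covering:
            findings.append({"account": account, "system": system, "start": s,
                             "finding": "no-ticket",
                             "detail": "no approved window covers this session"})
            continue
        in_scope = [t for t in covering if system in t[2]]
        if not in_scope:
            ids = ", ".join(t[0] for t in covering)
            findings.append({"account": account, "system": system, "start": s,
                             "finding": "out-of-scope",
                             "detail": f"system not listed in {ids}"})
            continue
        # Use the approval that runs latest, so a session is only reported as
        # overrunning when no ticket at all covers its tail.
        ticket = max(in_scope, key=lambda t: parse(t[4]))
        window_end = parse(ticket[4])
        if end > window_end:
            overrun = int((end - window_end).total_seconds() // 60)
            findings.append({"account": account, "system": system, "start": s,
                             "finding": "overran-window",
                             "detail": f"{ticket[0]} ended {overrun} min before session did"})
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SESSIONS, TICKETS):
        print(f"{f['account']:20} {f['system']:12} {f['start']}  "
              f"{f['finding']}: {f['detail']}")
```

Three of the four constructed sessions produce findings: the MES vendor's hop to a database host that its ticket did not list, an unticketed late-night session from the PLC maintenance account, and a QMS session that ran 150 minutes past its approved window. Sessions that start inside the window but stay connected for hours afterwards are exactly what a per-session authorization requirement is meant to surface, so the overrun check matters as much as the missing-ticket check.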
