A subsidiary of Indra Group, the Spanish defense and technology contractor tied to NATO's cyberdefence coalition, has been claimed as a victim by the ransomware crew known as The Gentlemen. The attackers have listed the company on their leak site and set a nine-day countdown for Indra to make contact before allegedly stolen data is published. Indra, which employs more than 62,000 people, generates roughly 5 billion euros in annual revenue, and operates in over 140 countries, says an investigation and security review are underway.
What Happened
The Gentlemen publicly asserted responsibility for a cyberattack against an Indra Group subsidiary and added the company's name to their extortion portal. Rather than demanding an immediate payment, the group issued a nine-day ultimatum for the victim to initiate contact, a common double-extortion tactic designed to pressure negotiations before a public data dump.
There is a gap between the attackers' claims and Indra's internal assessment, leaving the true scope of the breach uncertain. Indra reports an ongoing investigation, but the presence of its name on the leak site strongly suggests that at least some data was exfiltrated before the group went public.
What Was Taken
The specific data set, volume, and sensitivity have not been confirmed. The attackers claim to hold stolen information and have threatened to release it if the deadline passes without contact.
Given Indra's role in defense, aerospace, satellite communications, air traffic control, military simulation, and critical infrastructure protection across energy, finance, telecommunications, and public administration, any exfiltrated material could carry sensitivity well beyond a typical corporate breach. The 2025 acquisition of a 90 percent stake in satellite operator Hispasat further widens the potential blast radius into space-based communications. Until Indra confirms details, defenders should treat the claim as credible and plan for the possibility that operational or client-linked data is involved.
Why It Matters
Indra is not a standard corporate target. As the first Spanish entity to join NATO's cyberdefence coalition, it sits inside sensitive European defense partnerships and supplies identity management, cybersecurity frameworks, and infrastructure protection to governments and militaries.
The company's active collaborations raise the stakes further, including a 2026 memorandum with Italy's Leonardo and cybersecurity work alongside Telefonica. A confirmed leak would carry serious reputational consequences and could expose supply-chain relationships that adversaries could exploit against downstream partners. For a contractor this deeply embedded in national security programs, a breach is a potential strategic risk, not merely an IT incident.
The Attack Technique
The initial access vector, dwell time, and deployment method for this specific intrusion have not been disclosed. What is known is the actor behind it.
The Gentlemen is a recently emerged group that traces its lineage to ArmCorp, an affiliate of the Qilin ransomware program. The split from Qilin occurred in July 2025 after a dispute over unpaid commissions, documented in a public arbitration request filed by a threat actor using the handle "hastalamuerte." The group's ransomware first surfaced on VirusTotal on July 17, 2025, with its leak site URL already embedded in the malware, indicating the separation from Qilin was planned in advance. The Gentlemen runs a ransomware-as-a-service model, sharing profits with affiliates who deploy its tooling, and has already claimed 27 victims in Thailand along with targets in the United States, France, and Brazil.
What Organizations Should Do
- Hunt for Qilin and Gentlemen indicators. Because The Gentlemen inherited tooling and tradecraft from a Qilin affiliate, pull the latest indicators of compromise for both families and sweep endpoints, edge devices, and logs for matches.
- Harden and monitor external access. Enforce phishing-resistant multi-factor authentication on VPNs, remote desktop, and identity portals, and prioritize patching of internet-facing systems that RaaS affiliates favor for initial access.
- Segment and protect backups. Maintain offline, immutable backups and verify restoration procedures so a double-extortion actor cannot cripple recovery even if data is exfiltrated.
- Watch for large outbound data transfers. Tune data loss prevention and network monitoring to flag anomalous exfiltration, since the extortion model depends on staging and moving data before encryption.
- Review third-party and supply-chain exposure. Partners and clients of defense contractors like Indra should assess shared access, credentials, and integrations that could be abused if contractor data leaks.
- Prepare an extortion response plan. Establish legal, communications, and law-enforcement contacts in advance so a nine-day deadline does not force rushed decisions.
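The outbound-volume check recommended above, as an added example that is not part of the article: it aggregates constructed flow-summary lines (a hypothetical date,host,destination,bytes_out format) per host per day and flags a host whose latest day exceeds a multiple of its own historical median, also reporting destinations the host had never sent to before. The 10x threshold and the sample hosts and addresses are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries: date,host,destination,bytes_out.
# ws-42 behaves normally for three days, then pushes ~10 GB to a new destination.
SAMPLE_FLOWS = """\
2025-07-10,ws-17,203.0.113.10,420000
2025-07-10,ws-42,203.0.113.10,510000
2025-07-11,ws-17,203.0.113.10,398000
2025-07-11,ws-42,203.0.113.10,495000
2025-07-12,ws-17,203.0.113.10,450000
2025-07-12,ws-42,203.0.113.10,520000
2025-07-13,ws-17,203.0.113.10,410000
2025-07-13,ws-42,198.51.100.7,9800000000
"""

RATIO_THRESHOLD = 10.0  # assumption: alert when a day exceeds 10x the host's own median


def daily_outbound(text):
    """Aggregate bytes and destinations per host per day from the flow lines."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dst, nbytes = line.split(",")
        totals[host][date] += int(nbytes)
        dests[host][date].add(dst)
    return totals, dests


def find_exfil_candidates(text, ratio=RATIO_THRESHOLD):
    """Return (host, date, ratio, new_destinations) for hosts whose latest day's
    outbound volume is at least `ratio` times the median of their earlier days."""
    totals, dests = daily_outbound(text)
    alerts = []
    for host, by_day in totals.items():
        days = sorted(by_day)
        if len(days) < 3:          # too little history to form a baseline
            continue
        baseline = median(by_day[d] for d in days[:-1])
        last = days[-1]
        r = by_day[last] / baseline if baseline else float("inf")
        if r >= ratio:
            seen_before = set().union(*(dests[host][d] for d in days[:-1]))
            alerts.append((host, last, round(r, 1), sorted(dests[host][last] - seen_before)))
    return alerts
```

A per-host baseline keeps a busy file server from masking a workstation that suddenly moves gigabytes to an address it has never contacted, which is the staging-and-transfer pattern that precedes encryption in double-extortion cases.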
Sources: NATO Contractor Indra Group Hit by Ransomware: Hackers Threaten Data Leak in 9 Days