The Qilin ransomware group has asserted responsibility for a cybersecurity breach targeting the European operations of SMC Corporation, a global leader in industrial automation and pneumatic technology.
According to a post from HackManac, the attackers claim to have exfiltrated 1.1 terabytes of data—comprising 552,000 files—including sensitive corporate documents, employee records, and proprietary technical schematics.

This incident marks the latest escalation in Qilin’s global campaign against critical infrastructure and manufacturing sectors.
Breach Details and Impact
SMC Corporation, a subsidiary of Japan-based SMC Corporation, confirmed an ongoing investigation into the breach after detecting unauthorized access to its European IT infrastructure.
The compromised data allegedly includes:
- Engineering designs for actuators, control valves, and IoT-enabled industrial components.
- Employee records containing personally identifiable information (PII), payroll data, and benefits documentation.
- Supply chain contracts with automotive and aerospace manufacturers across the EU.
The breach follows a December 2024 incident where SMC’s U.S. division suffered a data leak impacting 6,500 employees, exposing Social Security numbers, medical records, and bank details.
While SMC’s European subsidiary has not yet disclosed mitigation steps, the company’s 2025 Business Continuity Plan highlights investments in “disaster recovery systems to detect and counter cyberattacks”.
Qilin’s Modus Operandi
Qilin—a ransomware-as-a-service (RaaS) operation linked to Russian-speaking threat actors—has rapidly evolved since its emergence in 2022.
The group employs double extortion tactics, encrypting victim data while threatening to leak it unless ransom demands are met.
Technical analysis of prior attacks reveals:
- Initial Access: Exploitation of unpatched VPN vulnerabilities or stolen credentials lacking multi-factor authentication (MFA).
- Lateral Movement: Use of PowerShell scripts and compromised domain controllers to deploy Quasar RAT variants for credential harvesting.
- Data Exfiltration: Transfer over encrypted channels to bulletproof hosting providers, often followed by auctioning of the datasets on dark web forums.
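
The detection side of this chain, as an added example (not code from the original report, SMC or any vendor named here): the script correlates VPN logins that completed without MFA with the volume sent to external addresses in the hours that follow. All field names, addresses, the time window, the byte threshold and the log records are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not from any product.
VPN_LOGINS = [
    {"ts": "2025-03-01T02:14:00", "user": "svc-backup", "mfa": False, "tunnel_ip": "10.8.0.23"},
    {"ts": "2025-03-01T08:30:00", "user": "a.meyer", "mfa": True, "tunnel_ip": "10.8.0.41"},
    {"ts": "2025-03-01T09:05:00", "user": "j.ruiz", "mfa": False, "tunnel_ip": "10.8.0.57"},
]
FLOWS = [  # (timestamp, source, destination, bytes sent), also constructed
    ("2025-03-01T02:40:00", "10.8.0.23", "10.1.4.10", 900_000_000),        # internal
    ("2025-03-01T03:10:00", "10.8.0.23", "203.0.113.77", 40_000_000_000),
    ("2025-03-01T04:55:00", "10.8.0.23", "203.0.113.77", 35_000_000_000),
    ("2025-03-01T09:00:00", "10.8.0.41", "198.51.100.9", 60_000_000_000),  # MFA session
    ("2025-03-01T09:30:00", "10.8.0.57", "198.51.100.20", 12_000_000),
    ("2025-03-02T10:00:00", "10.8.0.23", "203.0.113.77", 50_000_000_000),  # after window
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
WINDOW = timedelta(hours=6)                    # assumed look-ahead after login
THRESHOLD = 50_000_000_000                     # assumed alert level: 50 GB outbound


def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL


def flag_sessions(logins, flows, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for non-MFA VPN sessions followed by heavy external upload."""
    alerts = []
    for login in logins:
        if login["mfa"]:
            continue  # only sessions authenticated without a second factor
        start = datetime.fromisoformat(login["ts"])
        per_dst = {}
        for ts, src, dst, sent in flows:
            when = datetime.fromisoformat(ts)
            in_window = start <= when <= start + window
            if src == login["tunnel_ip"] and is_external(dst) and in_window:
                per_dst[dst] = per_dst.get(dst, 0) + sent
        total = sum(per_dst.values())
        if total >= threshold:
            alerts.append({"user": login["user"], "bytes_out": total,
                           "destinations": sorted(per_dst)})
    return alerts


if __name__ == "__main__":
    for alert in flag_sessions(VPN_LOGINS, FLOWS):
        print(alert)
```
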
Qilin’s recent victims include the UK’s National Health Service (NHS), Ukrainian government agencies, and U.S. municipal IT systems, with damages exceeding $35 million in one case.
Technical Implications for Industrial Cybersecurity
The breach underscores systemic vulnerabilities in operational technology (OT) environments:
- Legacy Device Risks: SMC’s European branch employs PLCs (Programmable Logic Controllers) and IoT sensors vulnerable to FrostyGoop-style malware, which can manipulate industrial parameters.
- Third-Party Exposure: Attacks on SMC’s supply chain mirror the 2024 Ticketmaster breach, in which AWS instances compromised through a managed service provider led to the leak of 560 million records.
- Geopolitical Motivations: Qilin’s focus on EU-based industrial targets aligns with heightened activity by VOLTZITE and Sandworm threat groups, which target energy and defense sectors.
Response and Industry Reactions
SMC has engaged third-party forensic experts and notified EU data protection authorities under GDPR mandates.
The company is reportedly negotiating with Qilin to prevent data publication, though no ransom amount has been disclosed.
Cybersecurity firms like Dragos warn that paying ransoms funds further attacks, citing BAUXITE threat group’s recent botnet rebuild targeting energy grids.
Expert Analysis:
- “Qilin’s use of MeshAgent and custom RATs demonstrates advanced persistence mechanisms. Organizations must prioritize network segmentation and real-time traffic analysis,” said a Dragos spokesperson.
- The U.S. CISA has reiterated alerts about Salt Typhoon, a China-aligned group targeting telecoms, emphasizing shared TTPs (Tactics, Techniques, Procedures) with Qilin.
Broader Context
This breach occurs amid a 40% YoY increase in ransomware attacks on manufacturing, per IBM’s 2025 Threat Intelligence Index.
The EU Agency for Cybersecurity (ENISA) has proposed stricter penalties for critical infrastructure operators failing to adopt zero-trust architectures or patch known CVEs like CVE-2024-21917 (Rockwell Automation).
SMC’s stock fell 3.2% on the Tokyo Exchange following the disclosure, reflecting investor concerns over operational disruptions.
The company’s prior $35 million expenditure on breach remediation in 2024 highlights the escalating cost of cyber resilience in OT ecosystems.