French submarine builder’s documents leak: A case of hacking for economic espionage?

DCNS, a French submarine builder, has allegedly been hacked—potentially for economic espionage reasons—and 22,400 pages of “secret” documents pertaining to its Scorpene-class submarine have been leaked.

The Australian published redacted portions of the leaked documents, claiming to have seen thousands of pages outlining highly sensitive details about systems, sensors, specifications, tech manuals, stealth capabilities, antennae models, electromagnetic and infrared data, conditions under which the periscope can be used and more. The leaked documents reportedly detail “the entire secret combat capability of the six Scorpene-class submarines that French shipbuilder DCNS has designed for the Indian Navy.”

DCNS confirmed the “serious leak,” adding that an investigation has been launched.

The Financial Times reported the “breach sparked immediate concerns in India that regional rivals China and Pakistan could have gained access to the trove of information.” That “same class of vessel is also used by Malaysia, Chile and soon Brazil.”

Just this year, Australia ordered 12 submarines from DCNS. ZDNet reported that “the Australian government has said a leak of secret documents has ‘no bearing’ on” the “DCNS’ build of the country’s AU$50 billion submarine fleet.”

The story seems to be hopping all over the place. For example, in one article, Indian Defense Minister Manohar Parrikar is quoted by Reuters as saying, “I understand there has been a case of hacking. We will find out what has happened.”

“If it’s 22,400 pages, it’s a major stuff-up,” added an unnamed Australian political source. “It’s a huge deal. It allows them to understand everything about the submarines. What speeds it can do, how noisy it is, what speeds the mast can be raised at … all of that is just devastating.”

In a different article, DCNS told Reuters it “could not rule out that leaked documents on submarines built for India were part of an ‘economic war’ by competitors after the firm won a tender in Australia earlier this year.”

Yet another source, who wished to rename anonymous, later told Reuters, “It seems to be sensitive information but appears neither critical nor confidential.”

According to The Australian:

The data on the Scorpene was written in France for India in 2011 and is suspected of being removed from France in that same year by a former French Navy officer who was at that time a DCNS subcontractor.

The data is then believed to have been taken to a company in Southeast Asia, possibly to assist in a commercial venture for a regional navy. It was subsequently passed by a third party to a second company in the region before being sent on a data disk by regular mail to a company in Australia. It is unclear how widely the data has been shared in Asia or whether it has been obtained by foreign ­intelligence agencies.

Some of the leaked confidential documents talk about other possible sales to Chile and Russia. Those projects “have no link to India, which adds weight to the probability that the data files were removed from DCNS in France.”

Tod Beardsley, Senior Research Manager at Rapid7, said:

The leak of DCNS’s data is another proof point that it’s incredibly difficult to keep critical intellectual property safe and secure in today’s world of highly interconnected global manufacturing. Though most companies aren’t handling highly sensitive details regarding military capabilities, we all are operating in an aggressive environment populated by sophisticated attackers with skillsets and capabilities once reserved for international super spies.