NATO Contractor Indra Group Hit by Ransomware: Hackers Threaten Data Leak in 9 Days
A ransomware group has claimed responsibility for a cyberattack targeting a subsidiary of Indra Group, a major defense and technology firm with ties to NATO. The attackers, identified as The Gentlemen, have set a nine-day deadline for the company to initiate contact before the allegedly stolen information is made public.
Indra’s Strategic Significance
Indra Group, based in Spain, is a leading provider of defense, aerospace, and technological solutions, serving governments, military organizations, and critical infrastructure operators globally. As the first Spanish entity to join NATO’s cyberdefence coalition, the company plays a pivotal role in securing defense systems and critical national assets.
Its services include identity management, cybersecurity frameworks, and infrastructure protection across energy, finance, telecommunications, and public administration sectors. The company’s operations span air traffic control systems, military simulation tools, and intelligent transportation networks, alongside a significant presence in satellite communications.
Following its 2025 acquisition of 90% of Spanish satellite operator Hispasat, Indra’s influence in space-based communication has grown substantially. With over 62,000 employees and €5 billion in annual revenue, the firm operates in more than 140 countries, making its compromise a potential threat to national security rather than a standard corporate breach.
The Gentlemen’s Operational Background
The Gentlemen, a recently emerged ransomware collective, traces its roots to ArmCorp, an affiliate of the Qilin ransomware program. The split from Qilin occurred in July 2025 after a dispute over unpaid commissions, as detailed in a public arbitration request filed by a threat actor known as “hastalamuerte.”
The group’s ransomware first appeared on VirusTotal on July 17, 2025, with its leak site URL embedded in the malware, suggesting premeditated separation from Qilin. The Gentlemen operates under a ransomware-as-a-service model, sharing profits with affiliates who deploy its tools. It has targeted 27 entities in Thailand, with additional victims in the United States, France, and Brazil.
The group’s methods and infrastructure indicate a structured approach to cyber extortion.
Implications and Next Steps
The discrepancy between the attackers’ claims and Indra’s internal assessment creates uncertainty about the breach’s scope. While the company reports an ongoing investigation and security review, the inclusion of its name on The Gentlemen’s leak site suggests at least partial data exfiltration.
For a firm deeply involved in European defense partnerships, including a 2026 memorandum with Italy’s Leonardo and cybersecurity collaborations with Telefónica, the incident carries significant reputational risks. The outcome hinges on Indra’s transparency and the validity of the data leak threat.
If the breach proves extensive, it could undermine trust in the company’s ability to safeguard critical systems. The next nine days will determine whether this incident remains isolated or escalates into a broader crisis for one of Europe’s key defense technology providers.
