
August Threat Report: Qilin Attacks Inotiv & Nissan, NFCU Exposes 378TB


Casmer Labs is the internal threat research team within Cloud Storage Security. We monitor activity in cybersecurity, cloud security, and cloud data security. Our role is to document material incidents and explain where organizations are still exposed.

Qilin Ransomware Activity

In our Q2 threat report, Casmer Labs noted continued growth in financially motivated data theft and extortion operations, including ransomware as a service. We also noted that data theft against cloud storage and unmanaged data replicas continues to climb.

Qilin is an active ransomware as a service group. By mid-2025 the group had begun positioning itself as a full service operator, including negotiations and legal advice for victims. Qilin has expanded activity as several competing groups slowed or fractured, including RansomHub, LockBit, Everest, and BlackLock.

Two recent cases illustrate current impact:

  1. Inotiv Inc.

    In August 2025 Inotiv Inc., a pharmaceutical and biotech research organization, filed with the Securities and Exchange Commission and disclosed a cyber event. Qilin claimed responsibility and stated that it had disrupted systems and exfiltrated roughly one hundred seventy six gigabytes of research data collected over multiple years. Public reporting has not yet confirmed the initial access vector. Recovery costs for prior Qilin incidents have been estimated in the low millions of dollars.

  2. Nissan Creative Box Inc.

    On or around August 20, 2025, the Qilin group listed Nissan Creative Box Inc., a Tokyo-based design subsidiary of Nissan Motor Co., on its leak site. Nissan later confirmed unauthorized access to a Creative Box system.

Qilin claims that it exfiltrated more than four terabytes of internal design information including the following:

  • Three dimensional vehicle models and styling data

  • Design documents and internal reports

  • Photos, videos, and concept imagery

  • Financial records and planning material

Public reporting states that Qilin claims to have copied more than four hundred thousand files totaling about four terabytes. Nissan has not publicly disclosed full technical details of initial access.

In both cases Qilin focused on stealing high value internal data and threatening exposure. This reflects an ongoing shift where ransomware groups prioritize data theft and extortion over pure encryption. That shift increases risk for intellectual property, regulated data, and sensitive internal files stored in cloud environments and file shares.

Recommended Ransomware Defenses

Casmer Labs recommends that organizations address both file borne and so-called fileless ransomware activity. The following controls are widely recommended to reduce exposure and limit impact:

  1. Maintain a tested backup and recovery plan

    Keep reliable backups of critical systems and data. Store backups in protected locations with limited access. Scan backup images for known ransomware before restore.

  2. Apply timely patching and maintenance

    Keep operating systems, virtual infrastructure, storage systems, and applications current. Address known vulnerabilities in externally facing services and remote access paths as quickly as possible. Many ransomware intrusions still begin with unpatched public facing services.

  3. Train and prepare staff

    Provide regular training on phishing and social engineering. Focus on approval workflows, credential handling, and safe handling of unexpected file uploads and data sharing requests.

  4. Automate detection and response

    Use automated activity monitoring to watch for unusual access or data movement. Alert on large or unexpected transfers, rapid encryption style modification, or bulk copying of sensitive data. Block or isolate when these behaviors appear.

  5. Enforce least privilege

    Restrict who can access sensitive data and where that data can be copied. Eliminate shared administrative accounts and broad write access to storage that contains regulated or high value data.
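As an added example that is not part of the Casmer Labs post, the following Python script applies the alerting idea in step 4 (and the storage-layer monitoring discussed later in this post) to Amazon S3 server access logs. It tokenizes the standard space-delimited record layout, groups requests by requester, and raises an alert when one identity's downloads, bucket listings or deletions within a sliding window cross a threshold. The log lines, account ID, bucket name, identities and thresholds are all constructed for the example and are not from any real incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Column positions in the space-delimited S3 server access log format
# (bucket_owner bucket [time] remote_ip requester request_id operation key
#  "request_uri" http_status error_code bytes_sent object_size ...).
F_BUCKET, F_TIME, F_REQUESTER, F_OP, F_KEY, F_BYTES = 1, 2, 4, 6, 7, 11

# Hypothetical per-requester thresholds for one window; tune them to the
# bucket's normal traffic before relying on them.
THRESHOLDS = {"large_transfer": 1 << 30, "bulk_listing": 5, "mass_delete": 5}


def tokenize(line):
    """Split one log record, keeping [bracketed] and "quoted" fields whole."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == " ":
            i += 1
            continue
        if c in '"[':
            close = '"' if c == '"' else "]"
            j = line.index(close, i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_record(line):
    """Return the fields the detector needs, or None for an unusable line."""
    t = tokenize(line)
    if len(t) <= F_BYTES:
        return None
    return {
        "bucket": t[F_BUCKET],
        "time": datetime.strptime(t[F_TIME], "%d/%b/%Y:%H:%M:%S %z"),
        "requester": t[F_REQUESTER],
        "op": t[F_OP],
        "key": t[F_KEY],
        "bytes": 0 if t[F_BYTES] == "-" else int(t[F_BYTES]),
    }


def detect(lines, window=timedelta(minutes=10), thresholds=THRESHOLDS):
    """Return sorted (requester, rule) pairs whose activity crossed a threshold."""
    by_requester = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        by_requester[rec["requester"]].append(rec)
    alerts = set()
    for requester, recs in by_requester.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start so the window never exceeds `window`.
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            win = recs[start:end + 1]
            got = sum(r["bytes"] for r in win if r["op"] == "REST.GET.OBJECT")
            lists = sum(1 for r in win if r["op"] == "REST.GET.BUCKET")
            dels = len({r["key"] for r in win if r["op"] == "REST.DELETE.OBJECT"})
            if got > thresholds["large_transfer"]:
                alerts.add((requester, "large_transfer"))
            if lists >= thresholds["bulk_listing"]:
                alerts.add((requester, "bulk_listing"))
            if dels >= thresholds["mass_delete"]:
                alerts.add((requester, "mass_delete"))
    return sorted(alerts)


def _record(minute, requester, op, key, nbytes):
    """Build one constructed log line in the S3 server access log layout."""
    size = "-" if nbytes == 0 else str(nbytes)
    uri = "GET /?list-type=2 HTTP/1.1" if key == "-" else f"GET /{key} HTTP/1.1"
    return (
        f"OWNERCANONICALIDEXAMPLE design-archive-example "
        f"[20/Aug/2025:09:{minute:02d}:00 +0000] 192.0.2.10 {requester} "
        f'REQIDEXAMPLE {op} {key} "{uri}" 200 - {size} {size} 12 11 "-" '
        f'"aws-cli/2.15.0" - HOSTIDEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 '
        f"AuthHeader design-archive-example.s3.amazonaws.com TLSv1.2 - -"
    )


# Constructed identities (account ID 111122223333 is a placeholder).
ANALYST = "arn:aws:iam::111122223333:user/analyst"
SESSION = "arn:aws:sts::111122223333:assumed-role/contractor/s1"
BUILD = "arn:aws:iam::111122223333:role/build-pipeline"

# Constructed sample: five 300 MiB downloads, six bucket listings, one small read.
SAMPLE_LINES = (
    [_record(m, ANALYST, "REST.GET.OBJECT", f"models/car-{m}.fbx", 300 * 1024 * 1024)
     for m in range(1, 6)]
    + [_record(m, SESSION, "REST.GET.BUCKET", "-", 0) for m in range(0, 6)]
    + [_record(30, BUILD, "REST.GET.OBJECT", "build/manifest.json", 4096)]
)

if __name__ == "__main__":
    for requester, rule in detect(SAMPLE_LINES):
        print(f"ALERT {rule}: {requester}")
```

Running the script prints a large_transfer alert for the analyst user and a bulk_listing alert for the assumed-role session, and nothing for the build pipeline. The same structure applies to CloudTrail data events; only the parser changes.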

Another Major Misconfiguration Incident

On September 2 and 3, 2025, multiple outlets reported that Navy Federal Credit Union, the world's largest credit union, exposed backup data through a misconfigured and publicly accessible Amazon S3 bucket. Navy Federal Credit Union primarily serves United States military members, veterans, and their families.

Investigators reported that an unsecured S3 bucket revealed internal backup files totaling roughly three hundred seventy eight gigabytes. The exposed data reportedly included:

  • Usernames and email addresses

  • Hashed passwords

  • Encryption keys

  • Internal documents including financial reports, operational playbooks, and system information

  • Configuration and performance data from internal systems and analytics platforms

Reports indicated that no plaintext member account data, such as full account balances or unredacted personally identifiable member data, was identified in the exposed backup set. Navy Federal Credit Union stated that public access to the bucket was removed after discovery.

Even when customer data is not directly exposed, incidents like this matter. Internal usernames, internal email formats, execution playbooks, and operational runbooks all increase the quality of social engineering and phishing. Attackers can use that information to impersonate internal staff, reference internal systems by name, and pressure targets with realistic sounding language.

This exposure follows other financial sector cases in 2025 where publicly accessible Amazon S3 buckets or other cloud object storage resources were left open and contained sensitive operational data. Misconfigured storage continues to be one of the most common causes of large scale cloud data exposure.

What Organizations Should Do Now

  1. Restrict public access to cloud storage

    Enforce Amazon S3 Block Public Access at the account and bucket level unless there is a documented and temporary exception. Review bucket policies, access control lists, and identity and access management permissions that allow read access to any principal. Treat public read access to storage as an exception with an owner and an expiration, not a normal state.

  2. Maintain a continuous inventory of cloud storage

    Keep a current inventory of all S3 buckets, EBS snapshots, EFS file systems, FSx file systems, Glacier vaults, and similar cloud storage across every account and region. Track owner, business purpose, data sensitivity, last activity, encryption status, and whether that storage is externally exposed. This is basic data security posture management for cloud storage. Without this inventory, security teams often first learn about a bucket from an external report.

  3. Classify sensitive data

    Identify which storage locations hold sensitive or regulated data such as financial records, customer PII, credentials, design files, or internal operational playbooks. Apply tighter access control, logging, and review expectations to those locations. Avoid placing regulated or high value data into temporary or partner transfer buckets without first hardening access.

  4. Monitor activity in storage

    Capture object level access logs for sensitive storage locations. Alert on bulk listing, large transfers, unusual read activity from unfamiliar identities, and deletion or encryption style behavior. This is critical for detecting data exfiltration, insider misuse, and ransomware staging at the storage layer.

  5. Continuously assess storage posture

    Continuously evaluate storage for public exposure, broad cross account access, missing encryption, missing logging, weak retention and immutability settings, and similar posture gaps. Detect configuration drift. For example, a bucket that was private last week and public this week should trigger an alert. Extend these posture checks to vendor and partner controlled storage, not just internal accounts.
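The posture checks in steps 1, 2 and 5 can be expressed as a small evaluator over an inventory snapshot. The following Python is an added example, not DataDefender code or an AWS tool. It takes bucket records in the shape that the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy APIs return (here constructed by hand rather than collected with boto3), reports findings such as an effective public policy, cross account access or missing logging, and compares two weekly snapshots to flag a bucket that drifted from private to public or that was never inventoried. Account IDs, bucket names and the partner principal are placeholders.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _principal_accounts(principal):
    """Account IDs named by an AWS principal (ARN or bare account ID)."""
    if not isinstance(principal, dict):
        return set()
    aws = principal.get("AWS", [])
    accounts = set()
    for p in ([aws] if isinstance(aws, str) else aws):
        if p == "*":
            continue
        parts = p.split(":")
        accounts.add(parts[4] if len(parts) > 4 else p)
    return accounts


def policy_findings(policy_json, owner_account):
    """Return (grants_public_access, set_of_foreign_account_ids) for a policy."""
    public, foreign = False, set()
    if not policy_json:
        return public, foreign
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        # An unconditioned Allow to everyone is public; a Condition may still
        # narrow it, so conditioned statements are left for manual review.
        if _principal_is_anyone(principal) and not s.get("Condition"):
            public = True
        foreign |= {a for a in _principal_accounts(principal) if a != owner_account}
    return public, foreign


def assess(bucket):
    """Sorted posture findings for one inventory record."""
    findings = set()
    bpa = bucket.get("public_access_block") or {}
    if not all(bpa.get(k) for k in BPA_KEYS):
        findings.add("block_public_access_incomplete")
    acl_public = any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
                     for g in bucket.get("acl_grants", []))
    # IgnorePublicAcls neutralises a public ACL; RestrictPublicBuckets
    # neutralises a public bucket policy. Only the effective exposure is reported.
    if acl_public and not bpa.get("IgnorePublicAcls"):
        findings.add("public_acl")
    policy_public, foreign = policy_findings(bucket.get("policy"), bucket["owner_account"])
    if policy_public and not bpa.get("RestrictPublicBuckets"):
        findings.add("public_policy")
    if foreign:
        findings.add("cross_account_access")
    if not bucket.get("default_encryption"):
        findings.add("no_default_encryption")
    if not bucket.get("access_logging"):
        findings.add("no_access_logging")
    return sorted(findings)


def is_public(bucket):
    return bool({"public_acl", "public_policy"} & set(assess(bucket)))


def drift(previous, current):
    """Buckets that became public since the last snapshot, or were never inventoried."""
    events = []
    for name, bucket in current.items():
        if name not in previous:
            events.append((name, "new_untracked_bucket"))
        elif not is_public(previous[name]) and is_public(bucket):
            events.append((name, "became_public"))
    return sorted(events)


# Constructed inventory snapshots (account IDs and names are placeholders).
OWNER = "111122223333"
PRIVATE_BPA = {k: True for k in BPA_KEYS}
OPEN_BPA = {k: False for k in BPA_KEYS}
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::backup-archive-example/*"}]})
PARTNER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::design-share-example", "arn:aws:s3:::design-share-example/*"]}]})


def _bucket(name, bpa, policy=None, grants=(), logging=True, encryption=True):
    return {"name": name, "owner_account": OWNER, "public_access_block": bpa,
            "policy": policy, "acl_grants": list(grants),
            "access_logging": logging, "default_encryption": encryption}


LAST_WEEK = {
    "backup-archive-example": _bucket("backup-archive-example", PRIVATE_BPA),
    "design-share-example": _bucket("design-share-example", PRIVATE_BPA, PARTNER_POLICY, logging=False),
}
THIS_WEEK = {
    "backup-archive-example": _bucket("backup-archive-example", OPEN_BPA, PUBLIC_READ_POLICY),
    "design-share-example": LAST_WEEK["design-share-example"],
    "tmp-partner-upload-example": _bucket("tmp-partner-upload-example", OPEN_BPA,
        grants=[{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]),
}

if __name__ == "__main__":
    for name, bucket in THIS_WEEK.items():
        print(name, assess(bucket))
    print("drift:", drift(LAST_WEEK, THIS_WEEK))
```

In a real deployment the snapshot records would be collected per account and region on a schedule, and the drift output would feed the alerting pipeline; the point of the example is that "private last week, public this week" is a concrete comparison of two stored evaluations, not a judgement call.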

How DataDefender Helps

DataDefender by Cloud Storage Security focuses on activity monitoring and data security posture management for cloud storage. DataDefender is designed to help security teams and compliance teams govern data at the storage layer in Amazon Web Services.

DataDefender provides:

  1. Inventory and ownership

    DataDefender maintains a live inventory of storage resources across connected AWS accounts including Amazon S3, EBS snapshots, EFS file systems, FSx file systems, and Glacier vaults. The inventory includes owner, business purpose, exposure status, encryption state, recent activity, and other context that is difficult to maintain manually. This shortens the time needed to answer where sensitive data is stored and who is responsible for it.

  2. Classification of sensitive data

    DataDefender helps identify storage locations that contain sensitive or regulated data such as customer PII, financial records, intellectual property, or internal operational documentation. This supports prioritization. High risk storage can be locked down first.

  3. Activity monitoring

    DataDefender records which identities accessed which objects and when. It highlights unusual or bulk access such as large transfers or access from unfamiliar identities. This supports investigation of data exfiltration, insider misuse, or ransomware style staging behavior in cloud storage.

  4. Continuous posture checks

    DataDefender continuously evaluates storage posture and checks for publicly accessible S3 buckets, overly permissive access control lists, broad cross account access, insecure snapshots, missing encryption, weak retention controls, and lack of immutability. The goal is to surface misconfigurations before they become public exposure events.

  5. Audit evidence

    DataDefender links actor, time, and object level access. During an incident this helps answer when a bucket became exposed, which identities accessed which objects, in what volume, and when access was removed. That evidence supports legal reporting, customer notifications, and regulatory response.

About Cloud Storage Security

Cloud Storage Security protects the storage layer in the cloud. DataDefender is a storage focused data security posture management and activity monitoring platform. It is designed to help organizations detect ransomware behavior, data exfiltration, and insider misuse inside cloud storage and to maintain continuous visibility and control over cloud storage security posture.

Cloud Storage Security also provides Antivirus for Cloud Storage. Antivirus for Cloud Storage is an in-tenant, multi-engine malware scanning capability for object storage. It is designed to identify known malicious files including ransomware tooling before those files are widely distributed.

Sign up at signup.datadefender.io


Cloud Storage Security’s cloud antivirus solution is also available in AWS Marketplace with a 30-day free trial.
