Cybersecurity

Key Takeaways

  • Confirmed Intrusion, Disputed Scope: TKMS/Atlas Elektronik confirmed a breach isolated to a North American subsidiary supporting U.S. military work, stating no security-relevant or sensitive military data was compromised. The attacker’s claim of 1TB+ of exfiltrated data remains unverified by independent forensics or government sources.
  • High-Value Defense Target: TKMS builds submarines and surface vessels for NATO navies, and Atlas Elektronik specializes in sonar and combat systems — raising the stakes if engineering or technical data proves to be genuinely exposed, though this has not been confirmed.
  • Established, Fast-Scaling Threat Actor: The Gentlemen is a financially motivated RaaS operation that has scaled to roughly 330–580 claimed victims across 70+ countries depending on tracker and date, making it the second-most-active ransomware group by victim count in 2026, behind Qilin.
  • Track Record of Disputed Claims: This group has previously advertised victims whose breach could not be independently confirmed, reinforcing the need to treat leak-site claims as unverified pending forensic review.

Incident Overview

The Gentlemen listed TKMS/Atlas Elektronik on its dark web leak site on June 28, 2026, claiming over 1TB of exfiltrated data. TKMS confirmed an intrusion but attributed it to an isolated North American subsidiary supporting U.S. military programs, stating the affected IT environment was segmented from the parent group and that no security-relevant or sensitive military information was compromised. As of this writing, no government, NATO body, or independent forensic firm has publicly confirmed the presence of classified or military-sensitive material in the leaked dataset.

Dataminr alert regarding the Gentlemen ransomware group claiming responsibility of the breach
Dataminr alert regarding the Gentlemen ransomware group claiming responsibility of the breach

However, on July 13th, the threat actors posted two new screenshots. These appear to depict legitimate technical documentation, or well-faked documentation, characterized by the following:

Image 1 (Scout MkII PCB Layout): The product exists—it is a side-scan sonar system manufactured by Marine Sonic Technology. However, this specific technical engineering drawing of the internal circuitry is marked explicitly as Proprietary and Confidential.

The Gentlemen ransomware group shares sample screenshots showing naval engineering documents and schematics allegedly stolen from Atlas Elektronik and TKMS. Source: Dataminr
The Gentlemen ransomware group shares sample screenshots showing naval engineering documents and schematics allegedly stolen from Atlas Elektronik and TKMS. Source: Dataminr

Image 2 (SeaFox Drone Technical Manual): The SeaFox I and SeaFox T are legitimate mine-disposal uncrewed underwater vehicles (UUVs) manufactured by Atlas Elektronik. While basic technical specifications and system overviews can be found on defense tracking sites, the complete, page-by-page technical operating manuals (as the image appears to be from) are marked Company Confidential and are strictly restricted.

The Gentlemen ransomware group shares sample screenshots showing naval engineering documents and schematics allegedly stolen from Atlas Elektronik and TKMS. Source: Dataminr
The Gentlemen ransomware group shares sample screenshots showing naval engineering documents and schematics allegedly stolen from Atlas Elektronik and TKMS. Source: Dataminr

Technical Details

The Gentlemen’s primary and best-documented initial-access vector is exploitation of CVE-2024-55591, a critical authentication bypass in Fortinet FortiOS/FortiProxy management interfaces (CVSS 9.8); researchers have identified an operator-maintained inventory of roughly 14,700 already-compromised FortiGate devices and nearly 1,000 validated brute-forced FortiGate VPN credentials. Leaked internal communications show the group actively evaluating two additional vulnerabilities as supplementary tooling: CVE-2025-32433, an unauthenticated RCE flaw in Erlang/OTP SSH server implementations (affecting Cisco and other vendor products that bundle Erlang/OTP), used for initial access; and CVE-2025-33073, a Windows SMB client vulnerability that allows an attacker to coerce NTLM reflection and escalate to SYSTEM-level privileges, used post-compromise for privilege escalation and lateral movement.
These two are documented as active operational interest in leaked chats rather than confirmed primary attack vectors. 

Where CVEs are unavailable, affiliates rely on brute-forced VPN/webmail credentials sourced from infostealer logs and public breach databases. The group’s encryptor is a cross-platform Go/C-based tool (Windows, Linux, NAS, BSD, ESXi) with self-propagation, EDR-evasion, and anti-forensic capabilities, deployed via a double-extortion model. No technical details specific to the TKMS/Atlas Elektronik intrusion vector have been publicly confirmed; the above reflects the group’s general TTPs, not verified specifics of this incident.

Threat Actor & Motivation

The Gentlemen emerged in mid-2025 as a splinter of the Qilin RaaS operation, founded by a Russian-speaking actor known by aliases including “hastalamuerte” and “zeta88,” following a July 2025 dispute over an alleged $48,000 in unpaid affiliate commission. The group operates a 90/10 affiliate-favorable revenue split — well above the industry-standard 70–80% — which has driven unusually fast affiliate recruitment and scaling. It is assessed by the bulk of vendor reporting  as a financially motivated criminal RaaS operation, not a state-directed actor.

Immediate Actions & Recommendations

  • Patch the confirmed primary vector: Prioritize patching CVE-2024-55591 on all internet-facing FortiOS/FortiProxy devices; treat any instance left unpatched during the exposure window as potentially already compromised, given the group’s large pre-built device inventory.
  • Patch secondary vectors: Confirm patch status for CVE-2025-32433 (Erlang/OTP SSH, including Cisco products bundling the affected library) and CVE-2025-33073 (Windows SMB client); enforce SMB signing domain-wide to close the reflection path used by the latter.
  • Review third-party/partner access paths: A documented technique in prior Gentlemen intrusions; audit and restrict lateral access through partner and supply-chain connections.
  • For organizations with a TKMS/Atlas Elektronik business relationship: Rotate credentials and review access logs for shared accounts/systems; increase vigilance against phishing leveraging exposed contract, personnel, or vendor-relationship data; confirm directly with TKMS/Atlas Elektronik whether your organization’s data was involved rather than relying on the leak site.
  • Monitor for developments: Watch for secondary leak-site updates or sample-data releases from this listing, which would materially change the confidence level of this assessment.

Read the 2026 Cyber Threat Landscape Report

In a time of increasing cyber threats and AI-driven attacks, security teams need actionable insights to drive a preemptive cyberdefense strategy. This report analyzes global risks and offers the intelligence needed for a proactive cybersecurity strategy.

Download Report
Author
Jeanette Miller-Osborn, Field Cyber Intelligence Officer
July 14, 2026
  • Cybersecurity
  • Cyber Risk
  • Intel Brief