UK Cybercrime Journal: Arup Group Breached by FulcrumSec
What Happened:
- On 10 May 2026, the UK-based firm Arup Group was listed as a victim on the Tor data leak site of FulcrumSec.
- On their Tor data leak site, FulcrumSec stated that they have exposed 700GB of GitHub repositories and 2TB of Azure and AWS S3 cloud storage, plus database backups.
- Other types of data the adversary claims to have stolen include Neuron BMS client databases, Odoo ERP data, A66 landowner files, Apple code-signing certificates with plaintext passwords, a Google Cloud Platform (GCP) project with production payment gateway credentials, and the source code of ArupCompute and Oasys.
- The FulcrumSec operators also claimed to have spent over half a year analysing the data and to have exchanged “email correspondence” with the company before publishing the stolen data.
- On the victim post, FulcrumSec wrote a detailed incident breakdown. In it, they stated they gained initial access in September 2025 via a GitHub personal access token found hardcoded in a JavaScript file on a forgotten subdomain, which provided access to over 10,000 private GitHub repositories belonging to Arup Group.
- From there, they scanned the repositories and found additional hardcoded tokens, API keys, and passwords for AWS, Azure, and databases.
- The adversary stated that Arup detected the GitHub and Azure Storage intrusions approximately six weeks after they happened and rotated the credentials, but by then it was too late, as the data had already been exfiltrated.
- FulcrumSec also stated they pivoted into the AWS infrastructure using keys they had found belonging to Arup’s subsidiary Neuron.
- FulcrumSec allegedly waited until April 2026 to contact their victim, Arup Group, due to the time it took to analyse the vast amounts of stolen data.
- Impacted client organisations of Arup Group were also mentioned in the post, such as Disney and several other Hong Kong companies. The adversary reportedly uncovered Amazon data center seismic fragility data, British Petroleum (BP) site selection coordinates, and Queensferry Crossing internal documents as well.
- Critically for the UK, the breached data exposed up to 62 HS2-related GitHub repositories. These contained Euston Station pile design files, ground movement assessments, over 14,000 sensor monitoring records, 48 archaeological site GPS coordinates (including Jones Hill Wood, a sensitive site for environmentalists), as well as confidential documents.
Analyst Comment:
Arup Group is a large multinational architectural design and engineering firm based in London that has been involved in constructing the Wembley Football Stadium in London, the HS1 Channel Tunnel Rail Link network, and the Eden Project in Cornwall, among other significant international construction projects.
Active since September 2025, FulcrumSec is a financially motivated data-theft-extortion group that specialises in rapid exfiltration of cloud-hosted databases by exploiting unrotated API keys and misconfigured cloud permissions.
This attack was noteworthy due to its highly targeted nature. FulcrumSec claimed they had access to Arup Group’s data for seven months, and they clearly invested significant time in analysing the documents and spent weeks negotiating over email. To obtain initial access, they would also have had to spend time enumerating Arup’s domains and Internet-facing assets before eventually finding a single leaked credential to exploit. These types of targeted intrusions typically only happen to large companies: for the intrusion to be worth the cybercriminal’s time, effort, and risk to their freedom, they will want a large ransom payment that only wealthy companies can typically afford.
FulcrumSec is an adversary worth monitoring due to the effort they put into their intrusions compared to other smash-and-grab ransomware campaigns. In October 2025, in a case documented by VX-Underground, FulcrumSec emailed detailed information about a breach they conducted with the aim of getting those details published and exerting additional pressure on the victim.
Interestingly, FulcrumSec said the ransom they demanded was less than 1% of Arup’s annual revenue and less than the amount Arup lost to deepfake fraudsters. This refers to Arup reportedly losing over £20 million in 2024 after one of their Hong Kong employees was duped into sending cash to cybercriminals using an AI-generated video call. The fact that Arup became publicly known for falling victim to a large scam potentially contributed to the adversary’s decision to select them as the target of this attack.
Defensive Takeaways:
- Asset Inventory and Shadow IT Audits: Identifying outdated or unused domains that may still host hardcoded credentials is standard best practice. All organisations must have processes in place to catalogue and retire systems to avoid incidents like this.
- Hardcoded Credentials in Code: The way FulcrumSec gained access demonstrates the importance of keeping secrets in environment variables rather than in source files, and of using features like GitHub Secret Scanning.
- Implement Incident Response Procedures: Importantly, Arup detected the activity too late, and it took a staggering six weeks to rotate credentials (according to the adversary). This shows why automated systems that check for unauthorised usage and can reset tokens and accounts are crucial to responding to such attacks.
- GitHub Activity Monitoring: The adversary claimed they were able to clone thousands of GitHub repositories containing sensitive data without being detected. These activities can be monitored and detected through GitHub audit logs. It is also important to have a plan in place for when suspicious activity is detected.
- Third-Party Risk Management Programs: This incident also had notable downstream impact. It shows why client organisations of another company’s services need to know what data, and how much of it, is stored by third parties for when such breaches occur. Knowing what is potentially exposed will streamline the response to the incident.
- Deception Tech: Arup could have implemented booby traps for the adversary, such as CanaryTokens inside sensitive documents. As the adversary spent time analysing Arup’s documents before contacting them, opening a booby-trapped document could have revealed the incident much earlier and reduced the damage.
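As an added illustration of the GitHub Activity Monitoring takeaway above (example code written for this journal, not Arup's or GitHub's own tooling), the following script runs over GitHub audit-log events and flags any actor that clones an unusual number of distinct repositories within a sliding time window. The sample events are constructed, and the field names (@timestamp in epoch milliseconds, action, actor, repo) are assumed to approximate the audit-log JSON export; adjust them to match your own export.

```python
"""Flag actors that clone many distinct repositories in a short window.

Input: one JSON audit-log event per line. Field names are an assumption
approximating GitHub's audit-log export; adapt to your export format.
"""
import json
from collections import defaultdict


def make_sample_log() -> str:
    """Constructed sample: a CI account re-cloning one repo (normal) and a
    single token-bound account cloning 40 private repos in under four minutes."""
    base = 1_757_000_000_000  # constructed epoch-millisecond start time
    events = [
        {"@timestamp": base, "action": "git.clone", "actor": "svc-ci", "repo": "example-org/build-tools"},
        {"@timestamp": base + 60_000, "action": "git.clone", "actor": "svc-ci", "repo": "example-org/build-tools"},
        {"@timestamp": base + 120_000, "action": "repo.create", "actor": "dev-alice", "repo": "example-org/new-app"},
    ]
    for i in range(40):
        events.append({"@timestamp": base + 300_000 + i * 5_000, "action": "git.clone",
                       "actor": "token-user", "repo": f"example-org/private-repo-{i}"})
    return "\n".join(json.dumps(e) for e in events)


def detect_mass_clone(log_text: str, window_minutes: int = 60, threshold: int = 25) -> list:
    """Return (actor, distinct_repo_count, window_start_ms) for every actor that
    cloned more than `threshold` distinct repos inside any `window_minutes` window."""
    per_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("action") != "git.clone":  # only clone events matter here
            continue
        per_actor[ev["actor"]].append((int(ev["@timestamp"]), ev["repo"]))

    window_ms = window_minutes * 60_000
    alerts = []
    for actor, clones in per_actor.items():
        clones.sort()  # chronological order so each event can start a window
        for i, (start, _) in enumerate(clones):
            repos = {r for t, r in clones[i:] if t - start <= window_ms}
            if len(repos) > threshold:
                alerts.append((actor, len(repos), start))
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for actor, count, start in detect_mass_clone(make_sample_log()):
        print(f"ALERT: {actor} cloned {count} distinct repos starting at {start}")
```

Tune the threshold and window to your organisation's normal CI and developer behaviour so that legitimate bulk operations do not page the on-call engineer.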
Relevant Sources:
- https://x.com/darkwebinformer/status/2053281385582891437
- https://www.ransomware.live/id/QXJ1cCBHcm91cEBmdWxjcnVtc2Vj
- https://en.wikipedia.org/wiki/Arup_Group
- https://www.theguardian.com/technology/article/2024/may/17/uk-engineering-arup-deepfake-scam-hong-kong-ai-video
Relevant CTI Resources: