A ransomware group known as The Gentlemen has claimed responsibility for a cyberattack against Indra Group, listing the Spanish multinational and NATO contractor as a victim on its dark web leak site. The gang’s post, published on June 30, states that Indra has approximately nine days from that date to begin communication before the allegedly stolen data is published, a common pressure tactic ransomware groups use to push victims toward negotiation or payment. So far, the exact nature and volume of the data involved remains unknown, and the claim has not been independently verified.
Indra’s own account of events, reported in Spanish outlet El Economista, strikes a notably more measured tone than the attackers’ framing. The company confirmed that one of its subsidiaries was targeted in a ransomware attack, but said it has guaranteed the security and continuity of its services. According to Indra, its Computer Security Incident Response Team activated internal protocols for analysis, verification, and security review immediately upon detection, and the company has since assessed that the attack was localised, with the risk of spread across the wider group’s subsidiaries ruled out. An investigation and a broader audit of security procedures and controls remain ongoing.
Why Indra Is a High-Value Target
The scale and sensitivity of Indra’s operations explain why an attack on the company carries weight well beyond a typical corporate breach. Headquartered in Spain, Indra is one of Europe’s largest defence, aerospace, and technology companies, supplying critical systems to governments, militaries, and operators of essential infrastructure worldwide. It holds the distinction of being the first Spanish company to join NATO’s cyberdefence coalition, and it separately supplies identity management and cybersecurity solutions protecting sectors including energy, finance, telecommunications, and public administration.
The company’s footprint extends into some of the most sensitive corners of critical infrastructure. Indra is a global supplier of air traffic management technology, developing both civil and military systems including surveillance radars, flight data processing platforms, and military simulation systems, and it also builds intelligent transportation systems used to manage roads, railways, and other mobility infrastructure. Its space business expanded significantly in 2025 after the company acquired approximately 90 per cent of Spanish satellite operator Hispasat, deepening its role in satellite communications. With more than 62,000 employees and annual revenues reaching €5 billion across operations in over 140 countries, Indra sits squarely among the companies whose compromise could carry consequences extending into national security territory, not merely commercial disruption.
Who Are The Gentlemen
The group behind the claim is a relatively new entrant to the ransomware landscape, though its origins trace back through an established criminal lineage. According to security firm Halcyon, The Gentlemen originated as ArmCorp, an affiliate cluster of roughly 20 members operating under the established Qilin ransomware programme. The split from Qilin was triggered by a payment dispute on July 2, 2025, when a threat actor using the handle “hastalamuerte” filed a public arbitration complaint on the RAMP underground forum, alleging Qilin owed the group roughly $48,000 in unpaid commission.
Notably, the first sample of Gentlemen ransomware appeared on VirusTotal on July 17, 2025, five days before that public dispute was filed, with the group’s leak site URL already hardcoded into the binary. This timeline indicates the split from Qilin was premeditated and already underway before the dispute became public. The group operates on a ransomware-as-a-service model, splitting revenue with affiliates who deploy its infrastructure against victims, and has already built a substantial track record, with Thailand its most targeted country to date at 27 victims, followed by the United States, France, and Brazil.
What Happens Next
The gap between the attackers’ framing and Indra’s own account is the central tension now shaping how this incident will be read. If the breach was genuinely as minimal and contained as Indra describes, the nine-day countdown may prove to be a pressure tactic with limited underlying substance. But ransomware groups typically do not name organisations on leak sites without possessing at least some verified stolen material, and Indra’s stated ongoing investigation and security audit suggest the company itself has not yet reached full certainty about the scope of what may have been accessed.
For a company whose business is built substantially on providing cyberdefence capabilities to European governments and NATO members, and which has been actively expanding its defence-sector partnerships, including a February 2026 memorandum of understanding with Italy’s Leonardo and reported discussions with Telefónica on a cybersecurity consortium, the reputational stakes of this incident extend well beyond the immediate technical breach. How Indra communicates over the coming nine days, and whether the promised data leak materialises, will likely determine whether this becomes a contained incident or a significant test of confidence in one of Europe’s most trusted defence technology suppliers.
