Full Report
What Happened:
On 10 May 2026, the UK-based firm Arup Group was listed as a victim on the Tor data leak site of FulcrumSec. On that site, FulcrumSec stated that they had exposed 700GB of GitHub repos and 2TB of Azure and AWS S3 cloud storage, plus database backups. Other types of data the adversary claims to have stolen include Neuron BMS client databases, Odoo ERP data, A66 landowner files, Apple code-signing certificates with plaintext passwords, a Google Cloud Platform (GCP) project with production payment gateway credentials, and the source code of ArupCompute and Oasys. The FulcrumSec operators also claimed to have spent over half a year analysing the data and to have gone through "email correspondence" with the company before publishing the stolen data.

On the victim post, FulcrumSec wrote a detailed incident breakdown. In it, they stated they gained initial access in September 2025 via a GitHub personal access token found hardcoded in a JavaScript file on a forgotten subdomain, which provided access to over 10,000 private GitHub repositories belonging to Arup Group. From there, they scanned the repositories and found additional hardcoded tokens, API keys, and passwords for AWS, Azure, and databases. The adversary stated that Arup detected the GitHub and Azure Storage intrusions approximately six weeks after they happened and rotated the credentials, but by then it was too late, as the data had already been exfiltrated. FulcrumSec also stated they pivoted into the AWS infrastructure using keys they had found belonging to Arup's subsidiary Neuron. FulcrumSec allegedly waited until April 2026 to contact their victim, Arup Group, due to the time it took to analyse the vast amount of stolen data.

Impacted client organisations of Arup Group were also mentioned in the post, such as Disney and several other Hong Kong companies. The adversary reportedly uncovered Amazon data center seismic fragility data, British Petroleum (BP) site selection coordinates, and Queensferry Crossing internal documents as well. Critically for the UK, the breached data exposed up to 62 HS2-related GitHub repositories. This involved Euston Station pile design files, ground movement assessments, over 14,000 sensor monitoring records, 48 archaeological site GPS coordinates (including Jones Hill Wood, a sensitive site for environmentalists), as well as confidential documents.

Analyst Comment:
Arup Group is a large multinational architectural design and engineering firm based in London that has been involved in constructing the Wembley Football Stadium in London, the HS1 Channel Tunnel Rail Link network, and the Eden Project in Cornwall, among other significant international construction projects.

Active since September 2025, FulcrumSec is a financially motivated data-theft-extortion group that specialises in rapid exfiltration of cloud-hosted databases by exploiting unrotated API keys and misconfigured cloud permissions.

This attack was noteworthy due to its highly targeted nature. FulcrumSec claimed they had access to Arup Group's data for seven months; they clearly invested significant time in analysing the documents and spent weeks negotiating over email. To find initial access, they would also have had to spend time checking Arup's domains and Internet-facing assets before eventually finding a single leaked credential to exploit. These types of targeted intrusions often only happen to large companies: for the intrusion to be worth the cybercriminal's time, effort, and risk to their freedom, they will want a large ransom payment that only wealthy companies can typically afford. FulcrumSec is an adversary worth monitoring due to the effort they put into their intrusions compared to other smash-and-grab ransomware campaigns.

In October 2025, in a case documented by VX-Underground, FulcrumSec emailed detailed information about the breach they had conducted so that those details would be published and exert additional pressure on the victim. Interestingly, FulcrumSec said the ransom they demanded was less than 1% of Arup's annual revenue and less than the amount Arup lost to the deepfake fraudsters. This refers to Arup reportedly losing over £20 million in 2024 after one of their Hong Kong employees was duped into sending cash to cybercriminals using an AI-generated video call. The fact that Arup became publicly known for falling victim to a large scam potentially contributed to the adversary's decision to select and focus on them for this attack.

Defensive Takeaways:
Asset Inventory and Shadow IT Audits: Identifying outdated, unused domains that still carry hardcoded credentials is standard best practice. All organisations must have processes in place to catalogue and retire systems to avoid incidents like this.

Hardcoded Credentials in Code: The way FulcrumSec gained access demonstrates the importance of using secret environment variables and features like GitHub Secret Scanning.

Implement Incident Response Procedures: Importantly, Arup detected the activity too late, and it took them a staggering six weeks to rotate credentials (according to the adversary), which shows why having automated systems to check for unauthorised usage and to reset tokens and all accounts is crucial to responding to such attacks.

GitHub Activity Monitoring: The adversary claimed they were able to clone thousands of GitHub repositories containing sensitive data without being detected. These types of activities can be monitored and detected in GitHub Audit Logs. It's also important to have a plan in place for when suspicious activities are detected.

Third-Party Risk Management Programs: This incident also had some notable downstream impact. It shows why client organisations of another company's services need to know what data, and how much of it, is stored by third parties for when such breaches occur. Knowing what's potentially exposed will streamline the response to the incident.

Deception Tech: Arup could have implemented booby traps for the adversary, such as CanaryTokens inside sensitive documents. As the adversary spent time analysing Arup's documents before contacting them, had they opened a booby-trapped document the incident could have been detected much earlier and the damage reduced.

Relevant Sources:
https://x.com/darkwebinformer/status/2053281385582891437
https://www.ransomware.live/id/QXJ1cCBHcm91cEBmdWxjcnVtc2Vj
https://en.wikipedia.org/wiki/Arup_Group
https://www.theguardian.com/technology/article/2024/may/17/uk-engineering-arup-deepfake-scam-hong-kong-ai-video

Relevant CTI Resources:
https://www.ransomware.live/group/fulcrumsec
https://x.com/vxunderground/status/1975629199323853027
https://www.reddit.com/r/Scams/s/wfZ3Wp94mY
https://www.bleepingcomputer.com/news/security/lexisnexis-confirms-data-breach-as-hackers-leak-stolen-files/
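The "Hardcoded Credentials in Code" takeaway above describes the kind of leak that gave FulcrumSec its foothold: a token sitting in a JavaScript file. As an added illustration (not code from Arup, GitHub or the original report), the following Python scanner applies publicly documented token formats to a constructed JavaScript file and returns redacted findings; the Azure pattern, the file contents and every credential value in it are constructed assumptions.

```python
import re

# Assumption: token prefixes follow the formats GitHub and AWS publish for
# classic PATs, fine-grained PATs and access key IDs; the Azure pattern keys
# off the AccountKey= field of a storage connection string.
PATTERNS: dict[str, re.Pattern] = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
}

def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-leaking the value."""
    return secret[:8] + "..." + "*" * 4

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for each hardcoded
    secret found in `text`, e.g. a served JavaScript bundle or a config file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if pattern.groups else m.group(0)
                findings.append((lineno, name, redact(value)))
    return findings

# Constructed sample: a legacy build config of the kind an unretired
# subdomain might still serve. Every credential below is fake.
SAMPLE_JS = """// legacy build config (constructed sample)
const api = { baseUrl: "https://api.github.com" };
const GH_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuv0123";
const s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: process.env.AWS_SECRET,   // correct: read from environment
});
const blob = "DefaultEndpointsProtocol=https;AccountName=x;AccountKey=Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4==;";
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_JS):
        print(f"line {lineno}: {kind} -> {value}")
```

Running the same function over the files a web server actually serves from each inventoried subdomain turns the "Asset Inventory" takeaway into a repeatable check.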
Analysis Summary
# Incident Report: Extortion and Mass Cloud Data Exfiltration of Arup Group
## Executive Summary
Arup Group, a major UK-headquartered engineering firm, suffered a massive data breach involving the theft of 2.7TB of data by the FulcrumSec threat group. The breach originated from a hardcoded GitHub token on a forgotten subdomain, leading to the compromise of private repositories and cloud infrastructure. Despite rotating credentials six weeks after the initial intrusion, the firm could not prevent the exfiltration of sensitive project data, including HS2 design files and client information.
## Incident Details
- **Discovery Date:** Approximately October/November 2025 (Initial detection of GitHub/Azure intrusion)
- **Incident Date:** September 2025 – May 2026
- **Affected Organization:** Arup Group
- **Sector:** Architectural Design and Engineering
- **Geography:** United Kingdom (Global operations, notably Hong Kong)
## Timeline of Events
### Initial Access
- **Date/Time:** September 2025
- **Vector:** Leaked Credentials / Shadow IT
- **Details:** FulcrumSec discovered a GitHub personal access token (PAT) hardcoded within a JavaScript file hosted on a "forgotten" (legacy/unused) Arup subdomain.
### Lateral Movement
- **Sep - Oct 2025:** Attackers used the initial token to access over 10,000 private GitHub repositories.
- **Scanning:** Automated scanning of these repositories revealed secondary hardcoded credentials, including API keys and passwords for AWS, Azure, and various databases.
- **Subsidiary Pivot:** Attackers used keys found in the main repository to pivot into the AWS infrastructure of "Neuron," an Arup subsidiary.
### Data Exfiltration/Impact
- **Volume:** 700GB of GitHub repositories and 2TB of Azure/AWS S3 cloud data and database backups.
- **Sensitive Content:** Source code (ArupCompute, Oasys), Apple code-signing certificates with plaintext passwords, GCP production payment gateway credentials, and 62 HS2-related repositories.
- **Third-Party Data:** Seismic fragility data (Amazon), site selection coordinates (BP), and internal documents for Queensferry Crossing and Disney.
### Detection & Response
- **Detection:** Arup detected the intrusion into GitHub and Azure approximately six weeks after it began (roughly late October 2025).
- **April 2026:** FulcrumSec contacted Arup to begin extortion negotiations after analyzing the data for several months.
- **10 May 2026:** FulcrumSec listed Arup Group on their Tor leak site after negotiations failed.
## Attack Methodology
- **Initial Access:** Exploitation of hardcoded credentials on an exposed, forgotten subdomain.
- **Persistence:** Utilization of valid, long-lived API keys and tokens found in source code.
- **Privilege Escalation:** Harvesting high-level credentials (secret keys/passwords) from configuration files and code.
- **Defense Evasion:** Use of legitimate credentials to mimic authorized user behavior in cloud environments.
- **Credential Access:** Secret scanning of internal repositories for AWS/Azure/GCP keys and DB passwords.
- **Discovery:** Cloud infrastructure discovery and "email correspondence" analysis over a seven-month period.
- **Lateral Movement:** Pivoting between parent and subsidiary (Neuron) cloud environments using discovered keys.
- **Collection:** Gathering data from Azure Storage, AWS S3 buckets, and GitHub.
- **Exfiltration:** Rapid exfiltration of cloud databases and source code.
- **Impact:** Financial extortion and public data leak.
## Impact Assessment
- **Financial:** Multi-million pound ransom demand (specified as <1% of annual revenue); high remediation costs.
- **Data Breach:** Massive loss of proprietary source code (ArupCompute) and sensitive national infrastructure designs (HS2).
- **Operational:** Potential disruption to current construction projects and need for total credential/certificate rollover (including Apple code-signing).
- **Reputational:** High-profile public listing on a leak site; exposure of high-profile client data (Disney, BP, Amazon).
## Indicators of Compromise
- **Network Indicators:** Unauthorized connections to Tor-based leak sites (defanged: hxxps[://]fulcrumsec[.]onion).
- **Behavioral Indicators:** Bulk cloning of thousands of GitHub repositories; unusual volume of data egress from S3/Azure Blob storage; logins from non-standard locations using administrative API keys.
## Response Actions
- **Containment:** Rotation of compromised GitHub and Azure credentials (six weeks post-intrusion).
- **Eradication:** Deactivation of the "forgotten" subdomain and associated JavaScript files.
- **Negotiation:** Company engaged in email correspondence with the threat actor for several weeks (failed).
## Lessons Learned
- **Credential Lifecycles:** Rotating credentials six weeks after an intrusion is insufficient to prevent data exfiltration once a cloud environment is compromised.
- **Secrets Management:** Hardcoding tokens in source code and leaving them on public-facing subdomains remains a critical vulnerability.
- **Shadow IT:** Old, unused assets are prime targets for reconnaissance.
## Recommendations
- **Automated Secret Scanning:** Implement tools like GitHub Secret Scanning to block commits containing plaintext keys.
- **Attack Surface Management:** Regularly audit and decommission unused subdomains and Internet-facing assets.
- **Enhanced Monitoring:** Enable and alert on GitHub Audit Logs for bulk repository cloning or "Export" actions.
- **Deception:** Deploy "CanaryTokens" or honey-tokens within sensitive folders and documents to provide early warning of data access.
- **Least Privilege:** Ensure subsidiary cloud environments are isolated and do not share administrative credentials with the parent organization.
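To illustrate the "GitHub Activity Monitoring" takeaway and the "Enhanced Monitoring" recommendation above, this added Python example (not Arup's or GitHub's code) applies a sliding-window detection for one identity cloning an unusual number of distinct repositories. The audit log field names (`@timestamp`, `action`, `actor`, `repo`, `actor_ip`), the `git.clone`/`git.fetch` action names and every event are assumptions or constructed sample data; map them to your own audit log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: streamed GitHub audit log Git events carry the keys @timestamp,
# action, actor, repo and actor_ip; adjust the names for your own export.
CLONE_ACTIONS = {"git.clone", "git.fetch"}

def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))

def bulk_clone_alerts(events: list[dict], threshold: int = 50,
                      window: timedelta = timedelta(hours=1)) -> list[dict]:
    """One alert per actor whose count of *distinct* repos cloned inside any
    sliding window exceeds `threshold`; heavy use of one repo never trips it."""
    by_actor: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e.get("action") in CLONE_ACTIONS:
            by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=_ts)
        in_window: dict[str, int] = defaultdict(int)  # repo -> clones in window
        start, peak = 0, 0
        for e in evs:
            in_window[e["repo"]] += 1
            while _ts(e) - _ts(evs[start]) > window:  # expire aged-out events
                in_window[evs[start]["repo"]] -= 1
                start += 1
            peak = max(peak, sum(1 for n in in_window.values() if n > 0))
        if peak > threshold:
            alerts.append({"actor": actor, "distinct_repos": peak,
                           "source_ips": sorted({e.get("actor_ip", "?") for e in evs})})
    return alerts

def constructed_sample() -> list[dict]:
    """Constructed events: a service identity clones 60 distinct private repos
    in 30 minutes, beside a developer's normal activity on one repo."""
    base = datetime(2025, 9, 14, 2, 0, tzinfo=timezone.utc)
    evs = [{"@timestamp": (base + timedelta(seconds=30 * i)).isoformat(),
            "action": "git.clone", "actor": "svc-legacy-build",
            "repo": f"example-org/private-repo-{i:03d}", "actor_ip": "203.0.113.10"}
           for i in range(60)]
    evs += [{"@timestamp": (base + timedelta(minutes=5 * i)).isoformat(),
             "action": "git.clone", "actor": "alice",
             "repo": "example-org/web-frontend", "actor_ip": "198.51.100.7"}
            for i in range(3)]
    return evs
```

Tune `threshold` and `window` to the organisation's normal CI behaviour so that build systems fetching a fixed set of repos stay below the line while an identity sweeping thousands of private repos does not.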