South Korean industrial automation giant SFA Engineering has allegedly become the latest victim of a significant ransomware attack. The ransomware group known as ‘Underground’ has claimed responsibility, posting the company on its data leak site on August 15, 2025. SFA Engineering is a major player in the industry, boasting a revenue of $1.7 billion, and specializes in manufacturing equipment for various high-tech sectors. The attackers claim to have exfiltrated 2.3 TBytes of sensitive data from the company’s network.
The alleged breach appears to be extensive and highly sensitive, compromising not only SFA Engineering’s internal operations but also the intellectual property and project details of its major international clients. The leaked data reportedly includes everything from financial documents and contracts to trade secrets and confidential drawings. Personal information such as Korean and Chinese passports, driver’s licenses, and medical certifications is also said to be included in the leak, alongside data from the personal computers of the company’s President, CEO, and other managers. This incident could have severe repercussions, impacting major corporations like Micron, Samsung Display Company, SK Hynix, and Northvolt, whose project documentation was allegedly compromised.
The list of allegedly stolen data includes:
- NEO AI development files
- Korean and Chinese passports, driver’s licenses, medical certifications, and visas
- Confidential inspection reports and design reviews
- Confidential and private drawings and models
- Trade secrets and intellectual property of other companies
- Finance documents, contracts, agreements, and NDAs
- Business presentations and business plans for 2025
- Project documentation for clients such as Micron, Samsung Display Company, BOE, Northvolt, and SK Hynix
- Patent applications
- Research and development for battery manufacturing
- Data from personal computers of the company President, CEO, and other managers












