Hackers Claim Theft of 1TB of Data from France’s Naval Group, Including Submarine Combat System Code

On July 22, a hacker group identifying itself as “Neferpitou” claimed responsibility for breaching the systems of Naval Group, France’s largest naval defense shipbuilder, stealing over 1 terabyte of sensitive data. The cyberattack—allegedly one of the most serious against a European defense contractor—reportedly exposed classified submarine combat system source code, internal communications, and technical documents dating from 2019 to 2024.

To substantiate their claim, the hackers released a 13GB sample of the stolen data, demanding that Naval Group contact them within 72 hours, or they would leak the full cache. When no response was made public, the group reportedly published the entire dataset on July 26.

What Was Stolen

According to leaked file metadata and cybersecurity analysts who reviewed the sample, the stolen data appears to include:

• Source code for submarine combat management systems (CMS) used on platforms such as France’s nuclear attack submarines

• Technical documents marked “Restricted Distribution” and “Special France”, covering internal systems between 2006 and 2024, with a focus on the last five years

• Detailed network maps of Naval Group's internal infrastructure

• Developer virtual machines and CMS simulation environments

• Confidential HCL Notes communications and inter-office messaging files

• Operational manuals and sensor integration schematics for Naval platforms

One of the most revealing files is reportedly a video recording of a submarine monitoring interface, though it is dated 2003, suggesting the breach may also include legacy systems or archived materials.

Cybersecurity researchers from Bitdefender and Cybernews who reviewed the leaked data noted no obvious signs of fabrication, and internal file structures appear consistent with known Naval Group software architectures.

Naval Group Response

Naval Group acknowledged the allegations in a public statement, stating that:

“As of now, no intrusion into our IT environments has been confirmed. We are working with French authorities and cybersecurity experts to assess the situation thoroughly.”

The company also described the leak as a “reputational attack” amid increased international competition, especially with ongoing tenders in Asia, the Middle East, and Europe.

Despite mounting evidence suggesting the authenticity of the breach, no ransom was publicly demanded, and the company stated it would not enter into contact with the attackers, in line with French government policy.

Who Are the Hackers?

The group Neferpitou, which first appeared in cybercrime forums earlier this year, has not previously been linked to any high-profile hacks. The structure of the leak—release of a partial sample, countdown threats, followed by full publication—matches tactics used by data extortion groups, though the lack of financial demands suggests possible geopolitical motivations.

Cyber intelligence analysts believe the attack may be a state-sponsored operation or a proxy effort targeting France’s defense capabilities, especially as Naval Group plays a central role in Europe’s military-industrial base.

National Security Ramifications

If verified, the leak could have far-reaching implications:

• Combat systems source code could be reverse-engineered to identify and exploit vulnerabilities in France’s submarine fleet and possibly export versions like the Scorpene-class submarines used by India, Brazil, and Malaysia

• Exposure of network topology and infrastructure schematics might allow adversarial actors to map, mimic, or attack Naval Group’s digital supply chain

• Access to developer environments and virtual machines could offer attackers insights into simulation and test configurations used in real-time platform development

Cyber defense specialists warn that the compromise of even non-operational systems can result in devastating operational impacts over time.

Ongoing Investigation

The incident is now under review by:

• ANSSI (French Cybersecurity Agency)

• France’s Ministry of Armed Forces

• Europol’s European Cybercrime Centre (EC3)

• NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE)

Naval Group and its shareholders, including Thales Group, are also likely to launch a sweeping internal audit of all source code repositories, access logs, and credential records.

Historical Context

Naval Group has previously been targeted. In 2016, a similar leak exposed 22,000 pages of documents related to the Indian Navy’s Scorpene-class submarines. That breach led to an overhaul of cybersecurity policies and operational secrecy across several programs.

Given that France is currently bidding for major submarine and frigate deals in multiple countries, analysts suspect the timing of the July 2025 hack may not be coincidental.

What Comes Next?

Security experts caution that Naval Group’s clients, particularly in Asia and the Middle East, may demand additional assurances or contract renegotiations. The leaked data—if confirmed as genuine—could also result in broader reviews of Europe’s defense sector cybersecurity posture.

The French government has yet to make a formal statement on the potential scope of the breach. For now, defense insiders say this case may serve as a pivotal moment in how the global defense industry treats cyber resilience, particularly in protecting sensitive platform design and combat system infrastructure.