APT Iran Announces $600 Million Sale of 375 TB Alleged Lockheed Martin Data
Iran-linked APT says it is selling 375 TB of alleged Lockheed Martin data for $600 million on the dark web. Learn the facts and mitigation steps.

*TL;DR – APT Iran says it is handling a $600 million dark‑web sale of 375 TB of alleged Lockheed Martin data. The claim remains unverified and has prompted heightened scrutiny from security teams.*

Context

A dark‑web marketplace called Threat Market listed 375 TB of purported Lockheed Martin information with a $600 million price tag. The listing appeared in early March and quickly attracted attention from defense and cybersecurity analysts.

Key Facts

- On March 26, the Iran‑linked group APT Iran contacted Threat Market and was granted control over the sale. The group publicly announced its role, stating it is responsible for the transaction.
- The advertised data set includes internal project files, engineering schematics, and personnel records, though no independent sample has been released for verification.
- Lockheed Martin has not confirmed a breach, nor have any law‑enforcement agencies validated the authenticity of the data.
- A separate actor, Handala Hack Team, claimed possession of personal data on Lockheed employees and issued threats, but no link to the Threat Market listing has been established.

What It Means

If the data proves authentic, exposure could compromise classified defense projects, reveal supply‑chain vulnerabilities, and endanger personnel safety. Even without confirmation, the high‑value listing may be a deception tactic designed to inflate ransom expectations or to test market demand for defense‑sector intel.

The incident underscores the growing monetization of state‑linked cyber‑espionage. Threat Market’s willingness to host a $600 million transaction signals that cybercriminals are increasingly treating stolen intellectual property as a commodity comparable to traditional financial fraud.

Mitigations – What Defenders Should Do

1. Assume breach until proven otherwise – Conduct immediate internal audits of access logs for any anomalous activity involving privileged accounts or external connections.
2. Apply relevant patches – Verify that all systems handling defense‑related data run the latest security updates, especially for known vulnerabilities such as CVE‑2023‑23397 (Windows Print Spooler) and CVE‑2024‑2135 (Linux kernel).
3. Monitor for ATT&CK techniques – Deploy detection rules for T1078 (Valid Accounts) and T1566.002 (Phishing: Spearphishing Link), techniques frequently used by APT Iran.
4. Encrypt data at rest and in transit – Use strong encryption (AES‑256) for all sensitive files to limit the value of any exfiltrated material.
5. Strengthen credential hygiene – Enforce multi‑factor authentication for all privileged users and rotate service account passwords regularly.
6. Engage threat‑intel feeds – Subscribe to reputable intel sources that track APT Iran activity to receive timely indicators of compromise (IOCs) such as IP addresses, hash values, and command‑and‑control domains.
7. Prepare incident response – Update playbooks to include scenarios involving large‑scale data exfiltration and coordinate with federal agencies if a breach is confirmed.
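
An added example, not part of the original article, of the access-log audit described in steps 1 and 3: it flags privileged-account sessions that come from an external or previously unseen source, or that send an unusually large volume outbound. The log format, the 10.0.0.0/8 internal range, the 50 GB threshold and every sample record are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal address space
BYTES_OUT_LIMIT = 50 * 10**9                          # assumption: >50 GB per session is abnormal

# Constructed sample records: timestamp, account, role, source IP, bytes sent outbound.
SAMPLE_LOG = """\
2024-01-08T08:02:11Z svc-backup priv 10.20.0.15 1200000
2024-01-09T08:01:58Z svc-backup priv 10.20.0.15 1350000
2024-01-10T02:47:30Z svc-backup priv 203.0.113.77 98000000000
2024-01-10T09:15:02Z jdoe user 198.51.100.4 450000
2024-01-10T09:40:44Z adm-kim priv 10.20.0.31 800000
2024-01-11T03:12:09Z adm-kim priv 10.20.0.31 64000000000
"""

def parse(line):
    """Split one record into typed fields."""
    ts, account, role, src, sent = line.split()
    return ts, account, role == "priv", ipaddress.ip_address(src), int(sent)

def audit(log_text):
    """Return (timestamp, account, reasons) for suspicious privileged sessions."""
    seen = defaultdict(set)   # account -> source IPs observed so far (rolling baseline)
    findings = []
    # ISO 8601 timestamps lead each line, so a plain sort is chronological.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts, account, privileged, src, sent = parse(line)
        if privileged:
            reasons = []
            if not any(src in net for net in INTERNAL_NETS):
                reasons.append("external source")
            # Only meaningful once the account has some history.
            if seen[account] and src not in seen[account]:
                reasons.append("new source for account")
            if sent > BYTES_OUT_LIMIT:
                reasons.append("large outbound transfer")
            if reasons:
                findings.append((ts, account, reasons))
        seen[account].add(src)
    return findings

if __name__ == "__main__":
    for ts, account, reasons in audit(SAMPLE_LOG):
        print(ts, account, "->", ", ".join(reasons))
```
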

Looking Ahead

Watch for verification of the data sample, any official statements from Lockheed Martin, and law‑enforcement actions against Threat Market. Continued monitoring of APT Iran’s communications will indicate whether the sale proceeds or serves as a diversion.