Nissan’s design division claimed by Qilin gang in latest ransomware attack


Nissan’s Creative Box cutting-edge design studio in Tokyo has been tapped by the Qilin ransomware group, potentially exposing the automaker’s top secret designs to its competitors.

The Nissan Creative Box (Nissan CBI) design studio appeared on the cybercriminal gang’s victim blog sometime on Thursday. The hackers claim to have exfiltrated a total of 405,882 files from the design subsidiary, equal to 4,037.00 GB.

“The 4TB of data we copied includes 3D design data, reports, photos, videos, and various documents of Nissan automobiles,” the gang wrote on its victim blog.

“While we have no intention of releasing all of this data yet, if Nissan refuses to acknowledge or ignore, it will. At that point, everyone, including competitors, will have access to detailed data of all Nissan CBI projects,” it said.

Qilin leak site. Image by Cybernews.

Initially opened in 1987 by Shozo Sato, a key figure in Nissan’s design history, Creative Box is considered a satellite studio within Nissan’s design infrastructure. The company is still located in the artsy Harajuku district of Tokyo, and is now wholly owned by Nissan.

“Creative Box is run as an independent offshoot where the company’s young designers are given a free rein to develop ideas and concepts for tomorrow,” the company states.

Often referred to as Nissan’s design think tank, the creative team is known for its work on developing the Nissan Nuvu concept car and other unconventional design projects.

Proprietary data at risk

Listed as one of the auto manufacturer’s “major subsidiaries and affiliates in Japan,” Creative Box, Inc., is responsible for the “exterior and interior design for automobiles,” according to the Nissan Motor Works’ website.

“They claim to have 4 TB of Nissan’s internal data,” said Mantas Sabeckis, Information Security Researcher at Cybernews, noting that as of Thursday, the ransomware actors had shared very little of the alleged stolen cache.

“They only shared four photos, which include their 3D pre-release models, an internal Excel document, and two internal photos,” Sabeckis said.

Qilin leak site. Image by Cybernews.

Still, the Cybernews researcher pointed out that although the data “is not as sensitive as PII, it’s still internal data that might be valuable for some limited parties.”

“It’s similar to stealing an invention from the inventor,” Sabeckis added.

Nissan no stranger to cyberattacks

It’s not the first cyber breach to hit the automotive giant, whose global headquarters are located in Yokohama, Japan.

In May 2024, Nissan Motor Works revealed attackers had breached the carmaker’s North American subsidiary, Nissan North America (NNA), stealing the sensitive data of over 53,000 employees and some business information.

In March that same year, the Russian-linked Akira ransomware group claimed to have successfully infiltrated Nissan’s Australian and New Zealand businesses in December 2023.

The breach penetrated the company’s local IT servers and impacted about 100,000 Nissan customers and dealers, including current and former employees.

Nissan said 10,000 individual government-issued IDs, 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports, and 1,300 tax file numbers had been exposed in that attack.

Furthermore, in 2022, Nissan reported a data breach at one of its third-party software service providers had also leaked the personal information of thousands of customers.

Qilin shows no mercy

With 86 victims listed over the past four weeks, Qilin is considered the second most active ransomware cartel in the last 12 months, claiming roughly 483 victims, according to the Cybernews Ransomlooker tool.

A whopping 401 of those attacks appear to have taken place since January 2025.

Cybernews Ransomlooker tool. Image by Cybernews.

Notorious for targeting hospitals and the manufacturing sector, the Qilin gang – also known as Agenda – first appeared on the ransomware circuit in 2022, although its dark leak site claims it began operating in 2021.

Operating under a ransomware-as-a-service (RaaS) model, the cybercriminal outfit often uses double extortion tactics on its victims, demanding a ransom for decryption and then a second ransom to guarantee the stolen files will not be leaked on the dark web at a later date.

Earlier this month, Qilin claimed responsibility for the August 8th attack on the American pharmaceutical research conglomerate Inotiv, allegedly stealing 176 GB of internal company files.

Cybernews Ransomlooker tool. Image by Cybernews.

The big pharma corporation, which does research testing on animals, was fined $35 million by the US Justice Department in 2024 for egregious animal welfare violations.

Past victims include global energy and manufacturing giant SK Group, headquartered in South Korea; US newspaper conglomerate Lee Enterprises; the Houston Symphony; Detroit’s PBS TV station; top North American auto parts supplier Yanfeng in China; and the prestigious Utsunomiya cancer treatment center in Japan.

