Amazon Data Center Blueprints Leaked in Breach of Steel Contractor

Supply Chain Breach at Cooper Steel Fabricators Exposes Sensitive Blueprints for Amazon and Walmart Projects

Severity: CRITICAL
November 30, 2025
Categories: Data Breach, Supply Chain Attack, Industrial Control Systems

Related Entities: Cooper Steel Fabricators, Amazon, Walmart, Publix

Executive Summary

On November 30, 2025, a severe supply chain data breach came to light involving Cooper Steel Fabricators, a U.S.-based industrial contractor. A threat actor has listed a 330 GB data set for sale, allegedly exfiltrated from the company's File Transfer Protocol (FTP) server. The data, offered for $28,500, reportedly contains a wealth of proprietary information, most notably the complete architectural blueprints and 3D models for an Amazon data center and a sorting facility. Data related to projects for other major clients, including Walmart, is also said to be part of the leak. This incident is a stark illustration of how a compromise at a single third-party vendor can expose highly sensitive operational and security details of some of the world's largest companies, posing a significant physical and cybersecurity risk.


Threat Overview

The breach appears to be a classic case of targeting a 'soft' link in a major corporation's supply chain. Cooper Steel, as a contractor for critical construction projects, held highly sensitive data belonging to its clients.

  • Victim: Cooper Steel Fabricators, a U.S. structural steel contractor.
  • Attack Vector: The threat actor claims the data was exfiltrated from an insecure company FTP server. Insecure FTP servers are a common attack vector, often lacking strong authentication, encryption, and proper access controls, making them a prime target for T1190 - Exploit Public-Facing Application.
  • Exfiltrated Data: The actor is selling a 330 GB archive containing what is described as a "complete mirror" of the server. This includes:
    • Blueprints and structural specifications for an Amazon data center in Ohio.
    • Plans for an Amazon sorting facility in Massachusetts.
    • 3D models and drawings for Walmart distribution centers.
    • Information on projects for other clients like Publix.
  • Monetization: The data is being sold on a dark web forum for $28,500 in cryptocurrency, indicating a financially motivated threat actor.

Impact Assessment

The exposure of detailed data center blueprints is a security incident of the highest order, with potential impacts far beyond financial loss.

  • Physical Security Risk: The blueprints could provide adversaries with detailed knowledge of a data center's layout, including structural weaknesses, access points, locations of critical equipment (servers, cooling, power), and security measures. This information is invaluable for planning physical attacks, sabotage, or corporate espionage.
  • Cybersecurity Risk: Although blueprints describe physical infrastructure, they can inform cyberattacks. Knowing the physical layout of server racks and network cabling can help an insider or a sophisticated attacker target specific systems more effectively.
  • Supply Chain Ramifications: For Amazon and Walmart, this breach severely undermines the security of their supply chain. It will force a review of vendor security policies and could lead to costly legal and contractual disputes with Cooper Steel.
  • Competitive Disadvantage: Competitors could use the leaked designs and structural information to gain insights into Amazon's and Walmart's highly optimized and secretive logistics and data infrastructure operations.
  • Brand Damage: The incident damages the reputation of Cooper Steel as a trusted partner and raises questions for its clients about the security of their most sensitive projects.

Amazon's data center infrastructure is a core component of its global cloud services (AWS). The public exposure of its design represents a systemic risk not just to Amazon, but to the thousands of companies that rely on AWS for their operations.


Detection & Response (for organizations like Cooper Steel)

Detection:

  1. Monitor for Large Data Egress: Implement network monitoring to detect unusually large data transfers from internal servers to external IP addresses, especially from legacy systems like FTP servers. This is a core tenet of D3-NTA: Network Traffic Analysis.
  2. Log FTP Access: Ensure all access, command, and file transfer logs for FTP servers are enabled, collected centrally, and reviewed for anomalous activity, such as access from unusual geographic locations or multiple failed login attempts.
  3. File Integrity Monitoring: Use FIM tools on critical file servers to alert on unauthorized access or reading of large volumes of sensitive files.
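The three detection items above (large egress, FTP access-log review for failure bursts and unusual source locations) can be exercised against FTP logs in one pass. The following script is an added example written for this article, not tooling from the report or from Cooper Steel: it parses vsftpd-style log lines, aggregates per client address, and flags the conditions the list describes. The log lines, hosts, users, file paths, sizes, trusted networks and the IP-to-country table are all constructed for the example; the country table stands in for a real GeoIP lookup.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of a vsftpd log. Every host, user, path and
# size here is invented for this example.
SAMPLE_LOG = """\
Sun Nov 30 01:58:02 2025 [pid 4] [jdoe] OK LOGIN: Client "10.20.30.40"
Sun Nov 30 01:58:30 2025 [pid 5] [jdoe] OK DOWNLOAD: Client "10.20.30.40", "/projects/publix/site.pdf", 2097152 bytes, 800.00Kbyte/sec
Sun Nov 30 02:14:07 2025 [pid 6] [anonymous] FAIL LOGIN: Client "203.0.113.5"
Sun Nov 30 02:14:09 2025 [pid 6] [admin] FAIL LOGIN: Client "203.0.113.5"
Sun Nov 30 02:14:11 2025 [pid 6] [ftp] FAIL LOGIN: Client "203.0.113.5"
Sun Nov 30 02:14:13 2025 [pid 6] [backup] FAIL LOGIN: Client "203.0.113.5"
Sun Nov 30 02:14:15 2025 [pid 6] [jdoe] FAIL LOGIN: Client "203.0.113.5"
Sun Nov 30 02:15:10 2025 [pid 6] [jdoe] OK LOGIN: Client "203.0.113.5"
Sun Nov 30 02:15:44 2025 [pid 7] [jdoe] OK DOWNLOAD: Client "203.0.113.5", "/projects/dc-oh/structural.dwg", 734003200 bytes, 41000.00Kbyte/sec
Sun Nov 30 02:19:02 2025 [pid 7] [jdoe] OK DOWNLOAD: Client "203.0.113.5", "/projects/dc-oh/model.rvt", 1288490188 bytes, 39000.00Kbyte/sec
Sun Nov 30 02:31:55 2025 [pid 7] [jdoe] OK DOWNLOAD: Client "203.0.113.5", "/projects/sort-ma/plans.zip", 2147483648 bytes, 40000.00Kbyte/sec
"""

# Stand-in for a GeoIP lookup (constructed table, not a real database).
GEO_BY_NETWORK = {
    ipaddress.ip_network("10.20.30.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "XX",   # TEST-NET-3, "unexpected" country
}
EXPECTED_COUNTRIES = {"US"}                          # where clients normally connect from
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]  # hypothetical allowlist

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<status>OK|FAIL) (?P<action>LOGIN|DOWNLOAD|UPLOAD): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]*)", (?P<bytes>\d+) bytes)?'
)


def parse_log(text):
    """Yield one record per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else 0
        yield rec


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_BY_NETWORK.items():
        if addr in net:
            return cc
    return "??"


def analyze(text, fail_threshold=5, fail_window=timedelta(minutes=5), egress_threshold=1 << 30):
    """Aggregate per client IP and return the alerts each one triggers."""
    by_ip = defaultdict(lambda: {"fails": [], "ok_logins": [], "bytes_out": 0, "files": []})
    for rec in parse_log(text):
        c = by_ip[rec["ip"]]
        if rec["action"] == "LOGIN":
            (c["ok_logins"] if rec["status"] == "OK" else c["fails"]).append(rec["ts"])
        elif rec["action"] == "DOWNLOAD" and rec["status"] == "OK":
            c["bytes_out"] += rec["bytes"]
            c["files"].append(rec["path"])

    findings = {}
    for ip, c in by_ip.items():
        alerts = []
        fails = sorted(c["fails"])
        # Sliding window: fail_threshold failures inside fail_window from one client.
        burst = any(fails[i + fail_threshold - 1] - fails[i] <= fail_window
                    for i in range(len(fails) - fail_threshold + 1))
        if burst:
            alerts.append("login-failure-burst")
            if any(ok > fails[0] for ok in c["ok_logins"]):
                alerts.append("success-after-failure-burst")   # guessed/stuffed credential worked
        if c["bytes_out"] > egress_threshold:
            alerts.append("large-egress")                       # unusually large outbound volume
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in TRUSTED_NETWORKS):
            alerts.append("untrusted-source-network")
        if country_of(ip) not in EXPECTED_COUNTRIES:
            alerts.append("unexpected-geo")
        findings[ip] = {"alerts": alerts, "bytes_out": c["bytes_out"],
                        "failed_logins": len(fails), "files": c["files"]}
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f["alerts"], f"{f['bytes_out'] / (1 << 20):.0f} MiB over {len(f['files'])} files")
```

The thresholds (five failures in five minutes, 1 GiB egress) are starting points; in practice they are tuned to the server's normal transfer profile, and the per-client byte counter is the piece that would have surfaced a multi-hundred-gigabyte mirror of a file server long before it finished.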

Response:

  1. Server Isolation: Immediately take the compromised FTP server offline to prevent further data exfiltration.
  2. Forensic Analysis: Conduct a full forensic investigation of the server to confirm the breach, identify the attacker's TTPs, and determine the full scope of the exfiltrated data.
  3. Breach Notification: Notify all affected clients (Amazon, Walmart, etc.) and regulatory bodies as required by law and contractual obligations.
  4. Dark Web Monitoring: Engage a threat intelligence service to monitor dark web forums for the sale of the data and to potentially identify the threat actor.

Mitigation

This incident is a textbook example of why legacy protocols and poor access management are so dangerous.

  • Decommission Legacy Protocols: Immediately decommission FTP in favor of secure alternatives like SFTP (SSH File Transfer Protocol) or modern, managed file transfer (MFT) solutions that enforce encryption in transit and at rest. This is a fundamental part of D3-PH: Platform Hardening.
  • Implement Zero Trust: Adopt a Zero Trust security model. Access to sensitive data should require strong authentication (M1032 - Multi-factor Authentication), be granted on a least-privilege basis, and be continuously verified.
  • Data Classification and Encryption: Classify all data based on sensitivity. The most critical data, such as client blueprints, should be encrypted at rest (M1041 - Encrypt Sensitive Information) with strict access controls.
  • Vendor Security Requirements: For large enterprises like Amazon, this incident must trigger a reinforcement of security requirements for all third-party contractors. This includes mandatory security audits, proof of compliance with standards like ISO 27001, and penalties for security failures.
  • Network Segmentation: Ensure that servers holding sensitive client data are segmented from the rest of the corporate network to limit the blast radius of a potential compromise.
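To make the first mitigation bullet concrete, here is an added example (not from the report, and not Cooper Steel's or any vendor's configuration) that audits two configuration fragments: a weak, legacy vsftpd setup of the kind the article warns about, and an sshd_config that replaces it with an SFTP-only, key-authenticated, chrooted service. The two fragments are constructed for the example; the directive names are standard vsftpd and OpenSSH settings, while the expected values and the `sftponly` group and `/srv/sftp/%u` path are assumptions for illustration.

```python
# Constructed vsftpd.conf fragment: the weak, legacy setup (hypothetical sample).
WEAK_VSFTPD_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
chroot_local_user=NO
xferlog_enable=NO
"""

# Constructed sshd_config fragment for the replacement: SFTP only, key-based
# authentication, users jailed to their own tree (hypothetical sample).
HARDENED_SSHD_CONF = """\
Subsystem sftp internal-sftp
PasswordAuthentication no
PermitRootLogin no
LogLevel VERBOSE
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# What a hardened vsftpd would need if it could not be retired outright.
VSFTPD_EXPECTED = {
    "anonymous_enable": "NO",         # no anonymous access at all
    "ssl_enable": "YES",              # TLS on control and data channels
    "force_local_logins_ssl": "YES",  # credentials never cross the wire in clear
    "force_local_data_ssl": "YES",    # file contents never cross the wire in clear
    "chroot_local_user": "YES",       # users cannot browse outside their tree
    "xferlog_enable": "YES",          # transfer logging, the input for detection
}


def parse_kv_conf(text):
    """Parse key=value lines (vsftpd style); keys lower-cased, values upper-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        conf[k.strip().lower()] = v.strip().upper()
    return conf


def audit_vsftpd(text):
    """Return (directive, observed, expected) for every setting that misses the bar."""
    conf = parse_kv_conf(text)
    return [(key, conf.get(key, "<unset>"), want)
            for key, want in VSFTPD_EXPECTED.items() if conf.get(key) != want]


def parse_sshd_conf(text):
    """Split sshd_config into global settings and a list of Match blocks."""
    glob, matches, cur = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            cur = {"criteria": value, "settings": {}}
            matches.append(cur)
        elif cur is not None:
            cur["settings"][key] = value
        else:
            glob[key] = value
    return glob, matches


def audit_sftp(text):
    """Check that sshd offers SFTP only: internal-sftp, no passwords, chrooted Match block."""
    glob, matches = parse_sshd_conf(text)
    findings = []
    if "internal-sftp" not in glob.get("subsystem", ""):
        findings.append(("subsystem", glob.get("subsystem", "<unset>"), "sftp internal-sftp"))
    if glob.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("passwordauthentication", glob.get("passwordauthentication", "<unset>"), "no"))
    jailed = [m for m in matches
              if "chrootdirectory" in m["settings"]
              and m["settings"].get("forcecommand") == "internal-sftp"]
    if not jailed:
        findings.append(("match-block", "<none>", "ChrootDirectory + ForceCommand internal-sftp"))
    for m in jailed:
        for key in ("allowtcpforwarding", "x11forwarding"):
            if m["settings"].get(key, "yes").lower() != "no":
                findings.append((f"match[{m['criteria']}].{key}", m["settings"].get(key, "<unset>"), "no"))
    return findings


if __name__ == "__main__":
    print("vsftpd findings:", audit_vsftpd(WEAK_VSFTPD_CONF))
    print("sshd findings:", audit_sftp(HARDENED_SSHD_CONF))
```

The audit deliberately treats an absent directive as a finding rather than assuming the daemon's default is safe; the point of the check is that every security-relevant setting is stated explicitly where an auditor can read it. Pair the sshd side with a firewall rule that exposes port 22 only to the contractor's and clients' known address ranges, as the MITRE mitigation list below recommends.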

Timeline of Events

  1. November 30, 2025: Reports emerge of a threat actor selling 330 GB of data allegedly stolen from Cooper Steel Fabricators' FTP server.
  2. November 30, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Multi-factor Authentication (M1032): Enforce MFA on all externally accessible systems, including file servers, to prevent unauthorized access even if credentials are stolen.
  • Restrict access to sensitive servers like FTP/SFTP to only known, trusted IP addresses using firewall rules.
  • Encrypt Sensitive Information (M1041): Encrypt all sensitive client data at rest, so that even if the files are exfiltrated, they are unusable without the decryption keys.
  • Decommission and replace insecure, legacy protocols like FTP with modern, secure alternatives such as SFTP or MFT solutions.
  • Audit (M1047, enterprise): Implement robust logging and monitoring for all access to sensitive data repositories to detect and alert on potential exfiltration activity.

Sources & References

  • "Your Breaches of the Week! Nov 24 to Nov 30, 2025", YouTube (youtube.com), November 30, 2025.
  • "Data Breaches Digest - Week of November 24-30, 2025", Data Breaches Digest (databreachesdigest.com), November 30, 2025.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Data Breach, Supply Chain, Amazon, Walmart, FTP, Infrastructure Security
