The D1R ransomware group has claimed responsibility for a significant supply chain attack, impacting two major technology firms: Bosch, a German multinational engineering and technology company, and Synopsys, a U.S.-based leader in electronic design automation (EDA). On July 13, 2026, D1R posted claims on its leak site asserting it had breached Bosch by leveraging data obtained from a separate, preceding attack on Synopsys. The group explicitly stated they used information from the Synopsys breach as a "neat roadmap" into Bosch's network, a classic supply chain attack scenario. D1R also claimed to have stolen proprietary data from both companies, specifically mentioning the "Bosch CAN module implementation," a critical component in automotive technology. This incident underscores the cascading risk in interconnected technology ecosystems.
Bosch CAN module implementation is highly concerning, as this intellectual property is fundamental to in-vehicle network communication and its theft could have wide-ranging implications for automotive security and Bosch's competitive advantage.While the exact mechanism is not confirmed, the attacker's statement implies they used information from the Synopsys breach—not necessarily direct network access—to facilitate the Bosch attack.
This attack has severe potential consequences for all involved parties:
No specific technical IOCs were provided in the source articles.
Implementing strict network segmentation and firewall rules to prevent a compromised partner connection from accessing critical internal resources.
Applying the principle of least privilege to partner accounts is critical to limiting the 'blast radius' of a supply chain compromise.
D1R ransomware group claims attacks on both Synopsys and Bosch, linking the two incidents.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.