
Attack alert: Anubis targets Smith Fire Systems - US

DataInTheDark Alert System

Introduction

On December 4, 2025, Smith Fire Systems, a US-based specialist in fire protection for critical infrastructure, was the victim of a cyberattack orchestrated by the Anubis group. This breach, classified as SIGNAL level by our XC-Classify protocol, exposes a company with 50 to 100 employees and $25 million in annual revenue. The incident raises major concerns for the fire safety sector, as Smith Fire Systems manages protection plans and sensitive customer data for high-risk industries such as petrochemicals. According to our verified data, this attack is part of Anubis's strategy to target critical infrastructure to maximize financial pressure on its victims.

The intrusion against this organization, founded in 1987, illustrates the persistent vulnerability of mid-sized businesses to sophisticated cyber threats. Since fire protection systems are a critical component of industrial safety, their compromise could have cascading repercussions throughout the entire security chain of the infrastructure they serve. Analysis of the incident's metadata reveals a SIGNAL-level exposure, requiring heightened vigilance from the compromised company's partners and customers.

Detailed analysis

This cyberattack adds to the record of Anubis, a cybercriminal collective active since 2016 that combines ransomware techniques and data exfiltration to coerce its targets into paying. The incident comes amid a surge in attacks targeting the fire safety sector in the United States, a sector that has so far been relatively spared by major ransomware campaigns.

Anubis represents a hybrid threat that has evolved since its creation in 2016, initially identified as a banking trojan before diversifying its operations into enterprise ransomware. This financially motivated collective operates according to a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy its malicious tools in exchange for a share of the collected ransoms. This decentralized structure explains the geographic and sectoral diversity of its victims worldwide.

Anubis's modus operandi revolves around multiple infection vectors: targeted phishing campaigns, exploitation of unpatched vulnerabilities in Windows systems, and post-compromise deployment via its eponymous banking Trojan. Once initial access is established, the malicious actor conducts thorough reconnaissance of the compromised network, exfiltrates sensitive data, and then deploys its ransomware using robust symmetric encryption algorithms. Encrypted files are given distinctive extensions, accompanied by ransom notes redirecting victims to Tor portals for negotiations.

The sectors targeted by Anubis include finance, retail, public administration, and now, critical fire safety infrastructure. The group employs a double extortion tactic: encrypting systems coupled with the threat of publishing the stolen data. This approach maximizes the psychological and financial pressure on compromised organizations. Anubis's technical infrastructure overlaps with that of other cybercriminal actors, suggesting collaboration or tool sharing within broader malicious ecosystems.

Anubis's previous victims demonstrate a constant capacity for adaptation, with the group regularly updating its techniques to circumvent modern defenses. Its evolution since 2016 shows increasing professionalism, with ransom demands tailored to the victims' estimated financial capacity and the business impact of the disruption.

Smith Fire Systems, established in 1987, has become a leading provider of specialized fire protection systems for industrial infrastructure in the United States. With an estimated 50 to 100 employees and annual revenue of $25 million, the company is positioned as a mid-sized player in the highly regulated fire safety industry. Its clientele includes high-risk industries, notably the petrochemical sector, where the failure of protection systems can have catastrophic consequences.

The nature of Smith Fire Systems' business involves managing highly sensitive data: detailed fire safety plans, suppression system configurations, critical infrastructure maps, and contractual information from clients operating in highly critical environments. This information, if it fell into the wrong hands, could compromise the physical security of major industrial sites. The company works on facilities where business continuity depends directly on the reliability of fire protection systems.

The compromise of an organization of this size and profile underscores the vulnerability of mid-sized companies, often with limited cybersecurity budgets, to state-sponsored or organized crime threats. Smith Fire Systems operates in an environment where customer trust depends on the ability to protect critical security information. The incident of December 4, 2025, could therefore have significant repercussions for its reputation and business relationships, particularly in an industry where reliability is a primary selection criterion.

The company's location in the United States subjects it to a strict regulatory framework regarding the cybersecurity of critical infrastructure, with potential reporting obligations to federal and state authorities. Its position in the industrial security chain makes it a strategic target for actors seeking indirect access to broader infrastructure by compromising trusted suppliers.

The attack against Smith Fire Systems was classified as SIGNAL level according to our XC-Classify protocol, indicating a detected exposure whose precise extent and nature are still being analyzed. This criticality level suggests that indicators of compromise were identified on data leak monitoring platforms, without a massive volume of files being immediately observable. The NIST score associated with this incident reflects a multidimensional risk assessment, taking into account industry sensitivity, organizational size, and the nature of potentially exposed assets.

Available certified data indicates that the incident was discovered on December 4, 2025, although the initial attack vector and the exact timeline of the compromise have not been made public at this time. Analysis of the incident metadata suggests that data exfiltration preceded any formal ransom demand, consistent with the double extortion model favored by Anubis. The compromised information likely includes fire safety plans, technical configurations of suppression systems, and contractual data from industrial customers.

The types of intelligence managed by Smith Fire Systems present a high-risk profile: critical infrastructure diagrams, physical vulnerabilities identified during security audits, and emergency contact information for sensitive sites. Malicious exploitation of this data could facilitate physical intrusions or targeted sabotage of industrial facilities. For the company's clients, the exposure of their fire protection plans represents a major security breach requiring a complete reassessment of their systems.

Frequently Asked Questions

When did the attack by Anubis on Smith Fire Systems occur?

The attack occurred on December 4, 2025 and was claimed by Anubis. The incident can be tracked directly on the dedicated alert page for Smith Fire Systems.

Who is the victim of Anubis?

The victim is Smith Fire Systems, which operates in the fire protection & safety sector. The company is located in the United States. You can search for Smith Fire Systems' official website. To learn more about the Anubis threat actor and their other attacks, visit their dedicated page.

What is the XC protocol level for the attack on Smith Fire Systems?

The XC protocol level is currently at XC SIGNAL status, meaning the attack on Smith Fire Systems has been claimed by Anubis but has not yet been confirmed by our community. Follow the progress of this alert.

Conclusion

The time between the initial compromise and public discovery remains undetermined, a critical factor in assessing the potential scope of the exfiltration. Ongoing analyses aim to determine whether the malicious actor maintained prolonged persistence within the network, enabling in-depth reconnaissance and extensive collection of strategic intelligence. The SIGNAL classification involves continuous monitoring of the incident's evolution, with the possibility of reclassification if additional data volumes appear on the extortion platforms.
