1、 H2 2023 a������ brief overview of main incidents in industrial cybersecurity 11.04.2024 Version 1.0 H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 1 2024 AO KASPERSKY LAB Manufacturing.6 Wildeboer Bauteile hit by ransomware.6 TOMRA hit by cyberattack.6 Este Lauder hit by cyberatta
2、ck.7 Tempur Sealy hit by cyberattack.8 Zaun Limited hit by ransomware.8 Clorox hit by cyberattack.8 Kansai Nerolac hit by ransomware.9 Somagic hit by ransomware��������.9 W����acoal hit by cyberattack.9 Baccarat hit by cyberattack.10 Johnson Controls hit by ransomware.10 Volex hit by cyberattack.11 Simpson Manu
3、facturing hit by cyberattack.11 Yamaha Motor hit by ransom����ware.11 Boeing hit by ransomware.12 PFAFF������� hit by cyberattack.13 Grimme hit by cyberattack.13 VF Corporation hit by ransomware.13 Automotive.14 KIA Motors hit by ransomware.14 Grbener Maschinentechnik hit by cyberattack.14 Yanfeng hit by cyber
4、attack.15 Nissan Australia hit by cyberattack.15 Allgaier hit by cyberattack.16 Power and energy.16 BHI Energy hit by ransomware.16 Idaho National Laboratory hit by cyberatt������ack.17 HSE hit by ransomware.18 Jysk Energi hit by cyberattack.18 Attacks on Iranian gas station������s.18 H2 2023 A BRIEF OVERVIEW O
5、F MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 2 2024 AO KASPERSKY LAB Electronics.19 Seiko Group hit by cyberatt�������ack.19 Kendrion Kuhnke hit by cyberattack.19 Alps Alpine hit by ransomware.20 D-Link hit by cyberattack.20 Kyocera AVX Corporation hit by cyberattack.21 Japan Aviation Electronics hit by ra
6、nsomware.21 Bartec hit by cyberattack.22 NXP hit by cyberattack.22 Utility.23 Stader Land Drinking Water Association hit by ransomware.23 Stad��������twerke Neumnster hit by cyberattack.23 Engie hit by cyberattack.24 Hochsauerlandwasser and HochsauerlandEnergie hit by ransomware.24 SIAAP hit by cyberattack.
7、25 Municipal Water Authority of Aliquippa hit by cyberattack�������.25 Drum/Binghamstown Group Water Scheme hit by cyberattack.26 North Texas Municipal Water District hit by cyberattack.2�������7 AVU hit by cyberattack.27 Aqualectra hit by ransomware.27 Elektroprivreda Srbije hit by ransomware.28 Lower Valley Ene
8、rgy hit by cyberattack.28 Logistics&transportation.28 KNP Logistics Group hit by ransomware.28 Port of Nagoya hit by r������ansomware.29 ORBCOMM hit by ransomware.29 Auckland Transport hit by ransomware.30 Estes Express hit by cyberattack.31 DP World hit by cyberattack.31 Guyamier hit by������ ransomware.32 H2
9、2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 3 2024 AO KASPERSKY LAB Food&beverages.33 Campbell Soup hit by cyberattack������.33 Yakult Australia hi�������t by cyberattack.33 Oil&gas.34 BAZAN Group hit by DDoS attack.34 Shipbuilding.34 Austal USA hit by ransomware.34 Metallurgy.35 Rhr+Stol
10、berg GmbH hit by ransomware.35 Construction.�����35 Verhelst Groep hi������t by cyberattack.35 BAUER Group hit by cyberattack.35 Koh Brothers Eco hit by ransomware.36 Other.36 Freeport-McMoRan hit by cyberattack.36 Japan Aerospace Exploration Agency hit by cyberattack.37 In this overview,we discuss cybercrimin
11、al and hacktivist attacks on industrial organizations.A s�����eparate report is devoted to APT attacks.Many links to corporate website pages where information on incidents was originally published are broken because the information has already been removed.Still,we decided to keep the links because the i
12、nformation below is based on statements made by victi�������m companies.This overview includes information on incidents confirmed by either the affected organization or responsible ������government officials publicly.Compromise reports and claims made by cybercriminal groups alone are not discussed.H2 2023 A BRI
13、EF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 4 2024 AO KASPERSKY LAB The number of stories is comparable to that for the previous six months(64 vs.67),but on average the consequences of the attacks have become more severe�����(or at least more of the victims reported severe consequences).Mat
14、erial consequences,such as denial of production or suspension of product shipments,were reported twice as often as in the previou������s six months(37.5%of incidents in H2 2023 vs.18%in H1 2023).Some victims reported financial losses as a result of an attack(maximum of$356 million reported by US chemical
15、products manufacturer Clorox).In one������ case,a cyberattack virtually killed a business(or at least thats what������� the companys management claimed “It blocked the companys ability to secure additional investment and funding”).Most of the employees of one of Britains oldest transportation companies,KNP Logis
16、tics,lost their jobs,with just one subsidiary surviving by being sold.Some of the cases have almost involved infrastructural effects.The attack on DP World Australia,for example,stranded 30,000 containers in four major Australian ports.An attack on Chin�����as Yanfeng,the worlds largest OEM manufacturer
17、of automotive interior parts,caused another automotive giant,Stellantis,to halt its assembly lines.In three cases,attackers were able to gain access to automated control systems and use them to cause physical damage.�����One attack by a pro-Israeli group shut down up to 70%of Irans gas stations.An attack
18、 on Israeli-made Unitronics PLCs used in utilities in sev���eral countries around the world left 160 homes in Ireland temporarily without water.The third high-profile case an attack on a Ukrainian energy company was described in our review on APT attacks on industrial enterp�������rises(listing the results of
19、 the technical investigations th��������at have been published by experts for public access in H2 2023).Among the cases that we believe may be of particular interest for various reasons,we would like to highlight the attack on ORBCOMM the US service provider and IIoT and M2M device vendor.The attack affe�����cte
20、d their FleetManager platform and stopped their Blue Tree �����products from working those used to log the activities of truck drivers,as required by local regulations.The attack is of particular interest to us because it may foreshadow the development of a new attack vector for cybercriminals attacking
21、the onboard equipment and telemetry systems installed in various vehicles and vessels,which could open up the possibility���� of locking the vehicle or vessel itself.This is something we mentioned in our recent threat forecast for 2024.H2 2023 A BRIEF����� OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURI
22、TY 5 2024 AO KASPERSKY LAB H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 6 2024 AO KASPERSKY LAB Manufacturing Wildeboer Bauteile h���������it by ransomware German component manufacturer Wildeboer Bauteile was the target of a cyberattack on July 14.As the company reported on its webs
23、ite,it resulted in significant disruptions to the companys IT and communication systems.As a result of the attack and immediate separation of systems,there were restrictions in the communication options with customers,suppliers,authorities,and other business partners.The atta�������ckers succeeded in break
24、ing through the companys extensive IT security systems.It was unclear at the initial stage wheth�����er the cybercriminals were able to steal any data.To clarify this and other questions,Wildeboer commissioned external IT forensics specialists to analyze the cyberattack.Further measures were taken in clo
25、se cooperation with the relevant autho������rities.A company spokesman confirmed to Norddeutscher Rundfunk that company data was encrypted in the attack.The perpetrators also left a file with a virtual contact address to extort ransom money.Instead of responding to the ransom demand,the company filed a po
26、lice report.On August 11,the company released an update stating that production had started again,thus����� confirming there had been a production halt almost a month long.TOMRA hit by cyberattack TOMRA,a Norwegian manufacturer of sorting machines,was hit by an extensive cyberattack directly impacti�������ng so
27、me of its data systems.The attack was discovered on July 16,and the company promp�����tly took me����asures to contain and neutralize it.To mitigate the consequences,select services were disconnected,and a dedicated team of internal and external members worked to resolve the situation.While most digital serv
28、ices remained operational offline for a limited time,certain functionalities were ������affected.Major office locations went offline,with employees working remotely,while TOMRAs recycling and food divisions continued to operate,albeit with limited digital functionality.TOMRA �������issued an update specifying ce
29、rtain details of the attack,mainly that the th�������reat actor had gained access to some technical infrastructure systems,allowing them to traverse and access other sites.Initial investigation discovered that this was an ongoing cyberattack with access through compromised TOMRA user accounts.TOMRA found n
30、o trace of evidence that its clients,customers,Manufacturing Denial of IT services,Denial of operations Ransomware Manufacturing Denial of IT services,Denial of operations,Data leakage H2 2023 A BRIEF O�������VERVIEW OF MAIN INCIDENTS IN INDUSTR�����IAL CYBERSECURITY 7 2024 AO KASPERSKY LAB partners,or their sy
31、stems were at risk from the attack.It also saw no evidence of data encryption and did not receive any ransom dem�������ands.The cyberattack required a complete restructuring of ��������the IT infrastructure across the global organization.This included rebuilding core data centers,vetting of more than five thousand
32、 user accounts,and reworking and �������reestablishin������g underlying IT and network infrastructure.TOMRA states they implemented Zero Trust architecture.The lessons learned included that employee awareness plays a pivotal role.Comprehensive training and emphasizing the importance of vigilance are essential co
33、mponents.Establishing a defin�������ed incident recovery structure and procedure is also crucial,as incidents can often last longer than initially expected.Learning from the experiences of others with relevant expertise can be invaluable.Este Lauder hit by cyberattack On July 18,2023,U.S.-based cosmetics ����m
34、anufacturer The Este Lauder Companies Inc.reported a c������ybersecurity incident involving unauthorized access by a third party to some of its systems.The company proactively shut down affected systems and launched an investigation in collaboration with cybersecurity experts and law enforcement.The unaut
35、horized party managed to obtain certain data,prompting ongoing efforts to ���������understand the scope and nature of the breach.Este Lauder implemented security measures and ������remediation efforts to restore impacted systems and services.The incident caused disruptions to certain business operations,and the co
36、mpany t����ook the necessary steps to secure its operations����.On the same day,the Clop and BlackCat ransomware groups named Este Lauder Companies on their dark web leak site,following either the failure or non-occurrence of negotiations.The Clop ransomware gang might have gained access to the company afte
37、r exploiting a vulnerability in the MOVEit Transfer platform for secure file transfers.In a message to the company,the BlackCat gang mocked their security measures,saying that they were still present on the network.Referring to the security experts that Este Lauder brou�����ght in to investigate,BlackCat
38、 said that despite the company using Microsofts Detection and Response Team(DART)and Mandiant,the network remained compromised and they still had access.The attacker also said that they did not encrypt any company systems,adding that unl�����ess Este Lauder engaged in negotiations,they would reveal more
39、details about the stolen data.Manufacturing Denial of IT �����services,Data leakage 0-day,MOVEit MFT,Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 8 2024 ������AO KASPERSKY LAB Tempur Sealy hit by cyberattack U.S.mattress manufacturer Tempur Sealy International had to shutte
40、r parts of������� its IT������� systems because of a cybersecurity event that was identified on July 23.The company said the shutdown caused a temporary interruption of its operations.In an 8-K filed with the U.S.Securities and Exchange Commission,Tempur Sealy said it was in the process of bringing its critical I
41、T system�����s back online and had resumed operations.Legal counsel,a cybersecurity forensic firm,and other incident response professionals were hired to advise Tempur Sealy,and law enforcement agencies were contacted.On August 2,the AlphV/Black Cat ransomware group took credit for the atta�������ck on the comp
42、any,c������laiming to have sensitive documents from senior officials.Zaun Limited hit by ransomware Zaun Limited,a British manufacturer of sports fencing and high security perimeter protection systems,faced a sophisticated cy�����berattack from the LockBit Ransomware group on August 5-6.In a statement released
43、 on the companys website,they reported that they prevented the encryption of their server,and their operations continued without interruption.The statement was released after Lockbit ransomware group claimed responsibility for the attack on August 13.The breach originated from a rogue �������Windows 7 PC r
44、u������nning software for a manufacturing machine,which was since removed and the vulnerability closed.Although initially believed to have thwarted data transfer during the attack,it has now been confirmed that LockBit managed to download approximately 10 GB of data,potentially limited to the vulnerable P
45、C but with a risk of some data on the server being accessed(�����0.74%of stored data).The company collaborated with relevant agencies,including the National Cyber Security Center(NCSC)and the Information Commissioners Office(ICO).Clorox hit by cyberattack On August 14,U.S.-based chemical products manufac
46、turer Clorox disclosed the discovery o������f unauthorized activity on some of its IT systems.Upon detecting this activity,the company promptly initiated measures to halt and remediate the situation,which included taking certain systems offline.Clorox was active in its response and resolution of the issue
47、 and collaborated with law enforcement agencies to address the matter.To maintain service for its customers as much as possible,Clorox implemented workarounds for certain Manufacturing Denial of IT services,Denial of operations Manufacturing Data leakage Ransomware Manufacturing Denial of IT ser�����vice
48、s H�������2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 9 2024 AO KASPERSKY LAB operations that were affected by offline systems.Nevertheless,the incident resulted in disruptions to various aspects of �����the companys business operations.The following month,the household brand filed ano
49、ther SEC report,which revealed t�����hey believed the hack was contained but resulted in slower production rates and“an elevated level of consumer product availability issues.”Clorox claimed the total cost of the in�����cident was as big as a$356 million decline in net sales.Kansai Nerolac hit by ransomware K
50、ansai Nerolac Ltd.,an Indian subsidiary company of Kansai Paint,a Japanese paint manufacturing company,reported a ransomware incident t����hat occurred on August 20.The statement assured stakeholders that the technical and cybersecurity teams,along with management,responded swiftly to the incident,imple
51、menting the necessary precautions and protocols to mitigate its impact and promptly report the incident to relevant organizations.Investigations into������� the causes and extent of the impact were underway in cooperation with specialized security agencies.The statement also mentioned that business operati
52、ons had already resumed in KNPL,and there was no impact on systems in Japan.Somagic hit by ransomware French barbecue manufacturer Somagic was hit by a cyberattack as reported by local media.Employees discovered that all data was inaccessible on September 18 and that files had ����been renamed with the“
53、.medusa”extension,indicating the involvement of the Medusa hacker gang.The Medusa ransomware group added the company to its victims list.Wacoal hit by c������yberattack European subsidiary Wacoal Europe Co.Ltd.of Japanese lingerie manufacturer Walcoal was hit by a cyberattack on Septembe�������r 19 that affected
54、 its ordering system����s,websites,and phone systems.The websites for Wacoal,Fanta������sie,Freya,and Elomi were down and displayed an error message stating that the sites are“under maintenance.”Wacoal Europe conducted a full-scale investigation and system improvement with the advice of external experts.The c
55、ompany responded to recovery efforts and dealt with disruptions to business activities.No further details were specified.Manufacturing Ransomware Manufacturing Ransomware Manufacturing Denial of IT services H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 10 2024 A������O KASPERSKY L
56、AB Baccarat hit by cyberattack French crystal goods manufacturer Baccarat S.A.was hit by cyberatt�������ack according to a statement shared on September 27.The attack partially disrupted the companys operations,and online orders and deliveries were temporarily suspended.According to Baccarats statement,the
57、re was no indication that customers personal or confidential data had been compromised.Baccarat called on external service providers to assess t�����he damage,determine the information systems affected,and prepare for a gradual return to normal.Black Basta ransomware group added the company to its victim
58、s list on October 17.On October 21,Barracat issued a message saying that the publication originating from the threat actor was being analy�������zed by experts.After the cyberattack began,the company reacted with determination and implemented numerous cybersecurity and system security measures.Johnson Cont
59、rols hit by ransomware Johnson Controls International(JCI),a major U.S.manufacturer of HVAC equipment,security and automation systems for buildings,and auto parts,reported on September 27 in a filing with the U.S.Securities and Exchange Commission(SEC)that it suffered a cyberattack causing d����isruptio
60、ns to its internal IT infrastructure.Promptly after detecting the issue,the company began an investigation with assistance from leading external cybersecurity experts and coordinated actions with its insurers.The incident caused dis�����ruption to specific areas of the compa�����nys business operations.Accord
61、ing to BleepingComputer,several subsidiaries of the company that produce fire suppression,HVAC,and security equipment for buildings,experienced IT outages as officials took systems offline in response to the attack.A researcher at Nextron S������ystems shared a tweet including a ransom no��������te from cybergang
62、 Dark Angels in its VMware ESXi encryptor stating a Johnson Controls International compromise,encryption,and leakage of critical data.CNN said they obtained an internal memo from t������he U.S.Department of Homeland Security raising alarm about the incident and warning that the attack on Johnson Controls
63、may have compromised sensitive physical security information such as DHS floor plans.The Dark Angels ransomware gang claimed to have stolen over 27 TB of confidential data from Johnson Controls.The threat actors then demanded a$51 million ransom to delete the data and provide �����a file decryptor.Manufa
64、cturing Denial of IT services,Denial of operations and shipment Manufacturing Denial of IT services Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURI�������TY 11 2024 AO KASPERSKY LAB According to the SEC,“The impact on net income for the three months ended December 31,2023,of
65、 lost and deferred revenues,net of revenues deferred at the end of fiscal 2023 and recognized in the first quarter of fiscal 2024,and expenses during the quarter was approximately$27 million.”Volex hit by cyberattack Volex,a UK-base���d manufacturer of critical power and data transmission cables,confir
66、med������� on October 9 that intruders accessed data after breaking into its tech infrastructure.The company said in a statement to investors that it enacted security protocols and took immediate steps to stop the unauthorized access to its systems and data as soon as the attack was noticed.Despite the inc
67、i�������dent,all sites remained operational with minimal disruption to global production levels,and the company continued trade with its customers and suppliers.The financial fallout from the breach was not expected to be������ material.Simpson Manufacturing hit by cyberattack Simpson Manufacturing,one of the le
68、ading manufacturers of building and stru��������ct������ural materials and anchors in North America,experienced disruptions in its IT infrastructure and applications resulting from a cybersecurity incident.Following the incident,the company was forced to shut down its infrastructure,which it notified about on Oct
69、ober 10,2023 through �������the SEC 8-K form.The com�������pany stated the incident had caused disruptions to its business operations.They engaged leading third-party cybersecurity experts to support its investigation and recovery efforts.Yamaha Motor hit by ransomware Japanese mobility manufacturer Yamaha Motor
70、Co.,Ltd.said one of the servers managed by its motorcycle manufacturing and sales subsidiary in the Philippines,Yamaha Motor Philippines,Inc.(YMPH),was hit by a ransomware attack confirmed on Octo�������ber 25,and a partial leak of employee personal information was confirmed on November 16.On October 27,YM
71、PH reported the incident to the Philippine authorities.Upon learning of������ the attack,the IT Center at Yamaha Motor headquarters in Japan and YMPH immediately set up a countermeasures team and worked to prevent further damage while investigating the scope of the impact,the company said in a statement.I
72、n addition,the company said it worked on recovery together with an external interne�������t security company.Manufacturing Manufacturing Denial of IT services Manufacturing Personal data le������akage Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 12 2024 AO KASPERSKY LAB The a
73、ttack remained limited to one of the servers managed by YMPH,and the company confirmed it did not affect the headquarters �������or any other companies in the Yamaha Mo�����tor group.The INC Ransomware gang claimed the attack and leaked alleged data from the Philippines network.The threat actors added the compa
74、ny to its dark web leak site on November 15,and published multiple file archives with roughly 37 GB of data containing employee ID info,backup files,and corporate and sales information,among other data.Bo�������eing hit by ransomware U.S.-based aerospace and defense company Boeing confirmed a cyberattack i
75、mpacted its global services division five days after the Lockbit ransomware group claimed responsibility for an attack on October 28.The cyberattack impacted its parts and distribution business and did not impact flight safety,according to official comments.Boeing confirmed collaboration with �������law en
76、forcement and regulatory agencies as part of an ongoing investigation.The Boeing services website ������was down with a message saying the ongoing outage was caused by“technical issues.”The cybercriminals later removed any mention of Boeing from their website,telling the cybersecurity research and threat
77、intelligence organization VX-Underground that negotiations started on November 1.However,the company was listed again on November 7 when the hackers announced that their warnings had been ignored.Data allegedly from Boeing was finally published online on November 10.Most of the da����ta listed on the ha
78、cker groups leak site are backups for various systems,the most recent of them with an October 22 timestamp.The MalwareHunterTeam research group noted that many of�������� the files appear to be associated with����� Aviall,a Boeing-owned aviation and aerospace component manufacturing company.In a Lockbit 3.0 rans
79、omware advisory published on Novem������ber 21,the CISA mentioned that Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966 to obtain initial access to Boeing Distribution Inc.,its parts and distribution business that maintains a separate environment,and this information was voluntarily shared
80、by Boeing.Manufacturing Denial of IT services,Denial of operations Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 13 2024 AO KASPERSKY LAB PFAFF hit by cybe�����rattack German tools manufacturer PFAFF Werkzeug-und Formenbau in Rthenbach fell victim to a cyberattack that
81、 paralyzed its systems as confirmed by the local press on November 23.In a letter t������o its customers,Managing Director explained that the incident occurred on November 20 and the plants in Rthenbach and Charlotte in the U.S.were affected.Production was only p����ossible to a limited extent,and portion of
82、the workforce stayed at home.Grimme hit by cyberattack On November 28,German agricultural machinery factory Grimme became the target of a cyberattack,which led to the cessation of production and the dismissal of employees at home.The consequences of ��������the attack werent clear,but internal IT detected t
83、he incident early and set up a crisis headquarters while thoroughly examining all systems that were shut down.The company warned on its website that due to the hacker attack,the�������re might be restrictions on spare parts and machine deliveries;the my������GRIMME,supplier,sales partner,and job portal,as well a
84、s websites.A spokesperson also added that������ they hope that as few systems as possible were affected and that production could start again soon.VF Corporation hit by ransomware VF �������Corporation,a U.S.footwear and apparel manufacturer,detected a cybersecurity incident on December 13,according to its 8-K f
85、orm.The company shared that the threat actors encrypted some of its IT systems and stole data.VF worked with cybersecurity experts to investigate the incident.It noted that it worked through incident response and attempted to implement workarounds,but the cyberatt��������ack impacted its ability to fulfill
86、orders.VF shut down some systems itself in response.The company said it tried to limit di�����sruptions by moving some operations offline while it worked to restore the affected portions of its IT������ systems.The company warned in a regulatory filing that the hack had a material impact on its business operat
87、ions.VF announced the incident on the same day(December 15)that the U.S.Securities and Exchange Commissions new cyber disclosure rules took effect.The regulations mandate that companies report“material cybersecurity incidents”to their investors within four days of determining that �������a hack would influ
88、ence their bottom lines.According to a later update,following the shutdown of systems to contain the attack,the company was unable to replenish retail store invento���ry Manufacturing Denial of operations,Denial of IT services Manufacturing Denial of operations,denial of shipment Manufacturing Denial o
89、f IT services,Data leakage,Denial of operations Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 14 2024 AO KAS�������PERSKY LAB and order fulfillment was delayed,which resulted in order cancellations,reduced demand on ce�������rtain web stores,and the delay of certain wholesale s
90、hipments.The company also revealed that the hackers stole the �����������personal information of approximately 35.5 million consumers.Automotive KIA Motors hit by ransomware On September 6,the LaGrange Daily News was sent a message on social media indicating that an unknown entity had hacked into computer syst
91、ems at car maker KIA Motors Manufacturing Georgia,causing the plant to shu������t down during the first shift and canceling the second shift.A spokesperson confirmed that Kia Georgia was alerted by a supplier of a cybersecurity issue that had resulted in a disruption of their regular production schedule.K
92、ia Georgia worked closely with the supplier to minimize the impact and anticipated a prompt return to normal operations,but no further information on the incident was provided at the time of reporting.Another source obtained information that KIA Motors and other auto suppliers operating on the sa�����m�����e
93、software system had been hacked by attackers who demanded a ransom to restore data and service.Grbener Maschinentechnik hit by cyberattack German mechanical engineering company Grbener Maschinentechnik GmbH&C������o.KG was hit by a cyberattack on December 1-3,2023.According to the official statement on it
94、s website,the perpetrators accessed parts of the internal databases,production processes were not affected,and emergency operatio����ns were successfully resumed.The company pointed out that it cant rule out possible publication of its data.Grbener Maschinentechnik worked closely with law enforcement to
95、 investigate the incident and respond appropriately.Manufacturing,automotive De�����nial of operations Ransomware Manufacturing,automotive H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 15 2024 AO KASPERSKY LAB Yanfeng hit by cyberattack Yanfeng,a major manufacturer of automotive
96、components and the worlds largest OEM manufacturer of automotive interior parts for leading auto assembly corporations(also known as Yanfeng Automotive In�����teriors and YFAI)headquartered in China,suffered a cyberattack ����in November,that affected Stellantis(a multinational automotive manufacturing corpo
97、ration formed��������� from the merger of the ItalianAmerican conglomerate Fiat Chrysler Automobiles and French PSA Group,including FIAT,Citroen,Peugeot,Opel,Jeep,Chrysler,Dodge and many other car brands).In a statement to The Detroit News,Stellantis spokesperson said that“Due to an issue with an ��������external su
98、pp������lier,production at some of Stellantis North America assembly plants has been disrupted.”Stellantis monitored the situation and worked with the supplier to mitigate any further impact to its operations.The Yanfeng website wasnt working on November 13,and the Chinese company didnt respond to inquiri
99、es for comments regarding the situation.The Qilin ransomware group also known as Agenda claimed responsibility for the cyberattack on Yanfeng Automotive Interiors by �����adding them to their Tor data leak extortion site on November 27.The uploaded files included financial documents,non-disclosure agreem
100、ents,quota������tion files,technical data sheets,and internal reports.Nissan Australia hit by cyberattack Japanese automobile manufacturer Nissan an�������nounced that its Australia and New Zealand arm suffered a significant cybersecurity incident at the beginning of December 2023 that affected the companys dail
101、y operations and which may have allowed hackers to access personal information.Nissan Oceania informed its customers of a potential data breach and warned them of the risk �������of upcoming scams.The company worked with its global incident response team to assess the impact of������ the attack and worked to res
102、tore affected systems while clarifying that the dealer network was not impacted.Nissan notified the Australian Cyber Security Center and New Zealand National Cyber Security Center.The company did not share details about the attack or its scope.�����In their update released on March 13,2024,Nissan said it
103、 was planning to notify approximately 100,000 individuals about the cyberbreach over the coming weeks.The type of information involved will be different for each person.Current est���imates are that up to 10%of individuals have had some form Manufacturing,automotive Denial of IT services,Denial of serv
104、ice,supply chain/trusted partner Man������ufacturing,automotive Data leakage,Denial of operations H2 2023 A BRIEF OVE�������RVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 16 2024 AO KASPERSKY LAB of government identification compromised.The data set includes approximately 4,000 Medicare cards,7,500 drivers
105、licenses,220 passports,and 1,300 tax file numbers.The remaining 90%of individuals�������� notified had some other form of personal information impacted,including copies of loan-rel�������ated transaction statements for loan accounts,employment or salary information,or general information such as dates of birth.The
106、 list of affected individuals includes some of Nissans customers(including customers of Mitsubishi,Renault,Skyline,Infiniti,LDV and RAMS branded finance businesses),dealers,and some current and former employees.Allgaier hit by cyberattack �������On December 8,German automotive������� supplier Allgaier Werke GmbH
107、fell victim to a cyberattack,as reported by a local news outlet.The attack occurred amidst the companys ongoing insolven������cy proceedin�����gs.Despite the breach,production activities remained unaffected at the time of the incident,with both the company and the insolvency administrator refraining from discl
108、osing further details regarding the extent of the impact.The nature and scope of the cyber-intrusion were not explicitly outlined in the initial report.Power and energy BHI Energy hit by ransomware U.S.energy services firm B������HI Energy detailed on October 18 in a data breach notification how the Akira
109、 ransomware operation breached their networks and stole data������� during an attack.The group breached the c�������ompany network on May 30,2023 and reached the internal BHI network through a VPN connection using a third-party contractors account.In the week following initial access,the threat actor used the sam
110、e compromised account to perform reconnaissance of the internal network.The Akira operators revisited the network on June 16,2023,to e�������numerate what data would be stolen.Between June 20 and 29,the threat actors stole 767,000 files������ containing 690 GB of data,including BHIs Windows Active Directory data
111、base.Finally,on June 29,2023,having stolen all the data they cou������ld from BHIs network,the threat actors deployed the Akira ransomware on all devices to encrypt files.The company said they immediately informed law enforcement and engaged with external experts to help them recover the impacted systems.
112、The threat actors foothold on BHIs network was removed on July 7,2023.The company Manufacturing,automotive Energy Data���� leakage,personal data leakage,supply chain/trusted pa������rtner Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 17 2024 AO KASPERSKY LAB said it had bee
113、n able to recover data ������from a cloud backup solution that hadnt been affected by the ransomware attack,so they were able to restore their systems without paying a ransom.BHI identified that some of the files contained individuals personal information and BHI was able to identify the �������specific data dis
114、closed,which consisted of first,middle,and last names,addresses,dates of birth,Social Security Numbers,and potentially health information.BHI sent written notice to 896 affected residents on October 18,2023.Additionally,BHI bolstered its security measures b������y imposing multi-factor authentication on V
115、PN access,performing a global password reset,extendin�����g the deployment of EDR and AV tools to cover all sections of its environment,and decommissioning legacy systems.Idaho National Laboratory hit by cyberattack Hacktivists group SiegedSec hacked ����the Idaho National Nuclear Laboratory(INL),a U.S.Depar
116、tment of Energy nuclear research cente�������r,and stole confidential data.This became known after SiegedSec published proof on the dark web on November ��������20.INL has 50 experimental nuclear reactors and specializes in nuclear energy and national security.INLs current activities include the development of nex
117、t-generation nuclear power plants,light water reactors,control system cybersecurity,advanced ve�������hicle testing,bioenergy,robotics,and n�������uclear waste reprocessing.SiegedSec hackers leaked detailed information on 45,047 former and current employees,spouses,and dependents on hacker forums and Telegram,inc
118、luding email and phone numbers,Social Security Numbers(SSNs),residential �������addresses,and employment information including bank information and salary details.SiegedSec also rolled out screenshots of the Oracle HCM system interfaces in INL,also simultaneously posting a message about the hack inside the
119、 corporate network.An INL representative confirmed the violation,noting that an �����investigation was underway with the participation of intelligence services and law enforcement agencies,which would have to establish the scale of the incident and the possible leak of scientific data.Energy Personal dat
120、a leakage,Data leakage Hacktivism H2 2023 A����� BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 18 2024 AO KASPERSKY LAB HSE hit by ransomware Slovenian power generation company Holding Slovenske Elektrarne(HSE)suffered a ransomware attack on November 22,with the company finally containing
121、it on November 24.The attack compromised its systems and encrypted files,and was first���� reported by a local news outlet.The Director of the Information Security Office told the media that all power generation operations remained unaffected by the �������cyberattack while IT systems and files were“locked.”Th
122、e organization immediately informed the National Office for Cyber Incidents at Si-CERT and the Ljubljana Police Administration and engaged with external experts������� to mitigate the attack and prevent the virus from spreading to other systems across Slovenia.The attack is believed to be the work of the R
123、hysida ransomware gang,which offers its victims an email address to contact the threat actors without making a������ny financial demands.According to Slovenian news outlet 24ur the incident was due to poor cyber hygiene(��������i.e.,passwords stored in the cloud).Jysk Energi hit by cyberattack Hackers successfull
124、y penetrated the systems of a major energy supplier in Denmark,Jysk Energi,but there is no indication that they �������succeeded in stealing or encrypting data.The Danish energy company said it physically disconnected its internet connection following the cyberattack discovered on December 9,and some s���yste
125、ms were shut down to the detriment of employees and customers.Relevant authorities were notified,and normal operations were expected to start the week after the published statement was issued.Attacks on Iranian gas stations Around 70%of Irans gas stations were disrupt������ed as a result of a cyberattac�������k.
126、The attack affected the ability to pump fuel,leading to long queues at gas stations and traffic jams.Hacktivist group Predatory Sparrow(“Gonjeshk-e-D�����arande”)claimed responsibility for the attack on its Telegram channel on December 18.The Iranian government has accused the gang,which previously carri
127、ed out attacks on Iranian railway systems and a steel plant,of having ties to Israel.A member of the Energy Committee of the Iranian Parliament claimed that the cyberattack on Irans fuel supply system was carried out“from inside”and that the attackers entered the system via a USB ������or program from ins
128、ide.Energy Denial of IT services Ransomware Energy Denial of service Energy Denial of service Hacktivism H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL C����YBERSECURITY 19 2024 AO KASPERSKY LAB Electronics Seiko Group hit by cyberattack Japanese electronics manufacturer Seiko Group Corporatio
129、n confirmed that it was dealing with a data breach in a statement on August 10.It discovered a possible data breach on July 28 and hired cybersecurity experts to examine the situation o����n August 2.The investigators found unauthorized access to at least one of their se�����rvers.In its statement,Seiko said
130、 it was reasonably certain that there was a breach and that some information stored by the company and/or group companies may have been compromised.On August 21,the AlphV/Black Cat ransomware gang took credit for the attack,sharing sc�������reenshots of the stolen data that included spreadsheets and presen
131、tations.L����ater on,Seico said it had completed a comprehensive review of the breach with outside cybersecur����ity experts.The leaked data had been stored by the business units known as Seiko Group Corporation,Seiko Watch Corporation,and Seiko Instruments Inc.About 60,000 pieces of personal data from cust
132、omers,employees,business partners and job applicant����s were leaked.Kendrion Kuhnke hit by cyberattack In August,Kendrion,a control technology manufacturer headquartered in Amsterdam,experienced a cybersecurity incident involving an unauthorized third party gaining access to the companys system������s.In res
133、ponse to the incident,the company took all its systems offline as a containment measure and activated its response protocol,including contingency pl������anning to ensure ongoing operations.Kendrion conducted investigations into the incident with the assistance of leading third-party cybersecurity experts
134、.The cyberattack affected������ Kendrions location in Malente,Germany,where development and sales operations came to a standstill.However,production continued at the affected site.Most of the 300 employees in Malente were sent home as a result of the incident.While the investigation was�������� ongoing,the compan
135、y could not rule out the possibility that the unauthorized party may have accessed company data.On September 5,the company repo����rted that they had fully resumed o������perations.Manufacturing,electronics Data leakage Manufacturing,electronics Denial of operations H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS
136、IN INDUSTRIAL CYBERSECURITY 20 2024 AO KASPERSKY LAB Alps Alpine hit by ransomware Japanese manufacturer and supplier of audio,information,and communica�������tion equipment and electronic components Alps Alpine Co Ltd was hit by ransomware.According to the official statement,the attack was detected on Sep
137、tember 10.In order to minimize impact,the company immediately isolated the targeted servers from the network and started a detailed���� investigation to determine the impact with a security consultant.The company remained operational,though admitted that the attack affected some of its operations,includ
138、ing production and shipping.Alps Alpine restored its servers step-by-step,and continued to isolate servers from the network that remained of concern.The Bl������ackByte ransomware�������� group added the company to its victim list on the dark web on September 12.On November 28,Alps Alpine North America,Inc.filed
139、a notice of data breach with the�������� Attorney General of Texas after discovering that an unauthorized party being able to access the employees sensitive information,which includes their names,Social Security Numbers,addresses,drivers license numbers,and other government-issued identification numbers.D-L
140、ink hit by cyberattack Taiwanese network equipment manufacturer D-Link confirmed a cyber-inc���������ident and data leak after a post about the breach was published on a hacking forum on October 1.Preliminarily,the incident led to the disclosure of certain low-sensitivity����,semi-accessible information.It is st
141、ated that the data likely relates to the old D-View 6 system,which was used for registration and discontinued in 2015.The violation was discovered when unidentified attackers claimed to have stolen the personal data �������of government officials in Taiwan,as well as the source code of the D-Link D-View ne
142、twork management software.Trend Micro specialists were involved in the investigation.According to the investigation,as a result of the breach,approximately 7������00 outdated and fragmented records were compromised,contrary to claims that the data of millions of users was leaked.Details of the attack were
143、 not dis����clo��������sed,except that the breach was the result of a phishing attack that was carried out on one of the companys employees.D-Link specifically emphasized that its current customers are unlikely to be affected by this incident.Manufacturing,electronics Denial of operations,production and shipmen
144、t Data Leakage Personal Data Leakage Ransomware Manufacturing,electronics,network equipment Data leakage H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS������ IN INDUSTRIAL CYBERSECURITY 21 2������024 AO KASPERSKY LAB Kyocera AVX Corporation hit by cyberattack U.S.manufacturer of advanced electronic components Kyoce
145、ra AVX Components Corporation(KAVX),a subsidiary of the Japanese semiconductor giant Kyocera,said in a letter dated������ October 30 that it had suffered a cyberattack on March 30 on servers in its Greenville and Myrtle Beach,South Carolina locations that temporarily disrupted operations and led to a data
146、 leak.Upon learning of the incident,the compa��������ny launched an investigation into the attack,hired an outside third-party cybersecurity expert ��������and notified law enforcement.KAVXs in-depth investigation determined that an unauthorized party gained access to and took information from certain systems betwe
147、en February 16,2023,and March 30,2023.KAVX later discovered that the data contained on the impacted servers included the personal information of individuals globally.The following types of personal information may have been impacted:first and last name,address,date of����� birth,perso������nal contact details
148、such as phone numbers and emails,employment-related data such as employee ID,compensation,and salary information,employment performance,trade union data,health and medical-related information,gender identity,race and ethnicity,signatures,certain government-issued identifiers such a������s Soc��������ial Security
149、Numbers,drivers license numbers,passport numbers,other i����dentification numbers,tax information,and financial account numbers.The LockBit ransomware gang��������� claimed to have compromised KAVX on May 26,2023,when it added the firm to its data leak site.Japan Aviation Electronics hit by ransomware Electronic
150、s and aerospace manufacturer Japan Aviation Electronics confirmed that its systems faced a cyberattack on November 2 that forced the company to shut down its website.The company said that it investigated the status of damage and restored operations,������but some systems had been suspended and there had b
151、een delays in sending and receiving emails.Apart from failures in the operation of IT systems,no other consequences of the incident were initially disclosed.The company itself initially stated that there was no data lea����k.However,Japan Aviation Electronics was added to the ALPHV/BlackCat ransomware g
152、ang leak site on November 6.The company issued an update confirmin�������g a ransomware attack,as files on the servers had been encrypted and information stored on the server at the overseas subsid�������iary JAE Oregon,Inc.(Oregon,U.S.)had received unauthorized access and been leaked.Manufacturing,electronics De
153、nial of operations,Data leakage,Personal data leakage Man������ufacturing,electronics Denial of IT systems,Data leakage Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 22 2024 AO KASPERSKY LAB Japan Aviation Electronics set up a task force,investigated the damage,and work
154、ed on restoration with the support of external experts.It reported and consulted with the relevant organizations,said it would report������� to its customers and business partners who may have been affected,and proceeded with strengthening security and ta������king counter measures to prevent a recurrence.Bartec
155、 hit by cy������berattack German electronic equipment manufacturer and engineering c�������ompany Bartec TOP HOLDING GmbH disclosed a cyber-incident that occurred on November 10 on their website.The company said that an unauthorized data access attempt was undertaken on parts of BARTECs IT infrastructure.This at
156、tempt was�������� largely prevented by the companys own security systems.Bartec immediately checked its existing IT infrastructure and has not identified any new attempts at unauthorized data access since then.Nevertheless,individual data leakage couldnt be excluded.NXP hit by cyberattac������k On November 24,202
157、3,the details of a substantial cy�����bersecurity incident of Dutch microelectronics giant NXP were revealed to Dutch press.The Chinese-speaking APT network known as Chimera managed to spy while remaining undetected on the network from October 2017 to the beginning of 2020.The first m�����ention of the hack c
158、ame after Fox-IT published details in January 2021 of two highly advanced cyberatt�����ac�������ks that targeted an airline and an unnamed semiconductor company,later known to be NXP.Hackers managed to gain access to NXP systems through employee accounts using classic brute force and bypassing 2FA by spoofing p
159、hone numbers.The hackers collected primary information about the accounts from previous LinkedIn or Facebook leaks.Once inside the companys network,the hackers gradually expanded the�������ir access rights,erased traces,and moved horizontally into protected segments.In search of new potentially interesting
160、 data,hackers visited the victims network on a weekly basis.Confidential data of interest was collect�����ed into encrypted archives and exfiltrated through Google Drive,Microsoft One Drive,and Dropbox cloud services.The presence of cyber spies in the network was only discovered after investigating anoth
161、er incident involving the hacking of Dutch airline Transavia in 2019,when hackers attempted to gain access to the reservation systems of a subsidiary of KL�����M.Since April 2020,Microsoft and Fox-IT specialists Manufacturing,electronics,engineering Manufacturing,electronics Data leakage APT �������H2 2023 A BR
162、IEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 23��� 2024 AO KASPERSKY LAB were involved in the investigation and localization of damages and assess������ed the volume of the leak and all the circumstances of the incident.As a result,it was reported that the APT group managed to steal a certain p
163、ortion of the intellectual property of NXP,but what exactly was stolen remains unknown.Howeve���r,according to NXPs annu�����al reports for 2020 and 2021,no direct material damage was caused.In addition,as NRC journalists found out,during subsequent operations in 2018 and 2019,in addition to Transavia,the g
164、roup also hacked seven Taiwanese chip manufacturers.Taiwanese CyCraft published details of this case in April 2020 as a large-scale,well-coordinated attack on the Hsinchu Science Park in Taiwan,where the headquarters of chip giant TSMC is located.Utility Stader Land Drinking Water Association h����it by
165、 ransomware The Stader Land Drink�������ing Water Association released a statement on its website addressing a ransomware attack that occurred at the end of July.While the attackers aimed to encrypt the associations systems,their encryption attempt was successfully thwarted.The IT infrastructure was in the
166、 final stages of secure reconstruction with support from external experts and close cooperation with data protection and law enforcement authorities.The statement highlights that the drinking water supply remained unaffected and continues to meet high quality������ standards despite the cyber-incident.How
167、ever,there was a possibility that the attackers may have accessed sensitive data,such as addres���ses or account information,although there was no evidence of such a breach.The Lockbit ransomware group claimed responsibility for the attack and included the organization in its DLS(data leak site).Stadtw
168、erke Neumnster hit by cyberattack On August,Stadtwerke Neumnster(SWN),a regional energy s�����upply and service company in Neumnster,Germany,fell victim to a cyberattack that was announced on their website,prompting a precautionary shutdown of all systems.Wh��������ile the supply of electricity,gas,heat,and inte
169、rnet to customers remained unaffected,the attack had significant consequences on the companys Water supply,utility Denial of IT systems,Data leakage Ransomware Energy,utility Denial of IT services H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUST�������RIAL CYBERSECURITY 24 2024 AO KASPERSKY LAB operati
170、ons and services.SWNs IT dep�������artment detected the espionage attempt and quickly initiated the shutdown as a protective measure.According to a press spokeswoman,this swift response was crucial to prevent further damage.She assured the public that essential se����rvices for customers are guaranteed despite
171、 the system shutdown.However,the impact on SWNs employees was substantial.They were unable to work effectively,with no access to email,phone sys�����tems,or the various programs and systems used by the company.Many hotlines were also unavailable,leading to recorded announcements explaining the situation.
172、The customer center at Kuhberg remained open for advice and assistance,but accessing custo�����mer data and making changes to contracts is not possible due to the������� system shutdown.The State Criminal Police Office(LKA)led the investigation.According to the spokeswoman,the process of individually starting u
173、p and securing all systems,as well as conducting a thorough analysis,could take days or even two to three weeks.Engie hit by cyberattack On August 23,a member of a hacker forum calling himself“HommedeLombre”publi������shed a customer database of Engie,a French energy supplier,leading to the leak of the pe
174、rsonal data of 110,000 customers.The hacker indicated that he had exploited a flaw in a system of a subcontr����actor managing the site for Engies Prime Energy(monespaceprime.engie.fr).Following this revelation,on August 30 Engie confirmed that it had fallen the victim of the cyberattack affecting its w
175、ebsite.Engie filed a complaint and worked with the competent authorities to resolve the matter.Customers whose data was stolen were informed of the situation.Among the informati��������on leaked were the victims ����first names,last names,email addresses,telephone numbers and customer numbers.Hochsauerlandwasse
176、r and HochsauerlandEnergie hit by ransomware German Hochsauerlandwasser GmbH(HS������W)and HochsauerlandEnergie GmbH(HE),water and energy supply companies,fell victim to a hacker attack that w�����as announced on October 5.Some services became available to customers to a limited extent,and parts of the IT infr
177、astructure were infected with malware.Although much of the IT infrastructure was restored within a short period of time,Energy,utility Personal data leakage Energy,water supply,utility Denial �����of IT services Ransomware ����H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 25 2024 AO
178、KASPERSKY LAB the commercial operating software remained out of operation for several days for security reasons.HSW and HE had a forensic audit of their systems carried out.The team from the two municipal co�������mpanies could be reache�����d in customer centers by telephone,email,or post.Services such as chan
179、ges to advance payments,meter reading reports,or changes to contracts cou���ld not be implemented.HSW and HE filed a criminal complaint against those r��������esponsible for the hacker attack.The managing director emphasized that they werent considering an option to respond to the hackers demand for a ransom p
180、ayment.SIAAP hit by cyberattack French water utility Syndicat Interdpartemental pour lAssainissement de lAgglomration Parisienne(SIAAP)became the victim of cyberattack on October 24.According to the message on it�������s website,the attack r�����esulted in the SIAAP mail server sending fraudulent emails to“othe
181、r Fre������nch administrations.”IT teams worked to secure industrial systems and closed off all external connections to prevent the attack from spreading.������This attack was quickly contained and the SIAAP IT infrastructure remained operational.However,several hundred fraudulent messages were sent from the SI
182、AAP mail server.Recipients of such messages were advised to be vigilant and check the veracity of the message received from their usual contacts at SIAAP without clicking on any suspicious links.Th������is event was the subject of an in-depth analysis,and reinf�����orced protective measures were being deployed
183、.The SIA������AP filed a complaint and declarations were in progress at the National Informati����on Systems Security Agency.Municipal Water Authority of Aliquippa hit by cyberattack The Municipal Water Authority of Aliquippa in Pennsylvania,a company that provides water and sewer services,confirmed to local
184、news outlet KDKA-TV that����� hackers took control of a system associated with a booster station.The companys chairman of the board for the Aliquippa water authority explained that alarms went off on November 25 at a station located on the outskirts of town and that local police were called to investigat
185、e the incident.According to the comments provided to local news outlet Beaver Countian,the hackers did not get access to anything in the actual water treatment pl�����ant or other parts of the system other than a pump that regulates Water supply,utility Abuse of IT services Water supply,utility Denial of
186、 operations Unitronics Hacktivism H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 26 2024 AO KASPERSKY LAB pressure to elevated areas of the system.The pump ���was on its own computer network separated from the primary network and physically located �����miles away.Employees took the
187、equipment offline and used backup tools to maintain water pressure.It was stated�������� that there was no known risk to the drinking water or water supply.The machine that was hacked used the Unitronics Vision system,a programmable logic controller(PLC)with an integrated human-machine interface(HMI).Unitro
188、nics Vision products are developed by an Israeli-owned technology company and have been known to be affected by critical vulnerabilities that could expose devices to attacks.An Iran-supporting hacktivist grou����p called Cyber Av3ngers took credit for the attack,posting a message about the hack on the s
189、creen of the compromised Unitronics Vision system.The group has filled its social media feed with references to the leaders of ������Iran and has pledged to attack any entities with products or ties to Israel,already claiming attacks on 10 water treatment plants in Israel.CISA(Cybersecurity&Infrastructure
190、 Security Agency)issued an alert on November 28 that threat actors breached a U.S.water facility by hacking into Unit������ronics programmable logic controllers(PLCs)exposed online.CISA urged utilities to change default passwords,require multifactor authentication for all remote access to the operational
191、technology network,disconnect PLCs from����� the open internet,or install firewalls and VPNs if remote access is necessary.Dru������m/Binghamstown Group Water Scheme hit by cyberattack The electronic system of the water scheme in the Drum/Binghamstown area of Erris in Ireland was hit by a cyberattack.As a resu
192、lt,residents served by the Drum/Bingh������amstown Group Water Scheme were without water on November 30,reportedly 180 people(160 households).Erris-based Deputy said crews tried desperately to repair the damaged equipment.The water utilitys representatives said the hackers may have breached the syste�����m due
193、 to their firewall not being“strong enough.”The target was the PLCs of Israeli company Unitronics.According to the Irish media,the caretaker went down and when he got to the pumphouse����,“You have been hacked”and“Down with Isr�������ael”messages were displayed on the screen,as well as the hacker groups name.A
194、lthough the name of the group that attacked Binghamstown/Drum was not revealed,it may be linked to the Cyber Av3ngers hack of the Municipal Water Authority of Aliquippa in Pennsylvania.Water supply,util�����ity Denial of operations Unitronics Hacktivism H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUS
195、TRIAL CYBERSECURITY 27 2024 AO KASPERSKY LAB North Texas Municipal Water District hit by cyberattack The North Texas Municipal����� Water District(NTMWD),which provides water supply,wastewater treatment,����and solid waste management in 13 cities across the state,including Plano and Frisco,was hit by a cyber
196、attack.T��������he administration managed to restore the systems,declaring that the incident had no impact on the production process.The companys spokesperson announced that law enforcement was notified of the incident,but did not respond to requests for comment about whether NTMWD dealt with ransomware.Acc
197、ording to official data,the �����companys phone lines were down on November 12.However,the att������ack was claimed by the Daixin Team ransomware gang,which added NTMWD to its DLS on November 28,claiming to have stolen more than 33,000 customer information files.AVU hit by cyberattack German energy supplier AV
198、U,which serves Hattingen������ and Sprockhvel,was hit by a cyberattack.AVU systems were disconnected from the internet and taken out of service to prevent damage,mak������ing the online service point inaccessible.However,thanks to preventive measures and the intervention of security experts,no customer data was
199、 affected and the energy supply was never compromised.Aqualectra hit by ransomware Water and electricity distribution company Aqualectra in Curaao suffered a cyberattack which forced it to temporarily cut all its online connections,affecting its internal syst������ems and customer service.The companys sta
200、tement appeared after the Akira ransomware group took responsibility on December 6 and said it had compromised operational files,business documents,payment records,and more.Aqualectr������a acted quickly to counter the attack and conducted extensive analysis to prevent permanent damage.Services were fully
201、 restored,and according to the statement,recent power outages on ������the �������island were not linked to this cyberattack.Water supply,utility Denial of IT services Data leakage Ransomware Energy,utility Denial of IT services Energy,water supply,utility Denial of IT services Ransomware H2 2023 A BRIEF OVERVIE
202、W OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 28 2024 AO KASPERSKY LAB Elek����troprivreda Srbije hit by ransomware Serbian power generation company Elektroprivreda Srbije(EPS)suffered a crypt����o cyberattack and claimed that electricity production and distribution as well as business activities were not
203、 affected thanks to their protective measures.For security reasons,IT systems were put out of action.The operation of the Account Insight portal was hampered.The company said that state �����authorities were informed about the cyberattack and������ took appropriate measures.Ransomware hacking group Qilin took
204、responsibility for the cyberattack on Serbias electricity provider at the end of December and offered the download of hundreds of thousands of documents allegedly taken from the company on their dark web website.Qi������lin said it was offering more than 34 GB of Elektroprivreda Srbije(EPS)data on the dar
205、k web,and a s�������econd tranche would be available on January 27.Lower Valley Energy hit by cyberattack U.S.electric utilities company Lower Valley Energy Inc disclosed a cyberattack on December 28.Upon discovery of this incident,Lower Valley Energy promptly engaged a law firm specializing in cybersecuri
206、ty and data privacy to investigate the incident.Additionally,Lower Valley Energy engaged third-party forensic specialists t�����o assist in its investigation of the incident.At the time of announcement,Lower Valley Energy had no evidence that personal information had been impacted.Logistics&transportatio
207、n KNP Logistics Group hit by ransomware UK-based KNP Logistics Group declared insolvency after suffering a major ransomware attack in June that affected virtually all key systems,processes,and financial information,causing irreparable damage and sig������nificant budgetary costs.In June,KNP Logistics Grou
208、p was added to the Akira ransomware gangs list of victims.In September,it became known that the co-owners of the business were unable to attra�������ct additional investment and financing,and therefore were forced to take tough administrative measures.As reported by BBC,as a resu����lt of the attack,730 group
209、employees were fired,and Nelson Distribution Limited,part of the congl��������omerate,was������ sold,saving 170 jobs.Energy,utility Denial of IT services Ransomware Energy,utility Logistics Denial of services,denial of operations Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 29
210、 2024 AO KASPERSKY LAB A companys spokesperson did not specify if KLP had contacted law enforcement or an external ���incident response company following the ransomware attack.It is unclear how exactly the attack influenced the decision of the business owners to shut down.According to the company,the“m
211、ajor ransomware attack affected key systems,processes,and financial information.This adversely impacted the financial position of the group,and ultimately its ability to secure additional investm�������ent and funding.”KNP Logistics Group,which traded under a number of names,including Knights of Old,was ad
212、ded to the Akira ransomware gangs list of victims in June.In July,cybersecurity firm Avas����t publicly released a decryptor for the Akira ransomware.Port of Nagoya hit by ransomware On Jul����y 5,the Nagoya Harbor Transportation Authority announced that cargo operations had been suspended after a ransomwar
213、e incident impacted the Nagoya United Terminal System(NUTS),the computer system used to operate th�����e ports five cargo terminals.The port handles over two million containers and 165 million cargo tonnage annually,including the operations of Toyota Motor Corporation for car exports.Toyota said that it
214、could not load or unload auto parts due to th������e glitch.But the company added that there was no disruption to its production so far,and the logistics of finished vehicles remain unaffected because it is managed using a different computer system.All cargo operations,including the loading and unloading
215、of containers onto trailers,were suspended as of July 4.The a������ttack resulted in a temporary congestion of trailers at the port.The Nagoya port authority estimated that cargo operations would resume on Ju���ly 6.According to the Japan Times,the port authority also discovered that the LockBit 3.0 ransomwa
216、re group was behind the attack.The port was fully restarted on July 6,as was estimated.ORBCOMM hit by ransomware ORBCOMM,a U.S.company that provides industrial internet and machine to machine communications hardw��������are,software and services designed to track,monitor,and control fixed and mobile assets
217、for transportation,heavy equipment,maritim�������e,oil and gas,utilities and government organizations,experienced a ransomware attack on September 6.According to the comments provided to BleepingComputer,the attack temporarily impacted the FleetManager platform and Blue Tree product line(Electronic Logging
218、 Devices(ELD)that truckers use to log their hours to adhere Transport����ation,logistics,port������ Denial of operations Ransomware Transportation,maritime,utilities,oil&gas Denial of IT Services Supply Chain Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 30 2024 AO KASPERSK
219、Y LAB to federal safety regulations).All other systems and service offerings remained completely operational,and customers used them as normal.The company remained in contact with all impacted customers and continued to provide timely updates as ������the recovery and investigation������ processes progressed.Th
220、e U.S.Federal Motor Carrier Safety Administration issued a waiver allowing trucker�������s to continue using paper logs until the service is restored and no later than September 29.BleepingComputer learned that thi������s outage impacted some of the countrys largest freight transportation companies,preventing th
221、em from tracking their fleets and inventory.Auckland Transport hit by ransomware The Auckland Transpo�������rt(AT)transportation authority in New Zealand responsible for public transport by ferries,busses,and trains,and for designing and building roads and other infrastructure,experienced widespread disrup
222、tion caused by a cyber-incident that impacte�������d a wide range of customer services.The company announced that on September 13,2023,it was impacted by a ransomware incident and experienced issues with its HOP services(integrated ticketing and fares system)as the cyber-incident impacted parts of its netw
223、ork.In a statement provided to a local media outlet,a spokesperson for AT stated that they had indications they had been targeted by ransomware but noted that investigations were still ongoing.The authority activated se��������curity protocols and worked with expert partners to resolve the issue as quickly
224、as possible.The Medusa ransomware group announced its responsibility for the ransomware attack targeted at the HOP car�����d system of Auckland Transport on September 18.AT chief executive Dean Kimpton confirmed it was a ransomware attack called Medusa and reassu��������red commuters that no personal or financia
225、l data was beli������eved to have been compromised in the incident.According to Dean Kimpton,the ���attackers got into the companys transaction database storing information on HOP cards.No customer information,banking or private details have been breached nor any other systems.Transportation Denial of servic
226、es Ransomware H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 31 2024 AO KASPERSKY LAB Estes Express hit by cyberattack U.S.logisti�����cs company Estes Express confirmed it was the victim of a cyberattack that caused an outage in core infrastructure and impacted a number of system
227、s according to the statement on its website and X posts on October 3.While the company was unable to share specific de�������tails at the time of the announcement,terminals and drivers effectively picked up and delivered freight while the company worked through this event.In response to a customer query,th
228、e company posted that with the outage in the online tracking system,they were unable to����� track and trace freight.On October 24,Estes announced all the companys operations had returned back to normal.The companys API connections were available to integrate the shipping functionality into customer busi
229、ness applications and websites.The president ��������of Estes Expr������ess also said the company had restored the image document retrieval API and worked hard to get all scanned images into the system so invoicing can resume soon with their APIs.The companys website was also restored,as was its phone service.For
230、ensic investigation into the incident was concluded on November 7.According to the Data Breach notification the company sent to the Main Attorney Generals Office,the breach occurred on September 26 and was detected on October 1.Personal informat��������ion on 21,884 individuals had been stolen,including nam
231、es or other personal identifiers and social security numbers.Notification letters started being sent to affected individuals only in December,after law enforcement concluded their own investigation into the i���������ncident.The LockBit ransomware gang claimed r������esponsibility for the attack in early November.
232、On November 13,the group published the data allegedly stolen from Estes on its Tor-based leak site.DP World hit by cyberattack DP World,a Dubai-based international container�������� termina�������l and supply chain operator that operates 82 terminals in 40 countries handling approximately 70 million containers ann
233、ually,suffered a cyberattack that led to serious disruptions in the operation of Australias international ports.The attack was detecte����d on November 10 and led to the shutdown of terminals at the ports of Melbourne,Sydney,Brisbane,and Fremantle.As a result of the incident,approximately 30,000 contain
234、ers of various types and values were reportedly blocked.According to the companys official statement on its website,a third party gained access to some of the systems,including certain user accounts.Logistics Denial of services,denial of IT systems,personal data �������leakage Transportation,logistics,port
235、 Data loss,denial of service and operations,personal data leakage H2 2023 A BRIEF��� OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 32 2024 AO KASPERSKY LAB The forensic investigation identified that data was accessed and exfiltrated(removed)from the network.To contain the incident,the technolo
236、gy team disconnected the network from the interne���t,resulting in the disconnection of all external communications,including those required for land-side port operations.The company worked with the Australian Signals Directorate/Australian Cyber Security Centre,the National Cyber Security Coordi�����nator,
237、the Minister for Home Affairs and Cyber Security,the Minister for Infrastructure,Transport and Regional Development,and the Australian Federal Police.Full operations across the terminals resumed on November 13.By 20 November,some seven days after port operations recommenced a�����nd 10 days after first d
238、etecting the incident,DP World Australia cleared 100%of the backlog,comprising some 30,137 containers.A company spokesman told the Financial Review that the company did not receive a ransom demand and that it didnt foresee������ a need to pay extorti���������on money.DP World Australias investigation confirmed tha
239、t the incident was confined to Australian o������perations and did not impact any other markets where DP World operates.It also confirmed that no ransomware was found or deployed within the DP World Australia network(no r���������ansomware executables,no encrypted files,and no ransom demands).Some company files we
240、re accessed by the unauthorized third pa����rty and a small amount of data was exfiltrated from the DP World Australia network.The impacted data includes the personal information of current and previous employees of DP World Australia.DP World Australia notified impacted individuals.Guyamier hit by rans
241、omware French transport and logistics company Groupe Guyamier comprising several transport companies was affect��������ed by a cyberattack on November 29,resul������ting in the loss of access to customer files,emails,and computer files.A crisis unit was set up to try to maintain activity,while the server was“full
242、y hacked”and a ransom demand was received without a specified amount.According to telephone comments to local press,the company was unable to���� contact its customers because it couldnt retrieve its order files or messages.The company isolated the affected systems to prevent the spread of the ransomwar
243、e.The company switched to manual operations in order to continue operating without affecting customers.Transportation,logistics Data loss,denial of service Ransomware H2 20���������23 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 33 2024 AO KASPERSKY LAB Food&beverages Campbell Soup hit by c
244、yberattack U.S.food manufacturer Campbell Soup Co.discovered a cyber-intrusion in part of its IT network during the end of its fiscal fourth quarter,according to a disclosure������ in its annual report filed with the Securities and Exchange Commission.(The companys fiscal fourth quarter ended July 30 and
245、news of the attack surfaced on August 3.)The attack had a limited impact on the companys business and was not�������� material to the companys finan�����cial results or operations,according to the SEC disclosure.The company said it took immediate steps to investigate,contain,and eliminate the threat,hired third-
246、party cybersecurity experts and notified federal law enforcement.According t����o a report by WTOL,Campbell Soup disclosed an“IT-related complication”at a factory in Napoleon,Ohio.The company told the station that impacted systems had been restored.The Toledo Blade reported the plant was offline for thr
247、ee days,with some production lines halted and employees temporarily sent home.Yakult Australia hit by cyberattack Probiotic drinks manufacturer Yakult Australia confirmed experiencing a cyber-incident in a statement to BleepingComputer and on its website on December 23 that impac������ted the IT systems o
248、f its business in New Zealand and Australia.Company�������� representative said that they first became aware of the cyber-incident on December 15.The company said it was working with cyber-incident experts to investigate the extent of the incident.Yakult Australia notified the Australian Cyber Security Cent
249、re,the New Zealand National Cyber Security Centre,the Office of the Australian Information Commissioner,and the Office of the Privacy Commissioner New Zealand.The group that claimed responsibility for the breach is������ DragonForce(aka DragonLeaks).It listed Yakult Australia on its onion leak site on Dec
250、ember 20,later publishing 95.19 GB of data.A sample of leaked data was analyzed by ABC,where it found company records dating b����ack to 2001.The cache included sensitive employee information,including scans of passports and drivers licenses,and pre-employment information.Manufa�������cturing,food&beverage Den
251、ial of IT systems,denial of operations Manufacturing,food&beverage Denial of IT systems,data leakage H2 2023 A �������BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 34 2024 AO KASPERSKY LAB Oil&gas BAZAN Group hit by DDoS attack On July 30,Israels largest oi����l refinery operator,BAZAN Group,exp
252、erienced a DDoS attack,causing its website to be inaccessible from most parts of the world.Iranian hacktivist group Cyber Avenge������rs(aka CyberAv3ngers)claimed responsibility and leaked screenshots of the refinerys SCADA systems.BAZAN denied the leaked materials,labeling them as“entirely fabricated.”Th
253、ey reported no damage to ���their servers or assets,and their cybersecurity measures are vigilant,working closely with the Israeli National Cyber Directorate.The hacktivist group also implied that they breached the refinery via a Check Point firewall,but the cybersecurity company denied any vulnerabili
254、ty.The Cyber Avengers previously claimed responsibility for the 2021 fires and attacks on Israeli railway stations.Shipbuilding Austal USA hit by ransomware At t�����he beginning of December,Australian-based U.S.defense cont�����ractor Austal USA specializing in the production of advanced high-tech ships conf
255、irmed a cyberattack after the Hunters International ransomware gro������up listed the company and shared samples of the stolen data as proof.Austal USA stated that they quickly managed to detect the incident and localize its consequences,which,according to official data,did not affect operational activiti
256、es.It also stated that no personal or classified information was accesse��������d or taken by the threat actor.The FBI and U.S.Naval Criminal Investigative Service(NCIS)joined the investigation of the incident and extent of information accessed.Hunters International threatened the publication of the stolen
257、data,including certification,personnel,financial,and engineering docume�������ntation.Oil������&gas Denial of service Hacktivism Manufacturing,shipbuilding H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 35 2024 AO KASPERSKY LAB Metallurgy Rhr+Stolberg GmbH hit by ransomware German metal p
258、rocessing company Rhr+Stolberg GmbH became a victim to a ransomware attack on October 20.The companys������� IT team and a team of external specialists managed to restart the servers within a week,which meant that����� a large part of operations,including production,became operational.At the time of the announc
259、ement,the systems remained disconnected from the internet.Communications with customers,����suppliers and service providers was guaranteed via secure computers that were located outside o�����f the potentially affected environment.The police and data protection authorities were informed about the incident.Rh
260、r+Stolberg does not rule out the possibility that cybercriminals stole the companys data.The LockBit ransomware gang listed ����Rhr+Stolberg on their site.Construction Verhelst Groep hit by cyberattack Belgian construction company Verhelst Groep fell victim to a cybe�����rattack according to the message on i
261、ts website published on October 18.It notified that their general operations were affected.The company could no longer communicate with cu����stomers and lost overview of stock and transport.Some of the staff had to stay at home,and a team from State Security arrived on site and started working together
262、 with the IT team and other professional organizations.Gradually,they managed to start up new software and recover data from th���eir own cloud.The Falcon ransomware gang listed the company on their website.BAUER Group hit by cyberattack German construction company Bauer AG was the target of a cyberatt
263、ack,which was announced on October 31.According to the statement,�����despite the considerable security measures,unknown persons managed to access the companys servers,leading to various systems of the company being shut down or switched off as a precaution on October 30,2023.Among other things,this also
264、 affected the groups websites.Bauer called in additional experts who analyzed the situation together with the IT department.Manufacturing,metallurgy Denial of opera�����tions Ransomware Construction Denial of service and operations Ransomware Construction Denial of IT systems and service H2 2023 A BRIEF
265、OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 36 2024 AO KASPERSKY LAB Consequently,re������strictions were put in place for the business partners of BAUER Group companies worldwide.Bauer informed the responsible authorities about the incident.The company worked at full speed to find a solution a
266、nd restart the systems,and asked all affected business partners for their understanding for any disruptions.On December 13,the company published an update stating that all operations had been resumed.Koh B������rothers Eco hit by ransomware Singaporean construction company and sustainable engineering solu
267、tions provider Koh Brothers Eco Engineering was the target of a cyberattack in which the ������servers in certain subsidiaries of the company were subjected to unauthorized access and encryption.While the investigation indicated that the incident was under control,the company said on December 4 that it wa
268、s unable to assess the extent of the impact of the cyberattack on the group and its operations.The groups business continued to be operational notwithstanding the incident.The company noted that it took prompt steps to contain the incident,in�����cluding disconnecting the affected serv������ers from the networ
269、k and preventing further unauthorized access to its IT network.The group additionally engaged incident response experts and external legal counsel to assess,respond to,and manage the incident.Other Freeport-McMoRan hit by cyberattack Freeport-McMoRan(FCX),an internat�����ional mining company headquartere
270、d in the U.S.,fell victim to a cyberatt�������ack as announced on August 11,2023.The company evaluated the extent of the impact and took proactive measures to address the situation.FCX collaborated closely with third-party cybersecurity experts and law enforcement agencies in its response and was in the pr
271、ocess of planning and implementing transitional solutions to swiftly secure its information systems.Safety and responsible production practices remain top priorities for FCX,but the company acknowledged that a prolonged disruption could potentially impact its future ope������rations.Further details abo�������ut
272、the���� nature and scope of the cyberattack had not been disclosed at the time of publ������ication.Construction Denial of IT systems Ransomware Mining Denial of operations H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 37 2024 AO KASPERSKY LAB Japan Aerospace Exploration Agency hit by
273、 cyberattack The Japan Aerospace Exploration Agency(JAXA)was the target of a cyberattack over the summer as reported by The Japan News.Law enforcement notified JAXA that their systems had been compromised in autumn and no details were provi�����ded about exactly when the attack occurred.Confirming the in
274、filtration,Chief Cabinet Secretary of Japan revealed in a press conference that the attackers gained access to the agencys Active Directory(������AD)server,a crucial component overseeing JAXAs network operations.In respo����nse to the incident,JAXA worked with government cybersecurity experts and law enforcem
������275、ent as part of an ongoing investigation to determine the extent of the security compromise.Although no data leak linked to the JAXA breach had been confirmed,a JAXA official expressed concerns,stating that“as long as the AD server was hacked,it was very likely that most of the informa����tion was visibl
276、e.”A local media outlet,Nippon,reported that the������� hackers allegedly ex�������ploited a vulnerability disclosed by a network equipment manufacturer in June 2023,citing sources within the agency.The manufacturers name wasnt mentioned.During the investigation,the agency temporarily shut down a part of its netw
277、ork to assess the extent of the incident.An official at the agency said no data leaks had been confirmed so far.JAXA did not respond to a request for comment.Aerosp����ace Denial of IT services H2 2023 A BRIEF OVERVIEW OF MAIN INCIDENTS IN INDUSTRIAL CYBERSECURITY 38 2024 AO KASPERSKY LAB Kaspersky Indu
278、strial Control Systems Cyber Emergency Response Team(Kaspersky ICS CERT)is a global Kaspersky project aimed at coordinating the efforts of automation system vendors,industrial facility owners and operators,and IT security researchers to protect industrial enterprises from cyberattacks.Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the indust������rial inter�����net of things.Kaspersky ICS CERT ics-
sgpjbg002
工作日 8:30 - 17:30
会员动态:
报告分类
新质生产力
ChatGPT
新能源汽车
大模型
Sora
机器人
微短剧
芯片
薪酬
白皮书
低空经济
数据要素
创新药
人工智能
AI产业
信息科技
互联网
消费经济
汽车交通
电商零售
传媒娱乐
医药健康
投资金融
能源环境
地产开发
传统产业
全球化
其它
扫码登录
手机快捷登录
账号登录
