Johnson Controls Ransomware Hijack Could Contain Sensitive DHS Information

Johnson Controls has been hit by a king-size ransomware attack that shut down some of its IT systems and disrupted certain operations.

The Dark Angels hacking crew is said to have orchestrated the attack on the prominent maker of industrial control systems. The ransomware gang is demanding $51 million to provide a decryptor and to delete stolen data, BleepingComputer, which first disclosed the incident, reported. The digital hijackers claim to have pilfered some 27 terabytes of data and encrypted the company’s ESXi servers in the attack.

DHS Data Stolen?

Of particular concern, the data trove might contain sensitive Department of Homeland Security (DHS) data revealing security information on third-party contracts along with physical floor plans of certain agency facilities, CNN reported.

According to internal DHS correspondence reviewed by CNN, it’s unclear if confidential data held by Johnson Controls has been stolen by the Dark Angels or other digital hijackers.

“Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers,” the memo said. “We do not currently know the full extent of the impact on DHS systems or facilities.”

Researchers believe that the ransomware used in the attack is fundamentally the same RagnarLocker Linux ransomware developed in 2021, Security Affairs reported.

Johnson Controls said in an 8-K regulatory filing with the Securities and Exchange Commission (SEC) that ransomware attackers had struck a number of its systems but many of its applications “remain operational.”

External cybersecurity experts, likely managed security service providers (MSSPs) and perhaps forensics specialists, are working alongside Johnson Controls’ insurers on the remediation process.

The attack is said to have begun at the company’s Asia offices, reported BleepingComputer, and subsequently spread to its subsidiaries. The cyberattackers reportedly launched the infiltration last weekend.

Johnson Controls Issues Statement on the Cyberattack

The incident is expected to continue to cause disruptions to parts of the company’s business operations, Johnson Controls said in the 8-K filing, in which the company stated:

"Johnson Controls International plc (the “Company”) has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident. Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers. The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate. To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers."

At this point, it’s not clear if Johnson Controls will be able to report its fourth quarter and full fiscal year results, along with the financial impact of the attack, Nasdaq reported.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.