Johnson Controls struck by Dark Angels ransomware hackers, experiences disruption

Dark Angels ransomware attackers have targeted Johnson Controls, a building automation company, resulting in significant disruptions for the company. Reports suggest that the ransom note links to a negotiation chat where the ransomware gang demands US$51 million to provide a decryptor and to delete stolen data.

Confirming the cybersecurity incident in an SEC Form 8-K filing, Johnson Controls said that ‘the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.’

The company said that it has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident. “Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers.” 

It added that it continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate. 

“To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers,” the filing added. “The Company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.”

Yesterday, a source told BleepingComputer that Johnson Controls suffered a ransomware attack after initially being breached at its Asia offices. The news site has since learned that the company suffered a cyberattack over the weekend that caused the company to shut down portions of its IT systems. Since then, many of its subsidiaries, including York, Simplex, and Ruskin, have begun to display technical outage messages on website login pages and customer portals.

Additionally, BleepingComputer has been told that the ransom note links to a negotiation chat where the ransomware gang demands $51 million to provide a decryptor and to delete stolen data. The threat actors also claim to have stolen over 27 TB of corporate data and encrypted the company’s VMware ESXi virtual machines during the attack.

“We are currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal,” reads a message on the Simplex website. “We are actively mitigating any potential impacts to our services and will remain in communication with customers as these outages are resolved.”

Customers of York, another Johnson Controls subsidiary, report that they are being told the company’s systems are down, with some stating they were told it was due to a cyberattack.

“Their computer system crashed over the weekend. Manufacturing and everything is down,” a York customer posted to Reddit. “I talked to our rep and he said someone hacked them,” posted another customer.

Security expert Graham Cluley noted in a Bitdefender blog that the Dark Angels ransomware gang may have bitten off more than they can chew by targeting a company like Johnson Controls. “It’s very likely that law enforcement agencies will put considerable effort into attempting to identify those responsible for the attack and bring them to justice.”

He added that his “hunch is that the Dark Angels group were being rather optimistic when in their extortion message to Johnson Controls they insisted that ‘co-operating with the FBI, CISA, and so on and involving their officers in negotiations’ was ‘strictly forbidden’ and would result in them ending negotiations and result in all of the leaked data being published for free.”

Cluley also noted that “if a whopping $51 million ransom is not paid, Dark Angels say that the stolen data will be published on the ‘Dunghill Leaks’ site.”

Commenting on the Johnson Controls cybersecurity incident, Grant Geyer, chief product officer of Claroty, wrote in an emailed statement that “as we have seen with so many ransomware attacks – an attack against an organization’s IT network can affect an organization’s production capability.”

“In some cases – like the Colonial Pipeline attack in 2021 – if an organization cannot positively assert that the industrial control network wasn’t impacted, they may need to shut down production due to safety concerns,” according to Geyer. “In other cases – such as this ransomware attack against Johnson Controls – the interdependence between IT and OT systems creates a consequential failure impacting operations. As organizations continue to leverage the need for greater interconnectivity to drive competitive advantages, these digital risks will only continue to increase.”

Geyer added that as the ultimate goal of any organization is to maximize business outcomes, digital transformation and OT/IT/cloud convergence are critical to gaining a competitive advantage in the marketplace. “However, enterprises need to heed events like this as a reminder that the soft underbelly of digital transformation is digital risk.” 

“The key is for modern enterprises to drive convergence and transformation in ways that responsibly mitigate cyber risk with compensating controls – such as network segmentation,” Geyer further commented. “Convergence enables digital transformation and the ability to harness the power of the cloud – so it’s important and we shouldn’t avoid it, but it needs to be done with very careful consideration, decision-making, and strategic segmentation.” 

Tom Kellermann, senior vice president of cyber strategy at cybersecurity company Contrast Security, wrote in an emailed statement that “VMware ESXi servers have long been a favorite exploitable target for Russian and Chinese cybercrews.”

“Johnson Controls is widely used in many critical infrastructures and this attack will systemically impact sectors from transportation to energy to defense,” Kellermann pointed out. “This is a significant destructive attack which will be felt for months. I am concerned about the impending second stage of this attack, especially if the miscreants use Johnson Controls infrastructure to launch subsequent destructive attacks.”

On Wednesday, the Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) highlighting emerging ransomware trends: repeat attacks against the same victims and data destruction. As of July this year, the FBI noted that these new trends included multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks.
