Johnson Controls International (JCI) has suffered a ransomware attack that encrypted devices and affected internal and partners’ operations.
In a regulatory SEC filing, the industrial control systems manufacturer said its operations were disrupted after a cybersecurity incident affected parts of its information technology infrastructure.
Subsequently, JCI initiated its incident response plan, launched an investigation with external cybersecurity experts, and started coordinating with insurers.
“The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate,” Johnson Controls said.
Although “many of the Company’s applications are largely unaffected and remain operational,” the company warned that the incident “is expected to continue to cause disruption to parts of the Company’s business operations.”
Johnson Controls’ subsidiaries, such as Simplex and Ruskin, encountered technical errors affecting their website login pages and customer portals.
“We are currently experiencing IT outages that may limit some customer applications,” Simplex wrote on its website.
Johnson Controls is also assessing whether the cyber attack will delay the release of its fourth-quarter and full fiscal year results or affect its annual financial performance.
DHS investigating the Johnson Controls ransomware attack
On September 28, 2023, CNN reported that the Department of Homeland Security (DHS) is investigating if the data breach “compromised sensitive physical security information,” adding that the company “holds classified/sensitive contracts for DHS” security systems.
The DHS is also investigating whether the ransomware attack leaked any personally identifiable information.
“Their OpenBlue platform is a SaaS application whose users could be targeted from compromised identities that result from this recent attack,” said Lior Yaari, CEO and co-founder of Grip Security. “JCI needs to thoroughly assess what data is at risk and advise its customers whether they may be affected.”
Unable to determine whether the contractor stored DHS floor plans and other sensitive information on the compromised servers, the department is preparing for the worst-case scenario.
Nick Tausek, Lead Security Automation Architect at Swimlane, suggested that the ransomware attack could expose vulnerabilities downstream, potentially leading to supply chain attacks.
“If the exposed data includes source code that could be used to facilitate compromising Johnson Controls products, this breach could result in the discovery of new exploitable vulnerabilities in customers using network-connected Johnson Controls equipment,” noted Tausek.
He advised organizations to adopt “low-code automation” to prevent targeted cyber attacks.
Warning of more potential attacks, Eric Noonan, CEO at CyberSheath, emphasized the “need to enforce minimum cyber security standards across the Department of Defense’s global supply chain.”
“These mandatory minimum cyber security requirements exist in well over 1 million DoD contracts, but what’s missing is an enforcement mechanism,” advised Noonan. “Until the Department of Defense and, frankly, the entire federal government starts enforcing the standards and refusing to award contracts to contractors that don’t meet the minimum standards, we should expect many more of these disruptive attacks.”
Dark Angels Team ransomware gang demands a $51 million ransom
Sources have disclosed that the Dark Angels Team cybercrime gang was responsible for the Johnson Controls ransomware attack and had made outrageous ransom demands.
In a ransom note shared by Nextron Systems security researcher Gameel Ali, the Dark Angels Team gang said it compromised Johnson Controls International’s network infrastructure, exfiltrated critical data, encrypted files, and deleted backups.
Bleeping Computer also reported that the ransomware group stole 27 TB of data and encrypted the company’s VMware ESXi servers and other devices.
“VMware ESXi servers have long been a favorite exploitable target for Russian and Chinese cybercrews,” said Tom Kellermann, SVP of cyber strategy at Contrast Security. “Johnson Controls is widely used in many critical infrastructures and this attack will systemically impact sectors from transportation to energy to defense.”
A source told Bleeping Computer that the group demanded $51 million for a decryptor and for not releasing the stolen data. The source also disclosed that the ransomware attack originated in Asia, where the company had suffered a cyber attack.
Dark Angels Team employs double extortion tactics, encrypting data and threatening to leak it, to pressure its victims into paying the ransom. It primarily targets organizations in government, healthcare, finance, and education. In September 2023, the gang claimed to have breached Israel’s Mayanei Hayeshua hospital and exfiltrated 1 terabyte of data.
The cyber gang deploys its payload through Cobalt Strike, which it delivers by exploiting known vulnerabilities, social engineering, phishing, or malvertising.
Cybersecurity experts suggest the ransomware attack leveraged RagnarLocker or a new variant targeting Johnson Controls. The group’s encryptor is based on the Babuk ransomware source code and appends a “.crypt” file extension to encrypted files.