Industrial automation giant ABB disclosed data breach after ransomware attack

Swiss electrification and automation technology giant ABB confirmed it has suffered a data breach after a ransomware attack.

ABB has more than 105,000 employees and had $29.4 billion in revenue for 2022. On May 7, 2023, the Swiss multinational company, a leading electrification and automation technology provider, suffered a cyber attack that reportedly impacted its business operations.

The news of the attack was first reported by BleepingComputer, which is aware that the attack impacted the company's Windows Active Directory, with hundreds of devices infected.

BleepingComputer reported that the attack was carried out by the Black Basta ransomware group; some projects were delayed, and the attack impacted some of the company's factories.

However, Black Basta did not add the name of the company to its leak website, a circumstance that suggests there is an ongoing negotiation, or that the company paid the ransom, as reported by the popular cybersecurity expert Kevin Beaumont.

Once it discovered the security breach, ABB closed VPN connections with its customers to prevent the threat from spreading.

According to a press release published by the company, threat actors had unauthorized access to certain ABB systems, deployed a ransomware payload, and stole certain data.

“ABB has determined that an unauthorized third-party accessed certain ABB systems, deployed a type of ransomware that is not self-propagating, and exfiltrated certain data. The company is working to identify and analyze the nature and scope of affected data and is further assessing its notification obligations.” reads the press release. “ABB will communicate with affected parties where necessary, including, for example, specific customers, suppliers, and/or individuals where personally identifiable information was affected.”

ABB added that the investigation is still ongoing and that it is working with cybersecurity experts to determine the extent of the impact.

ABB confirmed that the attackers accessed portions of its network and deployed a human-operated ransomware to steal certain data. The attackers had access to a limited number of servers and endpoints.

The company has fully recovered from the security breach, and all factories are operating.

“All of ABB’s key services and systems are up and running, all factories are operating, and the company continues to serve its customers. The company also continues to restore any remaining impacted services and systems and is further enhancing the security of its systems,” continues the press release.

The company will share information regarding the incident, including indicators of compromise.

Black Basta has been active since April 2022; like other ransomware operations, it implements a double-extortion attack model.

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

In two weeks, the experts observed attacks against more than 10 different US-based customers.

The attack chain starts with a QBot infection. The operators use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.

[Image: qakbot blackbasta ransomware]

The researchers noticed that once the threat actor obtained access to the network, it moved extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.
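The attack chain and the escalation timings described in the two paragraphs above can be turned into a timeline check a SOC runs over its own telemetry: reconstruct when each phase (phishing URL, Qakbot loader, Cobalt Strike beacon, Domain Admins membership change, ransomware behavior) was first seen, then measure how long the actor took from initial access to domain admin and to deployment. The following Python script is an added example, not code from the original article, Cybereason, or ABB; the log format, hostnames, account names and messages are constructed, and the two thresholds (two hours to domain admin, twelve hours to ransomware) are taken from the timings the article quotes.

```python
"""Reconstruct a Qakbot -> Cobalt Strike -> domain admin -> ransomware timeline
from endpoint and Active Directory log lines and flag the escalation speed.

Added example for this article; not code from the article, Cybereason or ABB.
The log format, hostnames, account names and messages below are constructed,
and the two thresholds come from the timings the article quotes.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): "ISO timestamp | host | user | message".
SAMPLE_EVENTS = """\
2023-05-06T09:12:00 | WS-0142 | jdoe | Outlook: user opened URL hxxp://example[.]invalid/invoice.zip
2023-05-06T09:14:30 | WS-0142 | jdoe | wscript.exe spawned regsvr32.exe loading a Qakbot DLL
2023-05-06T09:41:10 | WS-0142 | jdoe | rundll32.exe beaconing over HTTPS, signature: Cobalt Strike
2023-05-06T10:55:02 | DC-01 | - | EventID 4728: member svc_backup added to Domain Admins
2023-05-06T19:31:00 | FS-03 | svc_backup | EDR alert: ransomware behavior (mass file encryption)
"""

# Ordered kill-chain phases and the message pattern that marks each one.
# Windows Event ID 4728 is "A member was added to a security-enabled global group".
PHASE_PATTERNS = [
    ("initial_access", re.compile(r"opened URL", re.I)),
    ("qakbot_loader", re.compile(r"qakbot", re.I)),
    ("cobalt_strike", re.compile(r"cobalt strike", re.I)),
    ("domain_admin", re.compile(r"EventID 4728:.*Domain Admins", re.I)),
    ("ransomware", re.compile(r"ransomware behavior", re.I)),
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    message: str


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-delimited constructed format into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, message = (part.strip() for part in line.split(" | ", 3))
        events.append(Event(datetime.fromisoformat(ts), host, user, message))
    return sorted(events, key=lambda e: e.ts)


def classify(message: str):
    """Return the kill-chain phase a message indicates, or None if it matches nothing."""
    for phase, pattern in PHASE_PATTERNS:
        if pattern.search(message):
            return phase
    return None


def build_timeline(events: list[Event]) -> dict[str, datetime]:
    """First timestamp at which each phase was observed, in order of appearance."""
    timeline: dict[str, datetime] = {}
    for event in events:
        phase = classify(event.message)
        if phase and phase not in timeline:
            timeline[phase] = event.ts
    return timeline


def assess(timeline, admin_limit=timedelta(hours=2), ransom_limit=timedelta(hours=12)):
    """Elapsed hours from initial access to domain admin and to ransomware, with flags
    that are True when the actor was at least as fast as the cases Cybereason describes."""
    start = timeline.get("initial_access")
    if start is None:
        return {"error": "no initial access event in timeline"}
    result = {}
    for phase, limit in (("domain_admin", admin_limit), ("ransomware", ransom_limit)):
        ts = timeline.get(phase)
        elapsed = (ts - start) if ts is not None else None
        result[f"hours_to_{phase}"] = (
            round(elapsed.total_seconds() / 3600, 2) if elapsed is not None else None
        )
        result[f"{phase}_within_limit"] = elapsed is not None and elapsed <= limit
    return result


if __name__ == "__main__":
    tl = build_timeline(parse_events(SAMPLE_EVENTS))
    for phase, ts in tl.items():
        print(f"{ts.isoformat()}  {phase}")
    print(assess(tl))
```

On the constructed sample the script reports roughly 1.7 hours to domain admin and about 10.3 hours to ransomware, both inside the limits, so both flags come back True. In practice the patterns would be replaced with the organisation's own EDR and Windows Security event fields, and the interesting output for a defender is the gap between phases: a Domain Admins change within two hours of a phishing click is the window in which isolating the first host and cutting remote access (as ABB did with its customer VPNs) still prevents the deployment stage.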

In April 2023, the ransomware group hit the UK outsourcing giant Capita.

Pierluigi Paganini

(SecurityAffairs – hacking, ABB)