Johnson Controls cyberattack disrupting operations, may involve sensitive DHS info

A cyberattack on a building automation giant is having wide-ranging effects extending even to the U.S. government.

On Wednesday, BleepingComputer first reported that Johnson Controls’ offices in Asia were dealing with a ransomware attack. Several subsidiaries of the company, which produces fire, HVAC, and security equipment for buildings, experienced IT outages as officials took systems offline in response to the attack.

The news outlet reported that the Dark Angels ransomware gang took credit for the attack and demanded a $51 million ransom. The company reported revenues of more than $25 billion last year.

In response to The Record, the company sent a statement identical to its regulatory filing with the SEC, which confirmed that it was dealing with a cyberattack.

On Thursday evening, CNN reporters said they obtained an internal memo from the U.S. Department of Homeland Security raising alarm about the incident and warning that the attack on Johnson Controls may have “compromised sensitive physical security information such as DHS floor plans.”

The company allegedly has worked with DHS and is in possession of “classified/sensitive contracts for DHS that depict the physical security of many DHS facilities.”

Senior DHS officials, who did not respond to requests for comment, allegedly said they are trying to figure out whether the hackers accessed the servers that stored the floor plans but worried that the looming U.S. government shutdown would hamper investigative efforts.

Security researchers said Dark Angels is claiming to have stolen 27 terabytes of sensitive data from the company.

In its regulatory filing, the company confirmed that it “experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident.”

“Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers,” they wrote, admitting that the incident “is expected to continue to cause disruption to parts of the Company’s business operations.”

The attack on Johnson Controls highlights continued efforts by ransomware gangs to target industrial control companies and critical supply chain organizations.

The European Union Agency for Cybersecurity warned in March that ransomware was the most significant cyberthreat facing the transport sector in the European Union, predicting that gangs would “likely target and disrupt” operational technology (OT) systems “in the foreseeable future,” potentially causing even more significant effects for victims.

Researchers from OT security firm Dragos said the number of ransomware attacks on industrial infrastructure grew significantly in 2022, with the firm tracking more than 600 incidents last year.

“The dramatic spike in OT and ICS cybersecurity incidents calls for organizations to take immediate action to improve their cybersecurity posture or they risk becoming the next victim of a breach," said Sid Snitkin, a vice president at ARC Advisory Group.

“The threat landscape for industrial organizations is constantly evolving, and the cost of a breach can be devastating to organizations and critical infrastructure.”