News

ThyssenKrupp suffers ransomware attack for the third time

The Germany-based international engineering and materials corporation, ThyssenKrupp has been a victim of repeated cyberattacks from threat actors in a short period of time.

Three distinct ransomware groups managed to breach the systems of ThyssenKrupp between August 2020 and December 2020.

The €28.89 billion conglomerate employs over 100,000 employees worldwide and is probably most recognized by its logo embossed on elevators and escalators.

Latest victim: ThyssenKrupp Materials North America

In January 2021, a ThyssenKrupp subsidiary has revealed that they were a victim of a ransomware cyberattack, and that lead to encryption of its servers and employee workstations.

On December 28, 2020, ThyssenKrupp Materials group of companies based in U.S. and Canada were breached by the threat actors who managed to access sensitive HR information and documents about the company’s current and former employees.

The confidential information accessed by the attackers included the SSN and bank account information of employees.

“The information we maintain about you may include one or more of the following: name, address, social security number,
birthdate, direct deposit information, payroll information, health information, and contact information,” reads a data breach notice issued by the company.

Security Report reached out to ThyssenKrupp Materials NA for a statement and we were told:

“thyssenkrupp Materials Services in North America received a ransomware threat. The Company immediately took responsive steps to address the incident.”

“To protect data security, we generally do not provide specific details about our security precautions. As with other global companies, we continuously monitor and manage cybersecurity threats,” a ThyssenKrupp spokesperson told Security Report.

Further investigation by Security Report revealed that NetWalker ransomware group is behind this latest cyberattack on ThyssenKrupp Materials NA.

Image: NetWalker’s now-seized PR site lists ThyssenKrupp Materials NA

We analyzed a very small part of the leaked data dump published by threat actors on the Netwalker leak site.

Also present in the archive were military contracts made with BOEING, invoices, and documents mentioning Rolls Royce, Panasonic, and other companies, non-disclosure agreements (NDAs), and several other legal documents.

NetWalker’s parting gift

NetWalker ransomware operation began around late 2019 and is suspected of generating over $25 million in five months from ransom payments.

Last week, law enforcement authorities including those in Bulgaria and the FBI seized NetWalker’s Tor payment and data leak sites, which now show a seizure notice, as reported by BleepingComputer.

ThyssenKrupp Materials NA appears to be one of the latest victims that the NetWalker group managed to breach before their sites’ seizure.

While the group’s online presence has been wiped clean by the law enforcement authorities, it remains unknown if the NetWalker group will return in the foreseeable future.

In August 2020, ThyssenKrupp System Engineering was hit by the Mount Locker group.

By December 2020, Mount Locker’s leak site started publishing the data they had collected and encrypted from the breached systems.

Image: Mount Locker had previously hit ThyssenKrupp System Engineering

Around September 2020, the Conti ransomware group also claimed they had attacked ThyssenKrupp Holding, however, the documents leaked by the group appeared to have come from ThyssenKrupp’s Canadian subsidiary, making the group’s claims disputable.

In 2016, ThyssenKrupp systems were compromised by Asian hackers who stole technical trade secrets from the German engineering giant.

The repeated attacks on ThyssenKrupp and its subsidiaries by threat actors reiterate the need for stepping up cybersecurity efforts especially at mission-critical organizations like ThyssenKrupp that are known to regularly trade with military and defense clients.

As a result of this cyberattack, ThyssenKrupp Materials NA is offering credit monitoring service at no cost to the impacted employees via TransUnion’s myTrueIdentity service.

The company requests that any questions not be directed to their HR department and has setup toll-free numbers for assistance:

“If you have additional questions or concerns regarding this incident, please call 800-475-1420, Monday through Friday from 9:00 a.m. to 9:00 p.m. Eastern Time.”

“If you have questions regarding enrollment in the credit monitoring service, please call 1-855-288-5422, Monday through Friday from 9:00 a.m. to 7:00 p.m. Eastern Time. Please have your activation code ready.”

“PLEASE DO NOT CONTACT HR with questions,” continues the data breach notice issued by ThyssenKrupp Materials NA.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.