ThyssenKrupp suffers ransomware attack for the third time

ThyssenKrupp, the Germany-based international engineering and materials corporation, has been the victim of repeated cyberattacks from threat actors in a short period of time.

Three distinct ransomware groups managed to breach the systems of ThyssenKrupp between August 2020 and December 2020.

The €28.89 billion conglomerate employs over 100,000 employees worldwide and is probably most recognized by its logo embossed on elevators and escalators.

Latest victim: ThyssenKrupp Materials North America

In January 2021, a ThyssenKrupp subsidiary revealed that it was the victim of a ransomware attack that led to the encryption of its servers and employee workstations.

On December 28, 2020, the ThyssenKrupp Materials group of companies based in the U.S. and Canada was breached by threat actors who managed to access sensitive HR information and documents about the company’s current and former employees.

The confidential information accessed by the attackers included the SSN and bank account information of employees.

“The information we maintain about you may include one or more of the following: name, address, social security number, birthdate, direct deposit information, payroll information, health information, and contact information,” reads a data breach notice issued by the company.

Security Report reached out to ThyssenKrupp Materials NA for a statement and we were told:

“thyssenkrupp Materials Services in North America received a ransomware threat. The Company immediately took responsive steps to address the incident.”

“To protect data security, we generally do not provide specific details about our security precautions. As with other global companies, we continuously monitor and manage cybersecurity threats,” a ThyssenKrupp spokesperson told Security Report.

Further investigation by Security Report revealed that the NetWalker ransomware group is behind this latest cyberattack on ThyssenKrupp Materials NA.

Image: NetWalker’s now-seized PR site lists ThyssenKrupp Materials NA

We analyzed a very small part of the leaked data dump published by the threat actors on the NetWalker leak site.

Also present in the archive were military contracts made with Boeing; invoices; documents mentioning Rolls Royce, Panasonic, and other companies; non-disclosure agreements (NDAs); and several other legal documents.

NetWalker’s parting gift

The NetWalker ransomware operation began around late 2019 and is suspected of generating over $25 million in five months from ransom payments.

Last week, law enforcement authorities including those in Bulgaria and the FBI seized NetWalker’s Tor payment and data leak sites, which now show a seizure notice, as reported by BleepingComputer.

ThyssenKrupp Materials NA appears to be one of the latest victims that the NetWalker group managed to breach before their sites’ seizure.

While the group’s online presence has been wiped clean by the law enforcement authorities, it remains unknown if the NetWalker group will return in the foreseeable future.

In August 2020, ThyssenKrupp System Engineering was hit by the Mount Locker group.

By December 2020, Mount Locker’s leak site started publishing the data they had collected and encrypted from the breached systems.

Image: Mount Locker had previously hit ThyssenKrupp System Engineering

Around September 2020, the Conti ransomware group also claimed they had attacked ThyssenKrupp Holding. However, the documents leaked by the group appeared to have come from ThyssenKrupp’s Canadian subsidiary, making the group’s claims disputable.

In 2016, ThyssenKrupp systems were compromised by Asian hackers who stole technical trade secrets from the German engineering giant.

The repeated attacks on ThyssenKrupp and its subsidiaries by threat actors reiterate the need for stepping up cybersecurity efforts, especially at mission-critical organizations like ThyssenKrupp that are known to regularly trade with military and defense clients.

As a result of this cyberattack, ThyssenKrupp Materials NA is offering a credit monitoring service at no cost to the impacted employees via TransUnion’s myTrueIdentity service.

The company requests that any questions not be directed to its HR department and has set up toll-free numbers for assistance:

“If you have additional questions or concerns regarding this incident, please call 800-475-1420, Monday through Friday from 9:00 a.m. to 9:00 p.m. Eastern Time.”

“If you have questions regarding enrollment in the credit monitoring service, please call 1-855-288-5422, Monday through Friday from 9:00 a.m. to 7:00 p.m. Eastern Time. Please have your activation code ready.”

“PLEASE DO NOT CONTACT HR with questions,” continues the data breach notice issued by ThyssenKrupp Materials NA.

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
