Energy contractor ENGlobal reported that sensitive personal data was stolen by threat actors, with the incident disrupting operations for six weeks
# Incident Report: ENGlobal Cyber-Attack Leading to Data Exfiltration and Operational Disruption
## Executive Summary
US energy contractor ENGlobal suffered a cyber-attack in November 2024, which was publicly disclosed via an SEC filing dated January 27, 2025. The incident involved unauthorized access leading to the exfiltration of sensitive personal data and the disruption of crucial operational business applications for approximately six weeks. The company has since restored the affected systems, states that it believes the threat actor no longer has access to its IT environment, and is proceeding with the required regulatory notifications.
## Incident Details
- **Discovery Date:** December 2, 2024 (date of the initial SEC notification; the intrusion itself was discovered on or before this date)
- **Incident Date:** November 2024
- **Affected Organization:** ENGlobal (US energy contractor serving energy sector clients and US government agencies, including DoD and DoE)
- **Sector:** Energy/Critical Infrastructure (Automation and Control Systems)
- **Geography:** USA
## Timeline of Events
### Initial Access
- **Date/Time:** November 2024 (Attack occurred sometime during this month)
- **Vector:** Not explicitly stated, but the initial notification suggested unauthorized access and data encryption, strongly implying a ransomware-related intrusion.
- **Details:** Threat actor illegally accessed a portion of ENGlobal's IT system.
### Lateral Movement
- **Details:** The threat actor gained access to systems containing sensitive personal information and was able to cause operational disruption lasting approximately six weeks.
### Data Exfiltration/Impact
- **Details:** Sensitive personal data was confirmed to have been stolen (exfiltrated). Additionally, business applications supporting operations and corporate functions, including financial and operating reporting systems, were disrupted.
### Detection & Response
- **How it was discovered:** The incident was discovered sometime prior to December 2, 2024.
- **Response actions taken:** ENGlobal notified the SEC on December 2, 2024. They engaged cybersecurity experts, restored all disrupted business applications (fully restored after ~six weeks), and believe the threat actor no longer has access to the IT system. Affected individuals and regulatory agencies will be notified.
## Attack Methodology
- **Initial Access:** Unspecified; the initial notification's reference to data encryption suggests a ransomware-style intrusion.
- **Persistence:** Unspecified.
- **Privilege Escalation:** Unspecified.
- **Defense Evasion:** Unspecified.
- **Credential Access:** Unspecified.
- **Discovery:** Unspecified.
- **Lateral Movement:** Achieved access to systems containing sensitive personal information and operational applications.
- **Collection:** Sensitive personal data was collected and exfiltrated.
- **Exfiltration:** Sensitive personal data was stolen.
- **Impact:** Operational disruption (business applications offline for six weeks) and data breach.
## Impact Assessment
- **Financial:** Company believes the incident will not have a material impact on its financial condition or results of operations. (No specific cost provided).
- **Data Breach:** Sensitive personal information was stolen. The type and volume were not disclosed publicly.
- **Operational:** Significant disruption to business applications supporting operations and corporate functions (including financial/reporting systems) lasting approximately six weeks.
- **Reputational:** Public disclosure via SEC filing; impacts perception given ENGlobal's role in critical infrastructure.
## Indicators of Compromise
*IOCs are not detailed in the provided text.*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Ransomware encryption activity suspected based on initial SEC notification context.
## Response Actions
- **Containment measures:** Company believes the threat actor no longer has access to its IT system.
- **Eradication steps:** Not detailed; the company's statement that the threat actor no longer has access implies that removal of the actor's access was completed.
- **Recovery actions:** All impacted operational and corporate business applications (financial/reporting systems) have been fully restored. The company is working with cybersecurity experts on future prevention.
## Lessons Learned
- The incident underscores the high risk of cyber threats targeting critical infrastructure organizations, often via the supply chain (as noted in related reports on other energy firms).
- The lack of full redundancy for core business applications turned the intrusion into a six-week operational disruption.
## Recommendations
- Enhance network segmentation, particularly protecting systems housing sensitive personal information.
- Review and augment the organization’s detection and response capabilities, given the multi-week operational impact.
- Continue investments in third-party risk management, as supply chain risk is a prevalent vector in this sector.