Full Report
Building automation giant Johnson Controls is notifying individuals whose data was stolen in a massive ransomware attack that impacted the company's operations worldwide in September 2023. [...]
Analysis Summary
# Incident Report: Johnson Controls 2023 Ransomware Attack and Data Exfiltration
## Executive Summary
Johnson Controls suffered a significant cyberattack in September 2023, attributed to the Dark Angels ransomware operation. The attackers gained access to the corporate network, moved laterally to a Windows domain controller, exfiltrated over 27 TB of corporate data, and then encrypted systems including VMware ESXi virtual machines, following the double-extortion pattern of theft followed by encryption. The company has incurred at least \$27 million in response and remediation costs, with remediation ongoing, and is now notifying individuals whose data was stolen. The incident illustrates the operational and financial impact of a breach that reaches both the identity tier and the virtualization tier.
## Incident Details
- **Discovery Date:** Not stated in the excerpt; the attack affected operations in September 2023, and the notification of affected individuals followed later.
- **Incident Date:** September 2023.
- **Affected Organization:** Johnson Controls
- **Sector:** Manufacturing / Building Automation
- **Geography:** Global; the excerpt states that the attack impacted the company's operations worldwide.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified within the provided text beyond the September 2023 time frame.
- **Vector:** Not described. The account establishes that the attackers reached the Windows domain controller but does not say how they first entered the network.
- **Details:** Attackers obtained a foothold in the corporate network environment by an unspecified means.
### Lateral Movement
- **Details:** Attackers moved throughout the network, ultimately gaining access to the Windows domain controller.
### Data Exfiltration/Impact
- **Details:** Attackers encrypted company systems, specifically targeting and encrypting **VMware ESXi virtual machines**. They exfiltrated an estimated **27 TB of documents** containing corporate data. The incident involved double-extortion tactics, threatening to publish the stolen data.
### Detection & Response
- **How it was discovered:** Not stated in the source. The excerpt establishes only that the company later determined which individuals' data was stolen and began notifying them.
- **Response actions taken:** Incident response and remediation efforts were initiated, producing initial expenses of at least \$27 million. The response had to address both the encryption of Windows systems and VMware ESXi virtual machines (the attackers deployed separate Windows and ESXi encryptors) and the exposure created by the exfiltrated data.
## Attack Methodology
- **Initial Access:** Not explicitly detailed (implied common methods used by the threat actor).
- **Persistence:** Not explicitly detailed.
- **Privilege Escalation:** Attackers gained control of the **Windows domain controller**, which implies domain-administrator-level privileges; the escalation technique itself is not described.
- **Defense Evasion:** Not specified.
- **Credential Access:** Inferred necessary to gain domain controller access.
- **Discovery:** Not specified.
- **Lateral Movement:** Enabled movement to key infrastructure, including the domain controller.
- **Collection:** Over **27 TB of corporate documents** were collected for exfiltration.
- **Exfiltration:** Data was stolen before encryption, consistent with double extortion; the exfiltration channel and destination are not described.
- **Impact:** Impact included **data encryption** (targeting Windows and VMware ESXi) and **data theft** via double-extortion.
## Impact Assessment
- **Financial:** At least **\$27 million** incurred in incident response and remediation costs, with expectations for this figure to rise.
- **Data Breach:** Exfiltration of **over 27 TB of corporate documents**.
- **Operational:** Significant operational disruption due to the execution of ransomware, specifically targeting and encrypting **VMware ESXi virtual machines**.
- **Regulatory and Reputational:** The theft of personal data obliged the company to notify affected individuals, which also makes the breach a matter of public record.
## Indicators of Compromise
*(Note: The provided text lists no atomic IOCs such as hashes, domains or IP addresses. The items below are TTP-level descriptors of the threat actor's tooling, useful for hunting and detection engineering but not for blocklists.)*
- **Network indicators - defanged:** N/A (no domains or IP addresses provided).
- **File indicators:** No hashes are given. The Windows and VMware ESXi encryptors are described as builds derived from the leaked **Babuk ransomware** source code, alongside a Linux encryptor resembling **Ragnar Locker**. The Babuk source has been public since 2021 and underlies several unrelated ESXi lockers, so a Babuk-family detection by itself identifies the malware family, not this actor.
- **Behavioral indicators:** Double-extortion scheme in which victims are directed to the **"Dunghill Leaks"** dark web site; bulk data transfer out of the network preceding encryption; encryption of ESXi virtual machine files in addition to Windows hosts.
## Response Actions
- **Containment measures:** Not described in the source; stopping the spread of the ransomware and revoking compromised access, including domain credentials, are inferred from the nature of the incident.
- **Eradication steps:** Not described in the source; removing the attackers' tooling and access from the environment is inferred.
- **Recovery actions:** Ongoing restoration of encrypted systems, including ESXi virtual machines, and broader remediation, reflected in the at least \$27 million of documented expenses.
## Lessons Learned
- The encryptors are built from leaked Babuk source code rather than new tooling, so existing detection content for Babuk-derived Windows and ESXi lockers is directly relevant to defending against this actor.
- The use of a dedicated VMware ESXi encryptor shows that virtualization hosts were a deliberate target: encrypting a hypervisor takes down every guest at once, and ESXi hosts typically lack endpoint agents.
- 27 TB of data left the network without being detected or blocked. At 1 Gbps that volume takes roughly 60 hours to transfer, so egress monitoring had a window of days in which a sustained, abnormal outbound flow could have been caught.
## Recommendations
- Enhance visibility around and segmentation of virtualization infrastructure: place ESXi management interfaces on a restricted network reachable only from hardened administrative hosts, keep SSH and the ESXi shell disabled except during maintenance, and keep hosts patched so that the hypervisor cannot be reached from a compromised user workstation.
- Review and strengthen controls around domain controller access and credential hygiene: tiered administration so that domain-administrator credentials are never exposed on workstations or servers, and monitoring of logons to domain controllers to detect lateral movement before it reaches the identity tier.
- Implement data loss prevention and egress monitoring that baselines each host's normal outbound volume and alerts when a host sends far more than its baseline, especially to destinations it has not contacted before, so that multi-terabyte exfiltration is detected while it is still in progress.
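The following is an added illustration of the egress-baseline detection described in the last recommendation. It is not code from Johnson Controls or from any published analysis of this incident. The flow records are constructed sample data in an assumed comma-separated layout (timestamp, source IP, destination IP, destination port, bytes out), and the internal address ranges, the 7-day baseline window, the 5x multiplier, the 50 GB floor and the 3-day warm-up are all parameters chosen for the example.

```python
"""Baseline-and-threshold detection of bulk data exfiltration from flow records.

Added example for the egress-monitoring recommendation; not code from Johnson
Controls or from any analysis of the incident. The field layout, the internal
ranges, the baseline window, the multiplier, the floor and the warm-up period
are assumptions, and SAMPLE_FLOWS below is constructed data, not real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed RFC 1918 ranges count as "inside"; adjust to the real address plan.
INTERNAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: ts,src_ip,dst_ip,dst_port,bytes_out.
# 10.20.5.17 sends ~0.8 GB/day to one SaaS endpoint, then 6.2 TB to a new host.
# 10.20.9.40 is a backup server with a steady 90 GB/day that must not alert.
SAMPLE_FLOWS = """
2024-01-20T02:00:00,10.20.5.17,203.0.113.10,443,800000000
2024-01-21T02:00:00,10.20.5.17,203.0.113.10,443,760000000
2024-01-22T02:00:00,10.20.5.17,203.0.113.10,443,810000000
2024-01-23T02:00:00,10.20.5.17,203.0.113.10,443,790000000
2024-01-24T02:00:00,10.20.5.17,203.0.113.10,443,820000000
2024-01-25T02:00:00,10.20.5.17,203.0.113.10,443,780000000
2024-01-26T02:00:00,10.20.5.17,203.0.113.10,443,800000000
2024-01-26T23:40:00,10.20.5.17,10.20.1.5,445,900000000000
2024-01-27T01:15:00,10.20.5.17,198.51.100.77,443,6200000000000
2024-01-20T03:00:00,10.20.9.40,203.0.113.55,443,90000000000
2024-01-21T03:00:00,10.20.9.40,203.0.113.55,443,90000000000
2024-01-22T03:00:00,10.20.9.40,203.0.113.55,443,90000000000
2024-01-23T03:00:00,10.20.9.40,203.0.113.55,443,90000000000
2024-01-24T03:00:00,10.20.9.40,203.0.113.55,443,90000000000
2024-01-25T03:00:00,10.20.9.40,203.0.113.55,443,90000000000
2024-01-26T03:00:00,10.20.9.40,203.0.113.55,443,90000000000
2024-01-27T03:00:00,10.20.9.40,203.0.113.55,443,90000000000
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text):
    """Parse comma-separated flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = (f.strip() for f in line.split(","))
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_RANGES)


def egress_by_host_day(flows):
    """Sum bytes per (internal source, day) for flows that leave the internal ranges,
    and record which external destinations each host contacted on each day.
    Internal-to-internal traffic (e.g. SMB to a file server) is deliberately ignored."""
    volume = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            day = f.ts.date()
            volume[f.src][day] += f.bytes_out
            dests[f.src][day].add(f.dst)
    return volume, dests


def detect_exfiltration(text, baseline_days=7, min_history=3,
                        multiplier=5.0, floor_bytes=50_000_000_000):
    """Flag (host, day) pairs whose egress exceeds both an absolute floor and
    multiplier x the host's median daily egress over the preceding baseline window.
    Days with fewer than min_history prior days are not scored, so a newly seen host
    is never judged against an empty baseline (a steady high-volume server stays quiet)."""
    volume, dests = egress_by_host_day(parse_flows(text))
    findings = []
    for host, days in volume.items():
        for day in sorted(days):
            history = [(d, b) for d, b in days.items() if 0 < (day - d).days <= baseline_days]
            if len(history) < min_history:
                continue
            baseline = median([b for _, b in history])
            total = days[day]
            if total >= floor_bytes and total > multiplier * baseline:
                seen_before = set().union(*(dests[host][d] for d, _ in history))
                findings.append({
                    "host": host,
                    "day": day.isoformat(),
                    "bytes": total,
                    "baseline_median": baseline,
                    "new_destinations": sorted(dests[host][day] - seen_before),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_exfiltration(SAMPLE_FLOWS):
        print(finding)
```

Run against the sample, the detector reports one finding: the workstation that sent 6.2 TB on 2024-01-27 to a destination it had never contacted, against a 0.8 GB median, while the backup server's constant 90 GB/day is never flagged. The floor and multiplier are tuning knobs, not universal values; an attacker who trickles data below the threshold over many days defeats a pure volume test, so in practice the new-destination signal and destination reputation should be weighted alongside volume.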