The September 2023 Johnson Controls ransomware attack is now recognized to have had a significant and far-reaching impact, as revealed by internal reports from the global security and smart building automation solutions provider.
This cyber attack wrought havoc, encrypting data and causing widespread shutdowns throughout the company’s IT infrastructure.
According to Bitdefender, the Dark Angels ransomware group is responsible for the attack.
This group has purportedly exfiltrated over 25 terabytes of data from Johnson Controls and is currently demanding a hefty ransom of $51 million.
In the event that this ransom goes unpaid, the group has threatened to release the stolen data on the Dunghill Leaks website.
A statement on the website of Simplex, a subsidiary of Johnson Controls, acknowledged the situation, saying:
“We’re currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal. We are actively working to mitigate any potential impacts on our services and will maintain communication with our customers as these outages are resolved.”
Johnson Controls is a global company with a workforce of over 100,000 employees.
They specialize in creating industrial control systems, physical security alarm systems, and technology solutions related to facilities.
While the company was originally founded in Milwaukee, it is currently headquartered in Cork, Ireland.
Johnson Controls has significant dealings with U.S. federal agencies and the defense industrial base sector.
The company initially reported the incident in a submission to the Securities and Exchange Commission on September 27th.
In the days that followed, concerns about the situation continued to mount.
In response to the incident, Johnson Controls has chosen not to disclose further details about the event or the ongoing investigation.
Instead, they are referring interested parties to their SEC filing.
However, the company did confirm that they are dealing with what security experts have labeled a ransomware attack.
This attack has caused disruptions to certain parts of their internal IT infrastructure and applications.
As reported by CNN, senior officials at the Department of Homeland Security, which has contractual agreements with Johnson Controls, have been actively evaluating whether the recent attack has put sensitive physical security data at risk.
This encompasses vital information like building floor plans.
A DHS spokesperson told Cybersecurity Dive:
“We are assessing the potential impacts of this incident and implementing additional safeguards to our layered security model. This was not a breach of any DHS network or system.”
Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) is working closely with Johnson Controls to comprehend the consequences of this incident and offer any necessary assistance.
Gary Barlet, the federal field CTO at Illumio, has drawn attention to the potential consequences for some of the nation’s critical infrastructure, raising a broader concern about the security standards upheld by government contractors.
Barlet conveyed his concerns via email, emphasizing:
“While the government continues to discuss the necessity for government contractors to adhere to minimum security standards, there will be little motivation for vendors to invest in essential security measures until penalties are imposed on those who fail to comply. Accountability is crucial, and it’s time for everyone to take this matter seriously.”
Professionals in the cybersecurity field also weighed in on the incident, with Eric Noonan, CEO of CyberSheath, remarking:
“Organizations of this size, scale, and with deep involvement in the defense industrial base sector are typically expected to have the resources to effectively defend against such attacks. This underscores the imperative to enforce minimum cybersecurity standards throughout the Department of Defense’s global supply chain.”
Noonan concluded by highlighting a significant gap, stating:
“While mandatory minimum cybersecurity requirements are specified in over one million DoD contracts, what’s missing is an enforcement mechanism.”
Johnson Controls has not officially named the party responsible for the attack.
However, Gameel Ali, a threat researcher at Nextron Systems, shared code on the social media platform X containing a ransom note that attributes the attack to a group known as Dark Angels Team.
This ransomware group, which first emerged in May 2022, has a track record of creating ransomware variants by modifying leaked or existing code.
Researchers at SentinelOne have observed Dark Angels targeting organizations in healthcare, government, finance, and education sectors in the past.
According to Alex Delamotte, a senior threat researcher at SentinelOne, the ransom note “contains an onion link to the Dunghill Leaks site” which is associated with Dark Angels.
It’s important to note that, as of now, Dunghill Leaks does not display any data connected to Johnson Controls.