On and Off Shore Hacking:
Supply Chain Cyber Developments in 2019
Executive Summary
- Cyber security incidents continue to pose an ever increasing menace to secure and efficient supply chains, with 263% more incidents recorded in 2019 compared to 2018, both in familiar categories such as ransomware, vulnerabilities, data breaches, denial-of-service, and phishing, as well as new ones, such as Advanced Persistent Threats (APTs)
- Of these, vulnerabilities, ransomware and APTs posed the principal threats of 2019, highlighted by incidents such as healthcare product vulnerabilities reported by US DHS, LockerGoga at Norsk Hydro, and Vietnamese and Chinese APTs targeting multinational manufacturers
- The Norsk Hydro case provides a notable learning opportunity for globally operating companies in terms of disclosure and incident response as the ransomware impacted both corporate functions and production across several sites
- The principal threats in 2019 are all likely to worsen in severity in 2020 in light of aging operating systems, ransomware further approximating to productive facilities as well as increasing geopolitical competition
- Companies with sophisticated supply chains should audit, increase visibility, and facilitate communication with supply chain managers and IT professionals to ensure the utmost in cyber defense for the sake of continuity and security
Background
Cyber threats for production, supply chains, and logistics have grown and evolved over the past few years. Greater awareness of such developments, however, has not yet translated into sufficient preparation against this increasing threat.
275 cyber incidents have been recorded by Everstream Analytics just in 2019, of which 237, or 86.1%, were of supply chain relevance. In comparison, 2018 saw only 90 incidents across the full year, as reported by Everstream Analytics. A year-over-year comparison shows a 263% increase in incidents recorded.
The above numbers are an accurate representation of the supply chain cyber threat, which is a fraction of the overall cyber threat. These numbers are reflective of the 5 categories of cyber incident that Everstream Analytics monitors: Data Breaches, Phishing, Ransomware, Vulnerabilities, and Denial of Service.
As the above data shows, Vulnerabilities, Data Breaches, and Ransomware were the most afflictive incidents in supply chain cyber security throughout 2019, each representing a progressing level of severity in supply chain impact.
2019 will come to be defined by 3 categories of threats though: Ransomware, system-paralyzing malware designed to extract a ransom; APTs, broad cyber campaigns often led by nation-states; and Industrial Controller Vulnerabilities, software and hardware flaws that allow hackers entry.
- Ransomware: Ransomware is a form of malware that disables access to and/or threatens to disclose or delete a target’s data in exchange for a ransom payment, often made in cryptocurrency and sometimes yielding little result. Some high profile ransomware incidents seen in 2019 were LockerGoga, which disabled headquarters and production systems at Norsk Hydro in March, and a yet-to-be-identified ransomware that compromised the airport authority responsible for Muhammad Ali International Airport in Louisville, KY in May.
- APT: A single hacker or group of hackers, often receiving the sponsorship of a nation-state such as Russia, China, Iran, North Korea, or Vietnam, that performs an often long and undetected (until the point of action) campaign that is in line with said sponsoring state’s national interest. Examples of APT-related incidents in 2019 was a campaign by OceanLotus, or APT32, against several multinational automotive manufacturers in the Asia-Pacific region, believed to be coordinated in line with the opening of Vietnam’s first domestic automobile factory. Another such threat was Winnti, believed to be coordinated by the Jiangsu Bureau of China’s Ministry of State Security that targeted several manufacturers throughout Europe.
- Industrial Controller Vulnerabilities: Errors in coding present in software and/or devices comprising industrial control systems (ICS) that can allow for a series of malign manipulations of manufacturing systems by remote hackers to the point of damage. Some vulnerabilities have garnered regulatory attention such as the United States Department of Homeland Security (DHS) citing Philips and McKesson for vulnerabilities in cardiology and obstetric devices, respectively.
Further refined, these threats have presented themselves in the following forms throughout the year:
- LockerGoga: A form of ransomware that arose in a series of primarily industrial targets, resulting in several days of halted production and employment furloughs.
- OceanLotus: An APT operating under a series of aliases that grew from a Southeast Asian sociopolitical focus to a threat actor targeting multinational companies in Vietnam, employing a series of attacks ranging from break-ins to data theft and/or corruption.
A recent study by IBM has indicated that logistics actors take an average of 192 days to recognize an incident of cyber abnormality in their systems, and upon discovery, take an average of 60 days to mitigate the risks posed by the abnormality, with end losses to a tune of USD 3.86 million.
While the incidents captured throughout 2019 have yet to reach these levels of severity, ransomware recovery time recorded by Everstream Analytics analysts across logistics companies, producers, and related entities averages 14 days. A persistent and prolonged downtime for each incident has the potential to amplify not only damage, but confidence from customers as well as supply chain partners.
As the above maps show, there are few locations untouched by cyber incidents in 2019. While North and South America, as well as Europe, saw the most severe incidents throughout the year, Asia and the Pacific experienced a number of moderate incidents as well.
A Look Back on 2019
The types of cyber incidents of supply chain significance reported by Everstream Analytics contain considerable learning points, given the evolution of current monitored threats as well as the appearance of newer ones.
As vulnerabilities are gateways for other types of incidents to occur, they can often manifest in conjunction with others, such as data breaches or denial-of-service. The predominant nature of the incident in question, however, will revolve around the vulnerability itself as an antecedent to data breaches or denials-of-service. Others, however, occur within an ecosystem of their own, which is often reflective of an ability to propagate. Ransomware incidents, while capable of occurring in conjunction with phishing incidents, have been observed to be occurring on their own by Everstream Analytics analysts.
Vulnerabilities can often be representative issues to come. In reporting these incidents, a small, yet growing, trend indicates proactive and early patch implementation upon disclosure of such events. What bears consideration, however, is that the detection of vulnerabilities can be the precipice for incident prevention, and can provide insights from the specific avenues affected as well as their possible severity based on the ability to exploit it. In summation, improved monitoring of vulnerabilities for products and components provides a better chance of mitigating them before they worsen and necessitate broader adjustments to one’s supply chain, such as halting production or issuing recalls in order to prevent a product containing vulnerable components from reaching the market.
Ransomware incidents, however, have shown to be not only the most acute of incidents in terms of determining exposure and impact, but also in creating a risk by geographic proliferation. Ransomware has been a concern for those in shipping, logistics, and supply chains for the better part of the decade, most notably due to the ransomware attacks on Maerks in 2017 as well as the attack on COSCO in 2018. Such events of note affecting ocean shipping have yet to occur in 2019, but the threat of ransomware has yet to cease at nodes of transportation. And in contrast to past years, the long-feared manifestations of ransomware affecting production activities have arrived.
Calculating mitigating times for Lockergoga (4 days at Altran and 8 days Norsk Hydro), iEncrypt at Arizona Beverages (30 days), and unknown ransomware at Aebi Schmidt (5 days) and Eurofins Scientific (23 days), our incidents, irrespective of number of physical entities impacted, show a mean ransomware mitigation time of 14 days. While data pertaining to ransomware payouts or other financial burdens are rarely disclosed for the private sector, the longer a firm is afflicted with ransomware, the greater the operational burdens are in order to circumvent it.
Airport-based ransomware continues to provide a source of nuisance at airports, but regardless of duration, the incidents themselves have yet to impact systems crucial to departures and arrivals of aircrafts. As WannaCry introduced named ransomwares to logistics and supply chain industries through its attack on Maersk in 2017, LockerGoga became the named actor of 2019. The ransomware first came to light with an attack on French engineering firm Altran Technologies, which shut down its headquarters and miscellaneous European operations. Lockergoga gained greater attention by March 2019 when it infected the headquarters of aluminum producer Norsk Hydro, before spreading to its production operations throughout Europe, North America, Brazil, and Qatar.
As this report will elaborate, there were warning signs that have grown ever more visible as a result of greater source visibility, thereby permitting preemption of threats.
Case Studies
The risks cyber attacks pose for supply chain operations was brought to the forefront by a number of events in 2019. Some of the most noteworthy ones are illustrated as case studies below.
Rockwell Automation controllers
Industry sources indicated on July 10 that a high-severity vulnerability, titled CVE_2019-10970 with a CVSS score of 7.5/10, was discovered in Rockwell Automation’s PanelView 5510 human-machine interfaces made before March 13 that haven’t been updated to versions 4.003 or 5.002.
The vulnerability permits access to the programmable logic controllers to which the interface will be linked, allowing remote control for malicious purposes. The controllers interacting with the interface are used in critical infrastructure, automotive manufacturing, water systems, as well as food & beverage, among other industries. At the time of the incident, Rockwell advised customers to either update to the latest software version or to block TCP and UDP ports 2222 and 44818 to isolate traffic to the manufacturing zone.
What made this case the archetype for all vulnerability cases was the breadth of its applications as well as a specific isolation of vulnerabilities present in manufacturing systems. More often than not, the vulnerability-related incidents covered by Everstream Analytics, while catalogued according to a universally recognizable standard (i.e. CVE-YEAR-5 digit number), often only briefly touch upon a component. This incident was notable not only in its specification for internet-connected avenues in which a hacker would be able to act on intent.
From a production point of view, in the event of a cyber incident, greater visibility affords supply chain managers greater control to adjust production in order to correct the vulnerability. Beyond production, detection affords supply chain managers the ability to interface with the IT means at their disposal to address the issue. While some incidents can have a patch or remedy readily available, others may take weeks to months for a remedy to be developed by an authoritative source.
Norsk Hydro and LockerGoga
Norsk Hydro, a Norwegian aluminum producer with global operations, was the target of the LockerGoga ransomware on March 19, a new ransomware that debuted 2 months earlier at the French engineering consultancy firm Altran Technologies and was uploaded from a Dutch server the week prior.
The attack on Norsk Hydro started in the United States and subsequently spread across its worldwide IT network overnight, to locations that included Canada, Germany, Denmark, and Norway. The company then took measures to contain the virus by isolating its factories, particularly its rolled aluminum and extruded solutions units, and switching to manual operations and procedures.
On March 20, it succeeded in detecting the root cause of the problems and was said to be working on a plan to restart the company’s information technology systems in a safe and sound manner. The Oslo-based company was able to isolate the program responsible for the ransomware execution on March 21, yet continued to labor for 6 more days at 50% operating capacity in order to fully restore systems to pre-incident operability. Most of the company’s worldwide energy plants and smelters remained largely unaffected by the attack, but were forced to operate manually.
According to industry experts, the LockerGoga malware does not self-propagate, and was not likely to go beyond Norsk Hydro’s internal network. The ransomware is said to be different to the previous industrial cyber-attacks such as WannaCry and Petya because criminals are targeting company networks and synchronizing encryption across their geographical regions to demand ransom from the company. Norsk Hydro’s plan entailed forgoing paying the ransom and opting to restore its systems from backup servers, the only alternative to regain access to data and applications. It was this process that, while saving the company on ransomware payments, contributed to the length of restoration given the reach and multitude of countries with systems infected.
What makes this case a model for analysis in comparison with the original LockerGoga victim, Altran, was its propagation, as well as the length of time required to restore operations. A strongly integrated and poorly segmented network can allow a simple ransomware like LockerGoga to propagate with velocity. Furthermore, a lack of strong visibility and supply chain communication in a medium outside of the organic corporate network can make recovery from a ransomware incident even more difficult. While operations are often limited once ransomware attacks occur, a greater understanding of one’s own supply chain and the warning signs preceding it, regardless of supply chain culpability in the event, can make the difference in prevention, continuity, and mitigation.
ASCO Industries ransomware
While Norsk Hydro is exemplary of a Tier 2/3 industry ransomware incident, the ASCO Industries ransomware is exemplary of a ransomware case impacting a Tier 1 aviation and defense firm. On June 7, Zaventem, Belgium-based aeronautical component manufacturer ASCO Industries suffered a then-nondescript cyber security incident that was reported to have impacted its production facilities in Belgium, Germany, Canada, and the US. At the time of reporting, the firm, a notable supplier to Airbus, Boeing, Lockheed Martin, Embraer, and Bombardier did not specify the incident it suffered.
Expressed symptoms, such as temporary dismissal of 1,000 of its employees at its Zaventem headquarters as well as at its Germany, Canada, and US facilities, along with the removal of systems from internet accessibility, appeared to be consistent with a ransomware attack, such as that which impacted Norsk Hydro. The incident in question was confirmed as malicious by Spirit AeroSystems sources on June 11. While upon disclosure, ASCO estimated that its systems would be restored to baseline functionality by June 13, as the week of June 10-14 passed, estimates extended to as late as June 28. As a result, the temporary dismissal effectively evolved into a prolonged, uncompensated furlough for its employees.
Perhaps the more notable point of analysis in this incident is disclosure and its relation to continuity. Norsk Hydro was known within a relatively immediate timeframe to be impacted by the LockerGoga ransomware, one that was somewhat known to the manufacturing world for its January Altran manifestation. As of this writing, like many technical details of this ASCO incident, the name of the ransomware involved is unknown.
During the course of the Norsk Hydro attack, the ransomware was believed to have evaded traditional security. Such information is also absent for ASCO, where researchers are left to interpret DNS traffic to a C2 server to be able to properly attribute the incident. Further information awaiting disclosure is in ASCO’s action plan, whether it elects to acquiesce to the distributor of the ransomware or to reconstruct. While no data was stolen, per the most up-to-date disclosures, the concern at hand, and lesson to derive from this incident, was a lack of supply chain visibility with respect to cyber incidents preventing the ability to stymie the spread of the ransomware beyond its origin.
Winnti (APT 17) and OceanLotus (APT32)
The first incident in this example is an APT called Winnti, also known as APT17, which has been traced to the Jinan Bureau of China’s Ministry of State Security. It was first detected in 2015, yet came to attention in July 2019 with the discovery of its infiltration of several German, Japanese, Swiss, and French manufacturers. The case to be emphasized with Winnti was the July 24 disclosure of its vast infiltration of a multitude of manufacturers, consisting of industries such as plastics, pharmaceuticals, industrial machinery, and airlines, among others. The challenge that this sets bears similarities to the ASCO incident, where a need for proprietary supply chain cyber security is fundamental, with a simultaneous need to cascade down the tiers can help prevent future impacts to production.
Also known as Advanced Persistent Threat (APT) 32, a group of Vietnamese hackers believed to receive non-descript state sponsorship came to the knowledge of those in the cyber intelligence community in 2015. What started out as a means of enforcing information security became a tool of warfare against private enterprises that have hit targets in several countries, and physical installations throughout Southeast Asia. In 2019, the APT came to the attention of Everstream Analytics in an incident that targeted several multinational automotive manufacturers in the country. The incident was believed to coincide with the planned introduction of the first domestically produced sedan by Vingroup.
Outlook and Recommendations
As 2019 draws to a close, we elaborate on the foremost supply chain cyber threats to come for the New Year:
- APTs: Production-targeted APTs have been spotted before by Everstream Analytics, such as the OilRig APT targeting the energy sector in the Middle East. These incidents, however, are unique in the addition of a geopolitical risk factor. While APTs have previously only had financial MOs and targets, a renewed international climate of competition is sure to add cyber risks to export-oriented supply chains in the year to come. This therefore elevates the importance of analyzing if relocation or re-evaluation is necessary for any component or entity in a supply chain. This will provide the ability to gain visibility into incidents at their various stages, but also integrate cyber risk considerations in strategic supply chain decision-making. Locations to consider for cyber risk monitoring in 2020 as a component of supply chain security should include, but not be limited to, Southeast Asia, Northeast Asia, Oceania, Western Europe, and the Persian Gulf, to name a few.
- Ransomware: Ransomware will continue to be the principal cyber threat to supply chain, production, and logistics operations for time to come. Everstream Analytics has seen ransomware get closer to points of production over the years, by starting at logistic nodes and moving into factories, and we can anticipate that the New Year will bring ransomware that comes ever closer to critical points of a supply chain flow for the most damaging impact.
- Vulnerabilities: Vulnerabilities will be a principal point of focus in 2020 as well, especially as manufacturers become more aware of how cyber incidents can evolve from warnings to near-catastrophic occurrences. In particular, since the Windows 7 end-of-life date will be on January 14, 2020, several IoT devices with medical, among other, applications, will be at risk. As further operating systems age, the list of supply chain risk-prone vulnerabilities will be bound to grow. Also, a November warning from the FBI to the automotive industry highlights this point, where brute force hacks may give way to more sophisticated, and therefore more damaging, attacks on manufacturing systems as well as end products.
While data suggests that the quantity of cyber incidents have increased based on a baseline evaluation since 2018, an encouraging development since last year is the increased availability of means to combat the threats. This information often comes available from open and/or official sources, and can be easily cascaded to supply chain managers and IT professionals.
Everstream Analytics offers a 5-step risk evaluation process below to determine how vulnerable your system may be to a cyber incident, and what will be required to mitigate such risks. What must be emphasized this year, however, are the importance of proper analysis and visibility in ensuring that a company is best prepared to perform the first 3 tasks so that the latter 2 may be properly planned.
Based on this model, below are some measures that Norsk Hydro and ASCO applied for the two ransomware incidents we explored in this report:
| NORSK HYDRO | ASCO | |
| Defence | Isolation of networks within 48 hours | Isolation of networks in excess of 168 hours |
| Mitigation | Immediate disclosure | Immediate disclosure, yet no update on type of ransomware |
| Recovery | 6 days | 7+ days |
| Exposure | While widespread, orders were cascaded to isolate as many systems as possible to contain the ransomware’s spread | Communications didn’t begin until preliminary restoration estimates had passed |
| Handling | While production was hit, ransom was not paid | Production suffered as a majority of staff (71.4%) had to be furloughed |
A key takeaway on the ransomware subject is the Norsk Hydro response, and what it tells us as a lesson for those in similar situations. While the incident was devastating for production, reducing output by 6-figures and delaying earnings reports, Norsk Hydro served as a model for early disclosure that was reflective of a transparent effort to communicate what had occurred and what they could do to address the situation. In contrast, the lack of disclosure from ASCO demonstrated a lack of supply chain visibility and an inability to mitigate risks, and threw its credibility into question. As such, the advantage of Norsk Hydro’s strategy to address ransomware was that it would provide greater advantage for those in its supply chain to mitigate risks as early as possible.
Incidents such as these serve as illustrations not only as cases for proper preventive cyber security practices, but also as a case to conduct thorough surveys and audits to obtain visibility and communication to ensure maximum protection in as unified a framework as possible. It is by these means that, while not making ransomware incidents inevitable, can make their impacts less damaging.
Vulnerabilities, as observed by Everstream Analytics, have increasingly disclosed a considerable means of information that can be properly transmitted to supply chain managers as well as IT departments to assess risk. The same poses true for phishing, as most of their indicators are quite transparent, easily communicated, and can be relayed to be blacklisted, ensuring the deepest levels of protection.
Certain risks, however, will be more challenging to mitigate, such as out-of-the-blue data breaches and denials-of-service, due to the element of surprise. With proper visibility and mitigation against the other three major subcategories of cyber attack, however, companies can ensure a robust defense that protects against all but the most unknown of surprises.
As an overall practice, those with broad sourcing networks should consult with their supply chain managers, procurement managers, and IT professionals to formulate the strongest possible defenses in anticipation of ransomware threats to come. For the upcoming year, additional emphasis must be added on thorough auditing and visibility, as this will best ensure that supply chain managers and IT professionals can pre-empt and plan to keep their supply chains up and running in the event of any cyber incident.
Annex
| Affected Entity | Date | Location | Description | Category |
| Titan Manufacturing and Distribution | January 8, 2019 | USA | Data breach of industrial vehicle manufacturer | Manufacturer |
| Oxo International | January 10, 2019 | USA (NY) | Data breach of kitchenware manufacturer | Manufacturer |
| Bel USA | January 10, 2019 | USA (FL) | Data breach of kitchenware manufacturer | Manufacturer |
| Maersk Line | January 17, 2019 | Malaysia | Phishing campaign warning | Seaport/Shipping Line |
| ControlLogix | January 16, 2019 | USA (WI) | Vulnerability in TCP/UDP on industrial controllers | Manufacturer |
| Moxa | January 24, 2019 | Taiwan | Vulnerability in IoT controllers | Manufacturer |
| Port of Rotterdam | January 30, 2019 | Netherlands | Website impersonation warning | Seaport/Shipping Line |
| Altran Technologies | January 24, 2019 | France | LockerGoga ransomware | Manufacturer |
| Eskom | February 7, 2019 | South Africa | Ransomware incident on power company | Utility |
| Allen-Bradley | February 20, 2019 | USA (WI) | 2 vulnerabilities discovered in industrial controllers | Manufacturer |
| Nyrstar | January 23, 2019 | Belgium | Ransomware discovered in zinc maker | Manufacturer |
| Various | March 4, 2019 | China | APT40 | Various |
| Viper | March 8, 2019 | USA (CA) | Vulnerabilities discovered in car alarms | Manufacturer |
| Pandora | March 8, 2019 | Lithuania | Vulnerabilities discovered in car alarms | Manufacturer |
| Citrix | March 11, 2019 | USA (CA) | FBI warns of data breach | Manufacturer |
| Container World | March 12, 2019 | Canada (BC) | Ransomware impersonator hits beverage distributor | Various |
| Kathmandu Holdings | January 8, 2019 | New Zealand | Data breach at outdoor e | Manufacturer |
| LabSat | March 18, 2019 | UK | Spoofing vulnerability discovered in auto GPS | Manufacturer |
| Medtronic | March 22, 2019 | USA (MN) | Vulnerabilities discovered in internal defibrillators | Manufacturer |
| Various | March 22, 2019 | Vietnam | APT32 | Various |
| Hexion | March 25, 2019 | USA (OH) | LockerGoga ransomware at thermoresin company | Manufacturer |
| Momentive | March 25, 2019 | USA (NY) | LockerGoga ransomware at sealant company | Manufacturer |
| Toyota | March 29, 2019 | Australia, Japan, Thailand | Data breach at national headquarters | Manufacturer |
| Bayer | April 4, 2019 | Germany | Cyber incident later discovered to be APT 17 | Manufacturer |
| Arizona Beverages | March 21, 2019 | USA (NY) | Nondescript ransomware incident on beverage manufacturer | Manufacturer |
| Advantech | April 4, 2019 | Taiwan | 3 vulnerabilities discovered in SCADA management software | Software |
| PetroBangla | April 7, 2019 | Bangladesh | Denial-of-service hack at state-owned oil company | Energy Firm |
| Hoya Corporation | April 8, 2019 | Japan, Thailand | Data breach of lens manufacturer | Manufacturer |
| Qualcomm | April 25, 2019 | USA (CA) | Vulnerability discovered in chipsets | Manufacturer |
| Aebi Schmidt | April 23, 2019 | Germany, Switzerland, Netherlands, Norway, Poland, USA (PA, OH, IL) | Production halted by ransomware | Manufacturer |
| Various electrical utilities | March 5, 2019 | USA (CA, UT, WY) | Disruptive cyber event consistent with ransomware | Utility |
| Various electrical utilities | May 2, 2019 | India (TG & AP) | Disruptive cyber event consistent with ransomware | Utility |
| Charles River Laboratories | May 2, 2019 | USA (MA) | Data breach at lab service provider | Service Provider |
| Nivient | May 2, 2019 | USA (CA & MA) | Data breach at customers of lab service provider | Manufacturer |
| Orpak | May 3, 2019 | USA (NC) | Vulnerabilities in gas station software | Software |
| GE | May 6, 2019 | USA (MA) | Vulnerabilities in power meters | Software |
| Pride Power | May 7, 2019 | China (Beijing & Fuyang) | Data breach reported at battery maker | Manufacturer |
| Louisville Muhammad Ali International Airport | May 20, 2019 | USA (KY) | Ransomware attack on airport authority | Airport/Airline |
| B&R Automation | May 30, 2019 | Austria | Vulnerabilities discovered in industrial control components | Manufacturer |
| Eurofins Scientific | June 1, 2019 | Belgium | Ransomware on pharmaceutical testing company | Manufacturer |
| Tecson/GOK | June 11, 2019 | Germany | Vulnerabilities discovered in oil tank software | Manufacturer |
| Perceptics | June 10, 2019 | USA, Canada | Data breach of license plate reader device | Manufacturer |
| WAGO | June 13, 2019 | Germany | Root privilege vulnerabilities in industrial switches | Manufacturer |
| Becton Dickinson | June 17, 2019 | USA (NJ) | Vulnerabilities in infusion pump software | Software |
| A Duie Pyle | June 15, 2019 | USA (PA) | Trucking firm hit by ransomare | Cargo Transporter |
| La Poste | June 21, 2019 | France | French postal service hit in data breach | Government |
| Sonangol | June 10, 2019 | Angola | Denial-of-service at state-owned oil company | Energy Firm |
| Dell | June 21, 2019 | USA (TX) | Vulnerability discovered in pre-installed software | Manufacturer |
| ABB | June 25, 2019 | Switzerland | 12 vulnerabilities patched in HMI products | Manufacturer |
| Huntington Ingalls | June 26, 2019 | USA (VA) | APT10 compromise of shipbuilder | Manufacturer |
| SICK | July 1, 2019 | Germany | Vulnerability in industrial controllers | Manufacturer |
| Orvibo | July 3, 2019 | China | Data breach at IoT manufacturer | Manufacturer |
| Phoenix Contact | July 2, 2019 | Germany, Italy, Turkey, Netherlands, Spain | Vulnerabilities discovered in industrial switches | Manufacturer |
| USCG Inspections and Compliance Directorate | July 9, 2019 | USA | Cybersecurity safety alert | Seaport/Shipping Line |
| Jenkins | July 8, 2019 | USA (OH) | Leak of aerospace manufacturer data | Software |
| Intel | July 9, 2019 | USA (CA) | Siemens vulnerabilities traced back to Intel root | Manufacturer |
| Rockwell Automation | July 10, 2019 | USA (WI) | High severity vulnerability in logic controller | Manufacturer |
| Siemens | July 24, 2019 | Germany | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Schneider Electric | March 20, 2019 | France | Vulnerability discovered in emulator | Manufacturer |
| Wind River Systems | July 29, 2019 | USA (CA) | 11 vulnerabilities discovered in manufacturing operating system | Software |
| Northwood | May 6, 2019 | USA (MI) | Data breach at medical equipment company | Manufacturer |
| BASF | July 24, 2019 | Germany (NW) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Sumitomo Electric | July 24, 2019 | Japan (Osaka) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| ThyssenKrupp | July 24, 2019 | Germany | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Roche | July 24, 2019 | Switzerland (Basel) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Shin-Etsu Chemical | July 24, 2019 | Japan (Tokyo) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Bostik | July 24, 2019 | France (Paris) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Lion Air | July 24, 2019 | Indonesia (Jakarta) | Impacted by Winnti (APT17) hacking group | Airport/Airline |
| Mitsubishi | July 24, 2019 | Japan (Tokyo) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| NVIDIA | July 23, 2019 | USA (CA) | Vulnerabilities discovered in chipsets | Manufacturer |
| City Power | July 25, 2019 | South Africa (GT) | Power outage induced by ransomware | Utility |
| Blastech Mobile | July 29, 2019 | USA (AL) | Ransomware incident at steel manufacturer | Manufacturer |
| Prima Systems | August 1, 2019 | Slovenia | 4-vulnerabilities in access control systems | Manufacturer |
| Lenovo | July 31, 2019 | China | Ransomware attack on NAS devices | Manufacturer |
| NCEES | August 2, 2019 | USA (SC) | Implicated in phishing campaign targeting utilities | Utility |
| Qualcomm | August 6, 2019 | USA (CA) | WLAN firmware vulnerabilities discovered that compromise Android OS | Manufacturer |
| Boeing | August 8, 2019 | USA (WA) | Crew Information Service/Maintenance System (CIS/MS) vulnerabilities discovered in 737s and 787s | Manufacturer |
| Siemens | August 9, 2019 | Germany | Zero-days discovered in Simatic S7-1500 series of industrial controllers | Manufacturer |
| Air New Zealand | August 9, 2019 | New Zealand | Phishing campaign leads to data breach | Airport/Airline |
| China National Aero-Technology Import and Export Corporation | August 9, 2019 | China | BITTER APT targets 10 sites across China | Other |
| Delta Electronics | August 12, 2019 | Taiwan | Buffer control vulnerability discovered in industrial control systems | Manufacturer |
| Siemens | August 15, 2019 | Germany | Port 23/TCP vulnerabilities discovered in SCALANCE X series switches | Manufacturer |
| Xilinx | August 21, 2019 | US (CA) | Unpatchable vulnerability discovered in system-on-chip boards | Manufacturer |
| McKesson | September 2, 2019 | US (NY) | DHS flags cardiac devices for vulnerabilities | Manufacturer |
| Philips | September 2, 2019 | US (MA) | DHS flags obstetric devices for vulnerabilities | Manufacturer |
| i365-Tech | September 6, 2019 | China | Vulnerability leads to data breach in GPS devices | Manufacturer |
| DK-LOK | September 9, 2019 | South Korea, Canada, US, Iran, Germany, Australia, Russia, Brazil, Israel, Turkey, Italy, New Zealand, Portugal, Egypt | Email platform vulnerability leads to business data disclosure | Manufacturer |
| Siemens | September 11, 2019 | Germany | 14 vulnerabilities discovered in Healthineers line | Manufacturer |
| Intel | September 11, 2019 | US (CA) | Network cache vulnerability discovered in Xeon E5 and 7 v2 processor line | Manufacturer |
| Lion Air | September 18, 2019 | Thailand, Indonesia | Data breach | Airport/Airline |
| Malindo Air | September 18-23, 2019 | Malaysia, India | Data breach traced to Indian data center | Airport/Airline |
| Total S.A. | September 23, 2019 | Liberia | Phishing campaign impersonates Liberian subsidiary of oil company | Energy Firm |
| Airbus | September 26, 2019 | UK, Netherlands | VPN hack believed to be traced to Chinese state-sponsored actors | Manufacturer |
| Rheinmetall | September 27, 2019 | US, Mexico, Brazil | Cyber incident halts auto parts production | Manufacturer |
| Ebm-Papst | September 29, 2019 | Germany, Hungary | Cyber incident halts auto parts production | Manufacturer |
| Oticon | September 30, 2019 | Denmark, Poland, France, Mexico | Ransomware halts production at hearing-aid manufacturer | Manufacturer |
| Meridian Lightweight Technologies | October 1, 2019 | Canada, Germany, UK, US, Mexico, China | Car parts magnesium manufacturer hack necessitates FBI assistance | Manufacturer |
| Subaru | October 1, 2019 | US (IN) | Twin ransomware incidents halt automotive production | Manufacturer |
| Heartland Automotive | October 1, 2019 | US (IN) | Twin ransomware incidents halt automotive production | Manufacturer |
| Hibiscus Petroleum | October 7, 2019 | Malaysia | Cyber incident required system isolation | Energy Firm |
| Beckhoff | October 9, 2019 | Germany | 2 DoS vulnerabilities discovered in TwinCAT industrial controllers | Manufacturer |
| Schneider Electric | October 10, 2019 | France | 11 vulnerabilities discovered in Modicon line of controllers | Manufacturer |
| Fette Compacting GmbH | October 17, 2019 | Germany | Production and employee credentials compromised at capsule manufacturer | Manufacturer |
| Pilz GmbH & Co. KG | October 17, 2019 | Germany | Ransomware briefly halts production | Manufacturer |
| Ingredion Incorporated | October 18, 2019 | US (IL) | Data breach led to transactional delays at ingredients maker | Manufacturer |
| Essilor International | October 23, 2019 | France | Data breach reported at optics manufacturer | Manufacturer |
| Kudankulam Nuclear Power Plan | October 31, 2019 | India | Breach allegedly perpetrated by North Korean APT | Utility |
| Pemex | November 12, 2019 | Mexico | Production difficulties reported following ransomware | Energy Firm |
| Solara Medical Supplies | November 15 | US (MI) | Data breach hits medical company through phishing | Supplier |
| Qualcomm | November 18 | US (CA) | 7 vulnerabilities discovered in processors | Manufacturer |
| Medtronic | November 18 | US (CA) | 4 vulnerabilities won’t see patches until early 2020 | Manufacturer |
| Siemens | November 18, 2019 | Germany | Vulnerabilties discovered in Simatic S7-1200 series of industrial controllers | Manufacturer |
| STMicroelectronics | November 19, 2019 | Switzerland | 2 vulnerabilities were found in processors | Manufacturer |
| OnePlus | November 26, 2019 | China | Data breach reported at cell phone manufacturer | Manufacturer |
| Dialight | November 26, 2019 | US (NJ) | Vulnerability in lights used at airports | Manufacturer |
| ABB | December 3, 2019 | Switzerland | Vulnerability in electrical substation controllers | Manufacturer |
| British American Tobacco | December 4, 2019 | Romania | Data breach and potential ransomware | Manufacturer |
| TECNOL | December 5, 2019 | Spain | Ryuk ransomware at building material manufacturer | Manufacturer |
| BMW | December 7, 2019 | Thailand | Data breach by OceanLotus APT | Manufacturer |
| Hyundai | December 7, 2019 | South Korea | Data breach by OceanLotus APT | Manufacturer |