On and Off Shore Hacking:
Supply Chain Cyber Developments in 2019

Executive Summary

  • Cyber security incidents continue to pose an ever increasing menace to secure and efficient supply chains, with 263% more incidents recorded in 2019 compared to 2018, both in familiar categories such as ransomware, vulnerabilities, data breaches, denial-of-service, and phishing, as well as new ones, such as Advanced Persistent Threats (APTs)
  • Of these, vulnerabilities, ransomware and APTs posed the principal threats of 2019, highlighted by incidents such as healthcare product vulnerabilities reported by US DHS, LockerGoga at Norsk Hydro, and Vietnamese and Chinese APTs targeting multinational manufacturers 
  • The Norsk Hydro case provides a notable learning opportunity for globally operating companies in terms of disclosure and incident response as the ransomware impacted both corporate functions and production across several sites 
  • The principal threats in 2019 are all likely to worsen in severity in 2020 in light of aging operating systems, ransomware moving ever closer to production facilities, as well as increasing geopolitical competition
  • Companies with sophisticated supply chains should audit, increase visibility, and facilitate communication with supply chain managers and IT professionals to ensure the utmost in cyber defense for the sake of continuity and security

Background

Cyber threats for production, supply chains, and logistics have grown and evolved over the past few years. Greater awareness of such developments, however, has not yet translated into sufficient preparation against this increasing threat. 

275 cyber incidents have been recorded by Everstream Analytics just in 2019, of which 237, or 86.1%, were of supply chain relevance. In comparison, 2018 saw only 90 incidents across the full year, as reported by Everstream Analytics. A year-over-year comparison shows a 263% increase in incidents recorded. 

The above numbers are an accurate representation of the supply chain cyber threat, which is a fraction of the overall cyber threat. These numbers are reflective of the 5 categories of cyber incident that Everstream Analytics monitors: Data Breaches, Phishing, Ransomware, Vulnerabilities, and Denial of Service.

Figure 01: Distribution of cyber incidents throughout 2019; Source: Everstream Analytics

As the above data shows, Vulnerabilities, Data Breaches, and Ransomware were the most afflictive incidents in supply chain cyber security throughout 2019, each representing a progressing level of severity in supply chain impact. 

2019 will, however, come to be defined by 3 categories of threats: Ransomware, system-paralyzing malware designed to extract a ransom; APTs, broad cyber campaigns often led by nation-states; and Industrial Controller Vulnerabilities, software and hardware flaws that allow hackers entry.

  • Ransomware: Ransomware is a form of malware that disables access to and/or threatens to disclose or delete a target’s data in exchange for a ransom payment, often made in cryptocurrency and sometimes yielding little result. Some high profile ransomware incidents seen in 2019 were LockerGoga, which disabled headquarters and production systems at Norsk Hydro in March, and a yet-to-be-identified ransomware that compromised the airport authority responsible for Muhammad Ali International Airport in Louisville, KY in May.
  • APT: A single hacker or group of hackers, often receiving the sponsorship of a nation-state such as Russia, China, Iran, North Korea, or Vietnam, that performs an often long and undetected (until the point of action) campaign that is in line with said sponsoring state’s national interest. One example of an APT-related incident in 2019 was a campaign by OceanLotus, or APT32, against several multinational automotive manufacturers in the Asia-Pacific region, believed to be coordinated in line with the opening of Vietnam’s first domestic automobile factory. Another such threat was Winnti, believed to be coordinated by the Jiangsu Bureau of China’s Ministry of State Security, which targeted several manufacturers throughout Europe.
  • Industrial Controller Vulnerabilities: Errors in coding present in software and/or devices comprising industrial control systems (ICS) that can allow for a series of malign manipulations of manufacturing systems by remote hackers to the point of damage. Some vulnerabilities have garnered regulatory attention such as the United States Department of Homeland Security (DHS) citing Philips and McKesson for vulnerabilities in cardiology and obstetric devices, respectively.

Further refined, these threats have presented themselves in the following forms throughout the year: 

  • LockerGoga: A form of ransomware that arose in a series of primarily industrial targets, resulting in several days of halted production and employment furloughs.
  • OceanLotus: An APT operating under a series of aliases that grew from a Southeast Asian sociopolitical focus to a threat actor targeting multinational companies in Vietnam, employing a series of attacks ranging from break-ins to data theft and/or corruption.

A recent study by IBM has indicated that logistics actors take an average of 192 days to recognize an incident of cyber abnormality in their systems, and upon discovery, take an average of 60 days to mitigate the risks posed by the abnormality, with end losses to the tune of USD 3.86 million.

While the incidents captured throughout 2019 have yet to reach these levels of severity, ransomware recovery time recorded by Everstream Analytics analysts across logistics companies, producers, and related entities averages 14 days. Persistent and prolonged downtime for each incident has the potential not only to amplify damage, but also to erode confidence among customers and supply chain partners.

Figure 02: Types of locations impacted by cyber incidents throughout 2019; Source: Everstream Analytics
Figure 03: Severity of cyber incidents and their locations of impact throughout 2019; Source: Everstream Analytics

As the above maps show, there are few locations untouched by cyber incidents in 2019. While North and South America, as well as Europe, saw the most severe incidents throughout the year, Asia and the Pacific experienced a number of moderate incidents as well. 

A Look Back on 2019

The types of cyber incidents of supply chain significance reported by Everstream Analytics contain considerable learning points, given the evolution of current monitored threats as well as the appearance of newer ones. 

As vulnerabilities are gateways for other types of incidents to occur, they can often manifest in conjunction with others, such as data breaches or denial-of-service. The predominant nature of the incident in question, however, will revolve around the vulnerability itself as an antecedent to data breaches or denials-of-service. Others, however, occur within an ecosystem of their own, which is often reflective of an ability to propagate. Ransomware incidents, while capable of occurring in conjunction with phishing incidents, have been observed to be occurring on their own by Everstream Analytics analysts.

Vulnerabilities can often be representative of issues to come. In reporting these incidents, a small, yet growing, trend indicates proactive and early patch implementation upon disclosure of such events. What bears consideration, however, is that the detection of vulnerabilities can be the starting point for incident prevention, and can provide insights into the specific avenues affected as well as their possible severity based on the ability to exploit them. In summation, improved monitoring of vulnerabilities for products and components provides a better chance of mitigating them before they worsen and necessitate broader adjustments to one’s supply chain, such as halting production or issuing recalls in order to prevent a product containing vulnerable components from reaching the market.

Ransomware incidents, however, have proven to be not only the most acute of incidents in terms of determining exposure and impact, but also a source of risk through geographic proliferation. Ransomware has been a concern for those in shipping, logistics, and supply chains for the better part of the decade, most notably due to the ransomware attacks on Maersk in 2017 as well as the attack on COSCO in 2018. Such events of note affecting ocean shipping have yet to occur in 2019, but the threat of ransomware has yet to cease at nodes of transportation. And in contrast to past years, the long-feared manifestations of ransomware affecting production activities have arrived.

Calculating mitigation times for LockerGoga (4 days at Altran and 8 days at Norsk Hydro), iEncrypt at Arizona Beverages (30 days), and unknown ransomware at Aebi Schmidt (5 days) and Eurofins Scientific (23 days), our incidents, irrespective of the number of physical entities impacted, show a mean ransomware mitigation time of 14 days. While data pertaining to ransomware payouts or other financial burdens are rarely disclosed for the private sector, the longer a firm is afflicted with ransomware, the greater the operational burdens are in order to circumvent it.

Airport-based ransomware continues to be a nuisance at airports, but regardless of duration, the incidents themselves have yet to impact systems crucial to departures and arrivals of aircraft. As WannaCry introduced named ransomware to logistics and supply chain industries through its attack on Maersk in 2017, LockerGoga became the named actor of 2019. The ransomware first came to light with an attack on French engineering firm Altran Technologies, which shut down its headquarters and miscellaneous European operations. LockerGoga gained greater attention by March 2019 when it infected the headquarters of aluminum producer Norsk Hydro, before spreading to its production operations throughout Europe, North America, Brazil, and Qatar.

As this report will elaborate, there were warning signs that have grown ever more visible as a result of greater source visibility, thereby permitting preemption of threats.

Case Studies

The risks cyber attacks pose for supply chain operations were brought to the forefront by a number of events in 2019. Some of the most noteworthy ones are illustrated as case studies below.

Rockwell Automation controllers

Industry sources indicated on July 10 that a high-severity vulnerability, titled CVE-2019-10970 with a CVSS score of 7.5/10, was discovered in Rockwell Automation’s PanelView 5510 human-machine interfaces made before March 13 that haven’t been updated to versions 4.003 or 5.002.

The vulnerability permits access to the programmable logic controllers to which the interface will be linked, allowing remote control for malicious purposes. The controllers interacting with the interface are used in critical infrastructure, automotive manufacturing, water systems, as well as food & beverage, among other industries. At the time of the incident, Rockwell advised customers to either update to the latest software version or to block TCP and UDP ports 2222 and 44818 to isolate traffic to the manufacturing zone.
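One way to act on both parts of that advice, as an added example that is not code from Rockwell or Everstream Analytics: audit an HMI inventory against the fixed versions and check flow records for traffic to ports 2222 and 44818 that originates outside the manufacturing zone. The subnet, device names, flow-record format, and the year of the March 13 cutoff are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

# Values taken from the advisory as summarized on this page.
BLOCKED_PORTS = {2222, 44818}              # TCP and UDP ports to block at the zone edge
FIXED_VERSIONS = {4: (4, 3), 5: (5, 2)}    # 4.003 and 5.002, keyed by major branch
BUILD_CUTOFF = date(2019, 3, 13)           # "made before March 13"; year is assumed

# Constructed for illustration: subnets that make up the manufacturing zone.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Hmi:
    name: str
    ip: str
    firmware: str   # for example "4.002"
    built: date


def parse_version(text):
    """Turn '4.003' into (4, 3) so versions compare numerically."""
    parts = text.strip().split(".")
    return int(parts[0]), int(parts[1])


def is_unpatched(hmi):
    """True when the unit was built before the cutoff and runs a pre-fix version."""
    if hmi.built >= BUILD_CUTOFF:
        return False
    version = parse_version(hmi.firmware)
    fixed = FIXED_VERSIONS.get(version[0])
    # Assumption: a major branch the advisory does not name is flagged for review.
    return fixed is None or version < fixed


def in_zone(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANUFACTURING_ZONE)


def parse_flows(text):
    """Parse 'src, dst, proto, dport' lines; '#' lines and blanks are skipped."""
    flows = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {number}: expected 4 fields, got {len(fields)}")
        src, dst, proto, dport = fields
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def boundary_violations(flows):
    """Flows to the blocked ports that enter the zone from outside it."""
    return [f for f in flows
            if f[2] in ("tcp", "udp") and f[3] in BLOCKED_PORTS
            and in_zone(f[1]) and not in_zone(f[0])]


def triage(hmis, flows):
    """Label each HMI by what it still needs: a patch, a block rule, both, or nothing."""
    exposed = {f[1] for f in boundary_violations(flows)}
    report = []
    for hmi in hmis:
        unpatched, reachable = is_unpatched(hmi), hmi.ip in exposed
        if unpatched and reachable:
            action = "urgent: patch and block"
        elif unpatched:
            action = "patch"
        elif reachable:
            action = "block"
        else:
            action = "ok"
        report.append((hmi.name, action))
    return report


# Constructed sample inventory and flow records.
HMIS = [
    Hmi("line1-hmi", "10.20.1.10", "4.002", date(2018, 11, 2)),
    Hmi("line2-hmi", "10.20.1.11", "5.002", date(2018, 6, 15)),
    Hmi("line3-hmi", "10.20.2.10", "5.001", date(2019, 1, 20)),
    Hmi("line4-hmi", "10.20.2.11", "5.002", date(2019, 5, 1)),
]
FLOWS = """
# src, dst, proto, dport
10.20.5.7, 10.20.1.10, tcp, 44818
192.168.40.15, 10.20.1.10, tcp, 44818
192.168.40.15, 10.20.1.11, udp, 2222
192.168.40.15, 10.20.2.10, tcp, 443
10.20.5.7, 10.20.2.11, udp, 2222
"""

if __name__ == "__main__":
    for name, action in triage(HMIS, parse_flows(FLOWS)):
        print(f"{name}: {action}")
```

A unit that is both unpatched and reachable from outside the zone is the one to handle first; a patched unit that is still reachable shows the block rule is missing or not enforced.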

What made this case the archetype for all vulnerability cases was the breadth of its applications as well as a specific isolation of vulnerabilities present in manufacturing systems. More often than not, the vulnerability-related incidents covered by Everstream Analytics, while catalogued according to a universally recognizable standard (i.e. CVE-YEAR-5 digit number), often only briefly touch upon a component. This incident was notable not only in its specification for internet-connected avenues in which a hacker would be able to act on intent. 

From a production point of view, in the event of a cyber incident, greater visibility affords supply chain managers greater control to adjust production in order to correct the vulnerability. Beyond production, detection affords supply chain managers the ability to interface with the IT means at their disposal to address the issue. While some incidents can have a patch or remedy readily available, others may take weeks to months for a remedy to be developed by an authoritative source. 

Norsk Hydro and LockerGoga

Norsk Hydro, a Norwegian aluminum producer with global operations, was the target of the LockerGoga ransomware on March 19, a new ransomware that debuted 2 months earlier at the French engineering consultancy firm Altran Technologies and was uploaded from a Dutch server the week prior. 

The attack on Norsk Hydro started in the United States and subsequently spread across its worldwide IT network overnight, to locations that included Canada, Germany, Denmark, and Norway. The company then took measures to contain the virus by isolating its factories, particularly its rolled aluminum and extruded solutions units, and switching to manual operations and procedures. 

On March 20, it succeeded in detecting the root cause of the problems and was said to be working on a plan to restart the company’s information technology systems in a safe and sound manner. The Oslo-based company was able to isolate the program responsible for the ransomware execution on March 21, yet continued to labor for 6 more days at 50% operating capacity in order to fully restore systems to pre-incident operability. Most of the company’s worldwide energy plants and smelters remained largely unaffected by the attack, but were forced to operate manually.

According to industry experts, the LockerGoga malware does not self-propagate, and was not likely to go beyond Norsk Hydro’s internal network. The ransomware is said to be different to the previous industrial cyber-attacks such as WannaCry and Petya because criminals are targeting company networks and synchronizing encryption across their geographical regions to demand ransom from the company. Norsk Hydro’s plan entailed forgoing paying the ransom and opting to restore its systems from backup servers, the only alternative to regain access to data and applications. It was this process that, while saving the company on ransomware payments, contributed to the length of restoration given the reach and multitude of countries with systems infected. 

What makes this case a model for analysis in comparison with the original LockerGoga victim, Altran, was its propagation, as well as the length of time required to restore operations. A strongly integrated and poorly segmented network can allow a simple ransomware like LockerGoga to propagate with velocity. Furthermore, a lack of strong visibility and supply chain communication in a medium outside of the organic corporate network can make recovery from a ransomware incident even more difficult. While operations are often limited once ransomware attacks occur, a greater understanding of one’s own supply chain and the warning signs preceding it, regardless of supply chain culpability in the event, can make the difference in prevention, continuity, and mitigation.

ASCO Industries ransomware 

While Norsk Hydro is exemplary of a Tier 2/3 industry ransomware incident, the ASCO Industries ransomware is exemplary of a ransomware case impacting a Tier 1 aviation and defense firm. On June 7, Zaventem, Belgium-based aeronautical component manufacturer ASCO Industries suffered a then-nondescript cyber security incident that was reported to have impacted its production facilities in Belgium, Germany, Canada, and the US. At the time of reporting, the firm, a notable supplier to Airbus, Boeing, Lockheed Martin, Embraer, and Bombardier, did not specify the incident it suffered.

Expressed symptoms, such as temporary dismissal of 1,000 of its employees at its Zaventem headquarters as well as at its Germany, Canada, and US facilities, along with the removal of systems from internet accessibility, appeared to be consistent with a ransomware attack, such as that which impacted Norsk Hydro. The incident in question was confirmed as malicious by Spirit AeroSystems sources on June 11. While upon disclosure, ASCO estimated that its systems would be restored to baseline functionality by June 13, as the week of June 10-14 passed, estimates extended to as late as June 28. As a result, the temporary dismissal effectively evolved into a prolonged, uncompensated furlough for its employees.

Perhaps the more notable point of analysis in this incident is disclosure and its relation to continuity. Norsk Hydro was known within a relatively immediate timeframe to be impacted by the LockerGoga ransomware, one that was somewhat known to the manufacturing world for its January Altran manifestation. As of this writing, like many technical details of this ASCO incident, the name of the ransomware involved is unknown. 

During the course of the Norsk Hydro attack, the ransomware was believed to have evaded traditional security. Such information is also absent for ASCO, where researchers are left to interpret DNS traffic to a C2 server to be able to properly attribute the incident. Further information awaiting disclosure is in ASCO’s action plan, whether it elects to acquiesce to the distributor of the ransomware or to reconstruct. While no data was stolen, per the most up-to-date disclosures, the concern at hand, and lesson to derive from this incident, was a lack of supply chain visibility with respect to cyber incidents preventing the ability to stymie the spread of the ransomware beyond its origin. 

Winnti (APT 17) and OceanLotus (APT32) 

The first incident in this example is an APT called Winnti, also known as APT17, which has been traced to the Jinan Bureau of China’s Ministry of State Security. It was first detected in 2015, yet came to attention in July 2019 with the discovery of its infiltration of several German, Japanese, Swiss, and French manufacturers. The case to be emphasized with Winnti was the July 24 disclosure of its vast infiltration of a multitude of manufacturers, consisting of industries such as plastics, pharmaceuticals, industrial machinery, and airlines, among others. The challenge that this sets bears similarities to the ASCO incident: proprietary supply chain cyber security is fundamental, and cascading it down the tiers can help prevent future impacts to production.

OceanLotus, also known as Advanced Persistent Threat (APT) 32, is a group of Vietnamese hackers believed to receive non-descript state sponsorship that came to the knowledge of those in the cyber intelligence community in 2015. What started out as a means of enforcing information security became a tool of warfare against private enterprises that has hit targets in several countries, and physical installations throughout Southeast Asia. In 2019, the APT came to the attention of Everstream Analytics in an incident that targeted several multinational automotive manufacturers in the country. The incident was believed to coincide with the planned introduction of the first domestically produced sedan by Vingroup.

Outlook and Recommendations

As 2019 draws to a close, we elaborate on the foremost supply chain cyber threats to come for the New Year:

  • APTs: Production-targeted APTs have been spotted before by Everstream Analytics, such as the OilRig APT targeting the energy sector in the Middle East. These incidents, however, are unique in the addition of a geopolitical risk factor. While APTs have previously only had financial MOs and targets, a renewed international climate of competition is sure to add cyber risks to export-oriented supply chains in the year to come. This therefore elevates the importance of analyzing if relocation or re-evaluation is necessary for any component or entity in a supply chain. This will provide the ability to gain visibility into incidents at their various stages, but also integrate cyber risk considerations in strategic supply chain decision-making. Locations to consider for cyber risk monitoring in 2020 as a component of supply chain security should include, but not be limited to, Southeast Asia, Northeast Asia, Oceania, Western Europe, and the Persian Gulf, to name a few.
  • Ransomware: Ransomware will continue to be the principal cyber threat to supply chain, production, and logistics operations for some time to come. Everstream Analytics has seen ransomware get closer to points of production over the years, by starting at logistic nodes and moving into factories, and we can anticipate that the New Year will bring ransomware that comes ever closer to critical points of a supply chain flow for the most damaging impact.
  • Vulnerabilities: Vulnerabilities will be a principal point of focus in 2020 as well, especially as manufacturers become more aware of how cyber incidents can evolve from warnings to near-catastrophic occurrences. In particular, since the Windows 7 end-of-life date will be on January 14, 2020, several IoT devices with medical, among other, applications, will be at risk. As further operating systems age, the list of supply chain risk-prone vulnerabilities will be bound to grow. Also, a November warning from the FBI to the automotive industry highlights this point, where brute force hacks may give way to more sophisticated, and therefore more damaging, attacks on manufacturing systems as well as end products.

While data suggests that the quantity of cyber incidents has increased based on a baseline evaluation since 2018, an encouraging development since last year is the increased availability of means to combat the threats. This information often becomes available from open and/or official sources, and can be easily cascaded to supply chain managers and IT professionals.

Everstream Analytics offers a 5-step risk evaluation process below to determine how vulnerable your system may be to a cyber incident, and what will be required to mitigate such risks. What must be emphasized this year, however, is the importance of proper analysis and visibility in ensuring that a company is best prepared to perform the first 3 tasks so that the latter 2 may be properly planned.

Figure 04: A 5-step risk evaluation process; Source: Everstream Analytics

Based on this model, below are some measures that Norsk Hydro and ASCO applied for the two ransomware incidents we explored in this report:

| | NORSK HYDRO | ASCO |
|---|---|---|
| Defence | Isolation of networks within 48 hours | Isolation of networks in excess of 168 hours |
| Mitigation | Immediate disclosure | Immediate disclosure, yet no update on type of ransomware |
| Recovery | 6 days | 7+ days |
| Exposure | While widespread, orders were cascaded to isolate as many systems as possible to contain the ransomware’s spread | Communications didn’t begin until preliminary restoration estimates had passed |
| Handling | While production was hit, ransom was not paid | Production suffered as a majority of staff (71.4%) had to be furloughed |

A key takeaway on the ransomware subject is the Norsk Hydro response, and what it tells us as a lesson for those in similar situations. While the incident was devastating for production, reducing output by 6-figures and delaying earnings reports, Norsk Hydro served as a model for early disclosure that was reflective of a transparent effort to communicate what had occurred and what they could do to address the situation. In contrast, the lack of disclosure from ASCO demonstrated a lack of supply chain visibility and an inability to mitigate risks, and threw its credibility into question. As such, the advantage of Norsk Hydro’s strategy to address ransomware was that it would provide greater advantage for those in its supply chain to mitigate risks as early as possible.

Incidents such as these serve as illustrations not only as cases for proper preventive cyber security practices, but also as a case to conduct thorough surveys and audits to obtain visibility and communication to ensure maximum protection in as unified a framework as possible. These means, while not making ransomware incidents inevitable, can make their impacts less damaging.

Vulnerability disclosures, as observed by Everstream Analytics, increasingly provide a considerable amount of information that can be properly transmitted to supply chain managers as well as IT departments to assess risk. The same holds true for phishing, as most of its indicators are quite transparent, easily communicated, and can be relayed to be blacklisted, ensuring the deepest levels of protection.

Certain risks, however, will be more challenging to mitigate, such as out-of-the-blue data breaches and denials-of-service, due to the element of surprise. With proper visibility and mitigation against the other three major subcategories of cyber attack, however, companies can ensure a robust defense that protects against all but the most unknown of surprises.

As an overall practice, those with broad sourcing networks should consult with their supply chain managers, procurement managers, and IT professionals to formulate the strongest possible defenses in anticipation of ransomware threats to come. For the upcoming year, additional emphasis must be added on thorough auditing and visibility, as this will best ensure that supply chain managers and IT professionals can pre-empt and plan to keep their supply chains up and running in the event of any cyber incident.

Annex

| Affected Entity | Date | Location | Description | Category |
|---|---|---|---|---|
| Titan Manufacturing and Distribution | January 8, 2019 | USA | Data breach of industrial vehicle manufacturer | Manufacturer |
| Oxo International | January 10, 2019 | USA (NY) | Data breach of kitchenware manufacturer | Manufacturer |
| Bel USA | January 10, 2019 | USA (FL) | Data breach of kitchenware manufacturer | Manufacturer |
| Maersk Line | January 17, 2019 | Malaysia | Phishing campaign warning | Seaport/Shipping Line |
| ControlLogix | January 16, 2019 | USA (WI) | Vulnerability in TCP/UDP on industrial controllers | Manufacturer |
| Moxa | January 24, 2019 | Taiwan | Vulnerability in IoT controllers | Manufacturer |
| Port of Rotterdam | January 30, 2019 | Netherlands | Website impersonation warning | Seaport/Shipping Line |
| Altran Technologies | January 24, 2019 | France | LockerGoga ransomware | Manufacturer |
| Eskom | February 7, 2019 | South Africa | Ransomware incident on power company | Utility |
| Allen-Bradley | February 20, 2019 | USA (WI) | 2 vulnerabilities discovered in industrial controllers | Manufacturer |
| Nyrstar | January 23, 2019 | Belgium | Ransomware discovered in zinc maker | Manufacturer |
| Various | March 4, 2019 | China | APT40 | Various |
| Viper | March 8, 2019 | USA (CA) | Vulnerabilities discovered in car alarms | Manufacturer |
| Pandora | March 8, 2019 | Lithuania | Vulnerabilities discovered in car alarms | Manufacturer |
| Citrix | March 11, 2019 | USA (CA) | FBI warns of data breach | Manufacturer |
| Container World | March 12, 2019 | Canada (BC) | Ransomware impersonator hits beverage distributor | Various |
| Kathmandu Holdings | January 8, 2019 | New Zealand | Data breach at outdoor e | Manufacturer |
| LabSat | March 18, 2019 | UK | Spoofing vulnerability discovered in auto GPS | Manufacturer |
| Medtronic | March 22, 2019 | USA (MN) | Vulnerabilities discovered in internal defibrillators | Manufacturer |
| Various | March 22, 2019 | Vietnam | APT32 | Various |
| Hexion | March 25, 2019 | USA (OH) | LockerGoga ransomware at thermoresin company | Manufacturer |
| Momentive | March 25, 2019 | USA (NY) | LockerGoga ransomware at sealant company | Manufacturer |
| Toyota | March 29, 2019 | Australia, Japan, Thailand | Data breach at national headquarters | Manufacturer |
| Bayer | April 4, 2019 | Germany | Cyber incident later discovered to be APT 17 | Manufacturer |
| Arizona Beverages | March 21, 2019 | USA (NY) | Nondescript ransomware incident on beverage manufacturer | Manufacturer |
| Advantech | April 4, 2019 | Taiwan | 3 vulnerabilities discovered in SCADA management software | Software |
| PetroBangla | April 7, 2019 | Bangladesh | Denial-of-service hack at state-owned oil company | Energy Firm |
| Hoya Corporation | April 8, 2019 | Japan, Thailand | Data breach of lens manufacturer | Manufacturer |
| Qualcomm | April 25, 2019 | USA (CA) | Vulnerability discovered in chipsets | Manufacturer |
| Aebi Schmidt | April 23, 2019 | Germany, Switzerland, Netherlands, Norway, Poland, USA (PA, OH, IL) | Production halted by ransomware | Manufacturer |
| Various electrical utilities | March 5, 2019 | USA (CA, UT, WY) | Disruptive cyber event consistent with ransomware | Utility |
| Various electrical utilities | May 2, 2019 | India (TG & AP) | Disruptive cyber event consistent with ransomware | Utility |
| Charles River Laboratories | May 2, 2019 | USA (MA) | Data breach at lab service provider | Service Provider |
| Nivient | May 2, 2019 | USA (CA & MA) | Data breach at customers of lab service provider | Manufacturer |
| Orpak | May 3, 2019 | USA (NC) | Vulnerabilities in gas station software | Software |
| GE | May 6, 2019 | USA (MA) | Vulnerabilities in power meters | Software |
| Pride Power | May 7, 2019 | China (Beijing & Fuyang) | Data breach reported at battery maker | Manufacturer |
| Louisville Muhammad Ali International Airport | May 20, 2019 | USA (KY) | Ransomware attack on airport authority | Airport/Airline |
| B&R Automation | May 30, 2019 | Austria | Vulnerabilities discovered in industrial control components | Manufacturer |
| Eurofins Scientific | June 1, 2019 | Belgium | Ransomware on pharmaceutical testing company | Manufacturer |
| Tecson/GOK | June 11, 2019 | Germany | Vulnerabilities discovered in oil tank software | Manufacturer |
| Perceptics | June 10, 2019 | USA, Canada | Data breach of license plate reader device | Manufacturer |
| WAGO | June 13, 2019 | Germany | Root privilege vulnerabilities in industrial switches | Manufacturer |
| Becton Dickinson | June 17, 2019 | USA (NJ) | Vulnerabilities in infusion pump software | Software |
| A Duie Pyle | June 15, 2019 | USA (PA) | Trucking firm hit by ransomware | Cargo Transporter |
| La Poste | June 21, 2019 | France | French postal service hit in data breach | Government |
| Sonangol | June 10, 2019 | Angola | Denial-of-service at state-owned oil company | Energy Firm |
| Dell | June 21, 2019 | USA (TX) | Vulnerability discovered in pre-installed software | Manufacturer |
| ABB | June 25, 2019 | Switzerland | 12 vulnerabilities patched in HMI products | Manufacturer |
| Huntington Ingalls | June 26, 2019 | USA (VA) | APT10 compromise of shipbuilder | Manufacturer |
| SICK | July 1, 2019 | Germany | Vulnerability in industrial controllers | Manufacturer |
| Orvibo | July 3, 2019 | China | Data breach at IoT manufacturer | Manufacturer |
| Phoenix Contact | July 2, 2019 | Germany, Italy, Turkey, Netherlands, Spain | Vulnerabilities discovered in industrial switches | Manufacturer |
| USCG Inspections and Compliance Directorate | July 9, 2019 | USA | Cybersecurity safety alert | Seaport/Shipping Line |
| Jenkins | July 8, 2019 | USA (OH) | Leak of aerospace manufacturer data | Software |
| Intel | July 9, 2019 | USA (CA) | Siemens vulnerabilities traced back to Intel root | Manufacturer |
| Rockwell Automation | July 10, 2019 | USA (WI) | High severity vulnerability in logic controller | Manufacturer |
| Siemens | July 24, 2019 | Germany | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Schneider Electric | March 20, 2019 | France | Vulnerability discovered in emulator | Manufacturer |
| Wind River Systems | July 29, 2019 | USA (CA) | 11 vulnerabilities discovered in manufacturing operating system | Software |
| Northwood | May 6, 2019 | USA (MI) | Data breach at medical equipment company | Manufacturer |
| BASF | July 24, 2019 | Germany (NW) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Sumitomo Electric | July 24, 2019 | Japan (Osaka) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| ThyssenKrupp | July 24, 2019 | Germany | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Roche | July 24, 2019 | Switzerland (Basel) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Shin-Etsu Chemical | July 24, 2019 | Japan (Tokyo) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Bostik | July 24, 2019 | France (Paris) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| Lion Air | July 24, 2019 | Indonesia (Jakarta) | Impacted by Winnti (APT17) hacking group | Airport/Airline |
| Mitsubishi | July 24, 2019 | Japan (Tokyo) | Impacted by Winnti (APT17) hacking group | Manufacturer |
| NVIDIA | July 23, 2019 | USA (CA) | Vulnerabilities discovered in chipsets | Manufacturer |
| City Power | July 25, 2019 | South Africa (GT) | Power outage induced by ransomware | Utility |
| Blastech Mobile | July 29, 2019 | USA (AL) | Ransomware incident at steel manufacturer | Manufacturer |
| Prima Systems | August 1, 2019 | Slovenia | 4 vulnerabilities in access control systems | Manufacturer |
| Lenovo | July 31, 2019 | China | Ransomware attack on NAS devices | Manufacturer |
| NCEES | August 2, 2019 | USA (SC) | Implicated in phishing campaign targeting utilities | Utility |
| Qualcomm | August 6, 2019 | USA (CA) | WLAN firmware vulnerabilities discovered that compromise Android OS | Manufacturer |
| Boeing | August 8, 2019 | USA (WA) | Crew Information Service/Maintenance System (CIS/MS) vulnerabilities discovered in 737s and 787s | Manufacturer |
| Siemens | August 9, 2019 | Germany | Zero-days discovered in Simatic S7-1500 series of industrial controllers | Manufacturer |
| Air New Zealand | August 9, 2019 | New Zealand | Phishing campaign leads to data breach | Airport/Airline |
| China National Aero-Technology Import and Export Corporation | August 9, 2019 | China | BITTER APT targets 10 sites across China | Other |
| Delta Electronics | August 12, 2019 | Taiwan | Buffer control vulnerability discovered in industrial control systems | Manufacturer |
| Siemens | August 15, 2019 | Germany | Port 23/TCP vulnerabilities discovered in SCALANCE X series switches | Manufacturer |
| Xilinx | August 21, 2019 | US (CA) | Unpatchable vulnerability discovered in system-on-chip boards | Manufacturer |
| McKesson | September 2, 2019 | US (NY) | DHS flags cardiac devices for vulnerabilities | Manufacturer |
| Philips | September 2, 2019 | US (MA) | DHS flags obstetric devices for vulnerabilities | Manufacturer |
| i365-Tech | September 6, 2019 | China | Vulnerability leads to data breach in GPS devices | Manufacturer |
| DK-LOK | September 9, 2019 | South Korea, Canada, US, Iran, Germany, Australia, Russia, Brazil, Israel, Turkey, Italy, New Zealand, Portugal, Egypt | Email platform vulnerability leads to business data disclosure | Manufacturer |
| Siemens | September 11, 2019 | Germany | 14 vulnerabilities discovered in Healthineers line | Manufacturer |
| Intel | September 11, 2019 | US (CA) | Network cache vulnerability discovered in Xeon E5 and 7 v2 processor line | Manufacturer |
| Lion Air | September 18, 2019 | Thailand, Indonesia | Data breach | Airport/Airline |
| Malindo Air | September 18-23, 2019 | Malaysia, India | Data breach traced to Indian data center | Airport/Airline |
| Total S.A. | September 23, 2019 | Liberia | Phishing campaign impersonates Liberian subsidiary of oil company | Energy Firm |
| Airbus | September 26, 2019 | UK, Netherlands | VPN hack believed to be traced to Chinese state-sponsored actors | Manufacturer |
RheinmetallSeptember 27, 2019US, Mexico, BrazilCyber incident halts auto parts productionManufacturer 
Ebm-PapstSeptember 29, 2019Germany, HungaryCyber incident halts auto parts productionManufacturer 
OticonSeptember 30, 2019Denmark, Poland, France, MexicoRansomware halts production at hearing-aid manufacturerManufacturer
Meridian Lightweight TechnologiesOctober 1, 2019Canada, Germany, UK, US, Mexico, ChinaCar parts magnesium manufacturer hack necessitates FBI assistanceManufacturer
SubaruOctober 1, 2019US (IN)Twin ransomware incidents halt automotive productionManufacturer
Heartland AutomotiveOctober 1, 2019US (IN)Twin ransomware incidents halt automotive productionManufacturer
Hibiscus PetroleumOctober 7, 2019MalaysiaCyber incident required system isolationEnergy Firm
BeckhoffOctober 9, 2019Germany2 DoS vulnerabilities discovered in TwinCAT industrial controllersManufacturer
Schneider ElectricOctober 10, 2019France11 vulnerabilities discovered in Modicon line of controllersManufacturer
Fette Compacting GmbHOctober 17, 2019GermanyProduction and employee credentials compromised at capsule manufacturerManufacturer
Pilz GmbH & Co. KGOctober 17, 2019GermanyRansomware briefly halts productionManufacturer
Ingredion IncorporatedOctober 18, 2019US (IL)Data breach led to transactional delays at ingredients makerManufacturer
Essilor InternationalOctober 23, 2019FranceData breach reported at optics manufacturerManufacturer
Kudankulam Nuclear Power PlanOctober 31, 2019IndiaBreach allegedly perpetrated by North Korean APTUtility
PemexNovember 12, 2019MexicoProduction difficulties reported following ransomwareEnergy Firm
Solara Medical SuppliesNovember 15US (MI)Data breach hits medical company through phishingSupplier 
QualcommNovember 18US (CA)7 vulnerabilities discovered in processorsManufacturer
MedtronicNovember 18US (CA)4 vulnerabilities won’t see patches until early 2020Manufacturer
SiemensNovember 18, 2019 GermanyVulnerabilties discovered in Simatic S7-1200 series of industrial controllersManufacturer
STMicroelectronicsNovember 19, 2019Switzerland2 vulnerabilities were found in processorsManufacturer
OnePlusNovember 26, 2019ChinaData breach reported at cell phone manufacturerManufacturer
DialightNovember 26, 2019US (NJ)Vulnerability in lights used at airportsManufacturer
ABBDecember 3, 2019SwitzerlandVulnerability in electrical substation controllersManufacturer
British American TobaccoDecember 4, 2019RomaniaData breach and potential ransomwareManufacturer
TECNOLDecember 5, 2019SpainRyuk ransomware at building material manufacturerManufacturer
BMWDecember 7, 2019ThailandData breach by OceanLotus APTManufacturer
HyundaiDecember 7, 2019South KoreaData breach by OceanLotus APTManufacturer
List of supply chain relevant incidents in 2019; Source: Everstream Analytics
