German industrial conglomerate ThyssenKrupp disclosed last week that technical trade secrets were stolen in a cyberattack that dates back to February.
Adversaries, ThyssenKrupp said, engaged in “organized, highly professional hacker activities” and launched their attack from the Southeast Asian region.
“According to our analyses, the aim was essentially to steal technological know-how and research from some areas of Business Area Industrial Solutions (espionage),” the company said in a statement. However, ThyssenKrupp said it can’t estimate how much “intellectual property” was stolen, adding that the “content of this loss of data is not clear yet.”
ThyssenKrupp said it has filed a criminal complaint with the German State Office for Criminal Investigation.
Tom Kellermann, CEO of Strategic Cyber Ventures, said there is strong evidence indicating the attacks are tied to a hacking crew with Russian ties known as Sofacy, also known as Pawn Storm, APT28, Fancy Bear and Sednit. “The victim has been under siege since the initial compromise of her subsidiary – an iron ore smelting facility that was attacked in 2015 causing tremendous physical damage,” he said.
Kellermann is referring to an attack against a German steel mill in which hackers manipulated and disrupted the industrial control system to the extent that a furnace malfunctioned, causing an unspecified amount of physical damage to the plant. In that assault, neither the attacker nor the victim was identified by authorities or by the German Federal Office for Information Security, which disclosed the incident. However, a number of security firms asserted that the attack against the ThyssenKrupp subsidiary had ties to Russian hackers.
ThyssenKrupp has previously denied that it was a target in the 2015 attack.
“This was a secondary breach related to an earlier Pawn Storm campaign that impacted the company… Adversaries moved laterally from one subsidiary to another until they reached the parent company,” Kellermann said. “But most importantly, I believe this is just another manifestation of Pawn Storm as it is impacting Germany and NATO and is escalating across Europe.”
Various incarnations of Pawn Storm have been active for more than two years and have been linked to attacks against NATO and military and political targets in Europe. More recently Pawn Storm was fingered by security firm Crowdstrike as being behind attacks against the Democratic National Committee resulting in the theft of research done by the DNC on President-elect Donald Trump.
Data stolen from ThyssenKrupp may not yield hackers a huge payday, but instead enable them to cause significant damage to future operations of the company, according to David Zahn, general manager of PAS, an industrial control system cybersecurity firm.
“Instead of making a large cash withdrawal, hackers could disrupt production or, worse, cause significant physical damage to production equipment, the environment or even personnel. These are the stakes when you deal with operational technology versus information technology cybersecurity,” Zahn said.
In its statement released Thursday, ThyssenKrupp said that the incident is not attributable to “security deficiencies” or human error. “It is currently virtually impossible to provide viable protection against organized, highly professional hacking attacks,” the company wrote.
Kellermann said mitigation of these types of attacks should rely on user behavior analytics and deceptive technologies deployed inside networks to root out infestations.