Rheinmetall Investigating Malware Attack at Three Plants

German Defense Contractor Says Incident Costing $4 Million a Week

An unspecified malware attack against the automotive division of Germany's Rheinmetall AG is affecting the IT infrastructure of three of the firm's global manufacturing facilities, and is costing the business about $4 million a week in lost productivity, according to the company.

The malware attack is currently affecting manufacturing facilities in the U.S., Mexico and Brazil, according to a Rheinmetall statement on Sept. 26. Disruptions to those businesses are expected to last between two and four weeks, the company says.

During that time, Rheinmetall, which is also one of the world's largest defense contractors, expects to lose between €3 and €4 million ($3.28 to $4.3 million) a week, the company says.

Not much is known about the specific malware that is affecting Rheinmetall, other than that the attack was first detected sometime on Sept. 24 within the three manufacturing facilities, the company says.

"The Rheinmetall Group is doing everything in its power to address the resulting disruption at the affected plants as quickly as possible, and to maintain as far as possible the flow of parts to customers," the company says. "While deliverability is assured in the short term, the length of the disruption cannot be predicted at this time."

A Rheinmetall spokesperson could not be reached for comment on Monday.

Other Attacks

Over the past week, several other firms connected to the global defense industry have experienced different cyber incidents.

On Sept. 27, Defence Construction Canada, a company owned by the Canadian government that supplies environmental and other management services to that country's Department of National Defence, announced that it was recovering from a "cyber incident," according to a report in the Ottawa Citizen.

A spokesperson told the newspaper that the company has been investigating the incident since Sept. 11, and that it has mainly affected procurement and other projects, according to the report. Although Defence Construction Canada did not offer specifics, sources told the newspaper that the company was hit by ransomware.

On Sept. 26, Agence France-Presse reported that Airbus, which also has connections to the global defense industry, is investigating a possible hacking incident related to attacks against the company's suppliers in search of commercial secrets.

With Airbus, however, it appears the attack was much more targeted and could be related to a hacking group with connections to the Chinese government, according to Agence France-Presse.

In the case of Airbus, Tim Bandos, vice president for cybersecurity at security firm Digital Guardian, tells Information Security Media Group that going after less-secure, third-party suppliers is a much more effective way to target the main victim, in this case Airbus.

"We've seen this countless times before where attackers go after less secure networks with a hop point into their primary target; simply because it’s a wide open back door," Bandos says. "It then makes it difficult for large organizations to detect nefarious behavior coming from a trusted party if the attacker moves in laterally using legitimate credentials."

Growing Challenge

In the case of these attacks, protecting such large-scale facilities is a challenge for even the most sophisticated companies, says Richard Gold, head of security engineering at security firm Digital Shadows. What's needed is a much broader look at all the risks that can disrupt the operation, Gold says.

"Focusing on the fundamentals of cybersecurity will get organizations a long way in terms of improving their resiliency against these kinds of attacks," Gold tells ISMG. "Patching and hardening of endpoints, logging and alerting on key indicators of malicious activity and a well-tested incident response process are all essential ingredients of an effective security posture."

Manufacturing in Crosshairs

In addition to these incidents against the defense industry, the number of attacks targeting large-scale manufacturing facilities has increased over the last several months.

One of the most well-known examples of this happened in April when Norsk Hydro, a Norwegian aluminium and renewable energy firm, sustained a malware attack on its computer system, causing the company a financial loss of 450 million Norwegian crowns ($52 million) in the first quarter of 2019 (see: Aluminum Giant Norsk Hydro Hit by Ransomware).

In the case of Norsk, investigators traced the attack back to LockerGoga, a ransomware variant that has emerged as one of the bigger threats over the past year (see: LockerGoga Ransomware Suspected in Two More Attacks).

Due to the large-scale investment by the manufacturing industry in technologies such as sensors, smart products and internet of things devices, there has been an uptick in malware and other attacks over the last several months, according to a study conducted by consulting firm Deloitte.

In the report, which is based on about 260 interviews with business and IT executives in the manufacturing industry, Deloitte found that about 39 percent of large-scale manufacturing companies acknowledged experiencing an attack in the past year.

The report also notes that 45 percent of attacks were financially motivated, while 35 percent of these incidents resulted in intellectual property theft.

(Managing Editor Scott Ferguson contributed to this report.)

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
