Throwback Attack: Foxconn hit by ransomware … twice

Courtesy: CFE Media and Technology

The year 2020 is known for many things, but mainly for COVID-19. This pandemic completely changed the way that people experienced life. Thousands were getting sick, and no one knew how to combat the virus. As a result of its quick spread, people were sent home to study and work remotely, which led to a slew of other challenges, especially in the realm of cybersecurity. For instance, ransomware attacks shot up exponentially. Even global electronics manufacturer Foxconn wasn’t immune from being targeted.

According to the Harvard Business Review, ransoms paid to attackers increased by 300% in 2020 due to the sudden spike in remote working combined with weak home security protections. This gave ransomware groups additional opportunities to start infecting more organizations. Similar to a virus that attacks the human body, there’s always the chance of a repeat infection to a company’s digital network, as well.

What is Foxconn?

According to Foxconn’s website, the company was founded in Taiwan in 1974. Hon Hai Technology Group (Foxconn) is the world’s largest electronics manufacturer and also the leading technological solutions provider.

While headquartered in Taiwan, the company is the largest private employer in the People’s Republic of China and one of the largest employers worldwide. Foxconn has established research and development and manufacturing centers around the world, including in China, India, Japan, Vietnam, Malaysia, the Czech Republic, the U.S. and more. The company owns more than 54,253 patents.

Foxconn named Young Liu its new chairman after the retirement of founder Terry Gou, effective on July 1, 2019. Liu was the special assistant to former chairman Gou and the head of business group S (semiconductor). Liu’s priorities were semiconductors, together with technologies, such as artificial intelligence, robotics and autonomous driving.

The 2020 attack on Foxconn

In November 2020, a Foxconn-owned facility located in Ciudad Juárez, Chihuahua, Mexico, was hit by a DoppelPaymer ransomware attack. This facility opened in 2005 and is used by Foxconn for assembly and shipping of electronics equipment to all regions in South and North America.

The attackers stole unencrypted files before encrypting devices and then demanded a 1804.0955 bitcoin ransom, or approximately $34,686,000 at that time. “We encrypted NA segment, not whole foxconn, it’s about 1200-1400 servers, and not focused on workstations. They also had about 75TB’s of misc backups, what we were able to – we destroyed (approx. 20-30 TB).” The hackers also encrypted 100 GB of stolen files.

DoppelPaymer published stolen files belonging to Foxconn NA on their ransomware data leak site. The data included generic business documents and reports but no financial information or employee personal details. Foxconn was one of many DoppelPaymer victims, along with Visser Precision, Pemex and more.

According to TrendMicro, DoppelPaymer uses a routine process, starting by infiltrating networks through malicious emails that contain spear-phishing links or attachments that, once clicked, will start the downloading process of the DoppelPaymer malware. Then, it encrypts files found in the network, fixed drives and removable drives in the affected system. Finally, DoppelPaymer will change user passwords before forcing a system restart into safe mode to prevent user entry from the system. It then changes the notice text that appears before Windows proceeds to the login screen, instead displaying the ransom note.

The 2022 attack on Foxconn

The second time Foxconn was attacked with ransomware, it was at a different location in Mexico. Its Tijuana-based Foxconn Baja California factory was hit by ransomware in late May of 2022. This facility specialized in consumer electronics, industrial operations and medical devices, and employed roughly 5,000 people.

According to a SecurityWeek article, “The manufacturer did not say whether data was stolen during the attack, but a threat group that operates the LockBit 2.0 ransomware recently claimed the theft of data from the facility, threatening to make it public unless a ransom is paid.” LockBit is prominently known as a ransomware-as-a-service group.

LockBit ransomware works in three stages: exploit, infiltrate and deploy. According to Kaspersky, in the exploit stage, the strategy is to use social engineering tactics, such as phishing or a brute force attack. Once LockBit makes it onto a network, the ransomware prepares the system to release its encrypting payload on every device it can reach. The second stage of infiltration is the LockBit program escalating privileges, disabling security programs and searching for the correct targets. The third stage is the deployment of the encryption payload.

After the first attack, Foxconn had a recovery plan put in place, which helped keep their business on track. The impact of this attack on their systems seemed to be minimal. Whether Foxconn paid the ransom, however, hasn’t been shared to the public.

Ransomware effects

Although a massive company, Foxconn was targeted by two different ransomware groups within a few years of each other. According to a Cybersafe Solutions article, “80% of businesses that pay a ransom end up suffering a repeat attack, often from the same threat actor. Ransomware attacks prove financially and reputationally detrimental to businesses, making it vital to prepare for — and expect — a repeat attack when companies are most vulnerable: after they’ve already been hit.”

According to Ransomware: The True Cost to Business Study 2022, 73% of organizations suffered at least one ransomware attack in 2022. The study also found that 80% of organizations who paid a ransom demand were hit by ransomware a second time, with 68% saying the second attack came less than a month later and that the threat actors demanded a higher ransom amount.

If a business has already been hit with a ransomware attack, efforts should be focused on continued monitoring with the anticipation that a repeat ransomware attack is likely on the horizon. If we’ve learned anything in the past few years, it’s that viruses can find their way back again and again.




Keep your finger on the pulse of top industry news