Industrial automation giant ABB disclosed data breach after ransomware attack

Swiss electrification and automation technology giant ABB confirmed it has suffered a data breach after a ransomware attack.

ABB has more than 105,000 employees and has $29.4 billion in revenue for 2022. On May 7, 2023, the Swiss multinational company, leading electrification and automation technology provider, suffered a cyber attack that reportedly impacted its business operations.

The news of the attack was first reported by BleepingComputer, which is aware that the attack impacted the company’s Windows Active Directory, with hundreds of devices that were infected.

BleepingComputer reported that the attack was carried out by the Black Basta ransomware group, some of the projects were delayed and the attack impacted some of the company factories.

However, Black Basta did not add the name of the company to its leak website, a circumstance that suggests that there is an ongoing negotiation, or that they paid the ransom as reported by the popular cybersecurity expert Kevin Beaumont.

Once discovered the security breach, ABB closed VPN connections with its customers to prevent the threat from spreading.

According to a press release published by the company, threat actors had unauthorized access to certain ABB systems, deployed a ransomware payload, and stole certain data.

“ABB has determined that an unauthorized third-party accessed certain ABB systems, deployed a type of ransomware that is not self-propagating, and exfiltrated certain data. The company is working to identify and analyze the nature and scope of affected data and is further assessing its notification obligations.” reads the press release. “ABB will communicate with affected parties where necessary, including, for example, specific customers, suppliers, and/or individuals where personally identifiable information was affected.”

ABB added that the investigation is still ongoing and that it is working with cybersecurity experts to determine the extent of the impact. 

ABB confirmed that the attackers accessed portions of its network and deployed a human-operated ransomware to steal certain data. The attackers had access to a limited number of servers and endpoints.

The company has fully recovered from the security breach, all factories are operating.

“All of ABB’s key services and systems are up and running, all factories are operating, and the company continues to serve its customers. The company also continues to restore any remain- ing impacted services and systems and is further enhancing the security of its systems,” continues the press release.

The company will share information regarding the incident, including indicators of compromise.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

In two weeks, the experts observed attacks against more than 10 different US-based customers

The attack chain starts with a QBot infection, The operators use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.

The researchers noticed that once obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

In April 2023, the ransomware group hit the UK outsourcing giant Capita.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ABB)