Cyber Incident Victim: ThyssenKrupp AG
Date: Feb 2016
Location: Germany
Summary
Hackers infiltrated a major industrial corporation's systems, targeting its division responsible for constructing large industrial plants and stealing trade secrets from multiple business units before detection. The breach impacted operations across several continents, with attackers believed to be operating from Southeast Asia; the company filed a criminal complaint and collaborated with authorities. This incident followed prior cyberattacks against the organization and other German industrial entities, including one causing physical damage to manufacturing equipment.
Description
In February 2016, hackers infiltrated ThyssenKrupp AG's computer systems, initiating a covert espionage operation that remained undetected until April. The attackers specifically targeted the company's Industrial Solutions division, focusing on the unit responsible for constructing large-scale industrial plants. The breach impacted ThyssenKrupp operations across multiple geographic regions, including facilities in the United States, Europe, Asia, and Argentina. During the two-month intrusion period, attackers successfully exfiltrated data records from several business units before their activities were discovered and halted. ThyssenKrupp confirmed the theft of trade secrets and proprietary information related to industrial plant construction. The company filed a criminal complaint following the discovery and collaborated with German law enforcement agencies to investigate the breach's origins and methods. Initial investigations suggested the attackers operated from Southeast Asia, though no specific nation-state or group was officially identified in connection with this incident.

This breach represented at least the second major cyberattack against ThyssenKrupp, following a 2012 compromise that also affected European defense contractor EADS, with those earlier attacks traced to Chinese systems. The company's status as a multinational industrial conglomerate with €42 billion (approximately $45 billion) in annual revenue across diverse sectors including elevator manufacturing, shipbuilding, and logistics made it a high-value target for espionage. The incident occurred within a broader pattern of cyberattacks against German industrial targets, most notably a December 2014 attack on an unnamed German steel mill where hackers caused physical damage to a blast furnace. While the 2016 ThyssenKrupp breach did not result in physical infrastructure damage, it demonstrated continued interest in German industrial trade secrets by sophisticated threat actors. The company's response focused on forensic investigation through law enforcement channels rather than public disclosure of technical specifics regarding compromised systems or data volumes.
