Cyber Incident Victim: Rheinmetall AG

Date: Sep 2019

Location: Germany

Summary

A malware infection caused significant production disruption at a German car parts manufacturer's plants in Brazil, Mexico, and the United States, leading to projected weekly losses of €3-4 million and a drop in company shares. The incident prompted an estimated recovery period of two to four weeks, though the specific malware type and responsible threat actor remained unidentified. The attack exclusively impacted operational technology systems in the affected facilities without spreading to the parent company's broader IT infrastructure.

Description

On September 26, 2019, Rheinmetall Automotive disclosed that malware infections detected since late September 24 had caused significant operational disruptions across manufacturing plants in Brazil, Mexico, and the United States. The attack forced production halts at affected facilities, with the company stating the full recovery timeline remained unpredictable but estimating disruptions could persist between two and four weeks. Parent company Rheinmetall Group projected financial losses of €3-4 million ($3.28-$4.38 million) per week beginning the following week, attributing this solely to the incident's impact on its automotive subsidiary. The malware exclusively targeted Rheinmetall Automotive's operational technology environments, with no observed compromise of Rheinmetall Group's IT infrastructure outside the three impacted countries. The affected facilities produced critical automotive components including pistons, engine blocks, and emissions control systems for major manufacturers, though specific customer delivery interruptions were not detailed.

The incident triggered an immediate decline in Rheinmetall Group's stock value when markets reopened following the disclosure. Company representatives declined to identify the malware variant or attribute the attack to any specific threat actor, providing no details about intrusion vectors or data compromise. Industry analysts contextualized the event within broader manufacturing sector vulnerabilities, noting increased exposure from digitization trends and widespread reliance on legacy industrial control systems resistant to security updates. The disruption drew comparisons to the March 2019 LockerGoga ransomware attack against Norwegian aluminum producer Norsk Hydro, which similarly forced temporary production stoppages and manual operation transitions. Rheinmetall's public communications emphasized containment efforts were ongoing but offered no technical specifics regarding malware eradication or restoration progress beyond the initial disruption timeframe.
