
Cyber Incident Victim: Continental AG

Date: Jul 2022

Location: Germany

Summary

A cyberattack targeting Continental involved unauthorized access to its IT systems, with attackers remaining undetected for approximately four weeks before anomalies were identified. The intrusion, attributed to the LockBit group, resulted in the theft of over 40 terabytes of data, though no encryption occurred and business operations remained unaffected throughout. Initial access was gained via disguised malware inadvertently executed by an employee. The company refused ransom demands, citing ethical concerns and alignment with governmental recommendations against funding criminal activities. Forensic investigations with external experts are ongoing to determine the scope of stolen data, including potential exposure of employee information, while authorities and stakeholders remain informed. No evidence of data manipulation or third-party system compromise has been identified.


Description

The cyber incident affecting Continental AG began on July 1, 2022, when attackers initially accessed the company's IT systems. Continental detected anomalies in its IT infrastructure on August 4, 2022, prompting immediate engagement with external cybersecurity experts to deploy protective measures. By August 5, 2022, all attacker activity within Continental's systems ceased, with no subsequent malicious actions observed. The company formally notified investigative authorities that same day. Forensic analysis revealed the attackers operated undetected for approximately four weeks, leveraging disguised malware that an employee inadvertently executed. No encryption of systems occurred during the intrusion, and Continental maintained full operational control throughout the incident, ensuring business activities remained unaffected. Third-party IT systems also showed no signs of compromise according to available information.

In mid-September 2022, the LockBit ransomware group contacted Continental, though the company terminated communications promptly. LockBit escalated demands in November, first offering to delete or sell stolen data for $50 million on November 9 before reducing the amount to $40 million by November 29. The group published a data inventory list on November 10 but did not disclose actual file contents. Continental confirmed the theft of over 40 terabytes of data but found no evidence of data manipulation or product compromise. The company refused ransom payments, citing ethical objections to funding criminal enterprises and alignment with recommendations from German authorities including the Federal Office for Information Security. An extensive forensic investigation, supported by a prominent audit firm, remains ongoing to analyze the stolen data's composition and sensitivity, prioritizing GDPR compliance for potential employee data exposure. Continental established dedicated internal communication channels, including intranet updates and town hall meetings, to inform stakeholders while coordinating continuously with national and international security agencies. The data review process faces significant complexity due to the volume of exfiltrated information and legal constraints, with no definitive timeline for completion.
