Cyber Incident Victim: Fincantieri Marinette Marine
Date: Apr 2023
Location: United States of America
Summary
A ransomware attack struck Fincantieri Marinette Marine, a US Navy contractor, disrupting its network operations and email servers. The incident rendered data on network servers unusable, which specifically impacted critical computer numerical control manufacturing machines and caused a temporary delay in ship construction. The company immediately isolated the affected systems, initiated an investigation, and reported the incident to relevant authorities while continuing repair and construction operations.
Description
On April 12, 2023, the Wisconsin-based shipyard Fincantieri Marinette Marine, a subsidiary of Fincantieri Marine Group (FMG) and part of Italy's Fincantieri SpA, experienced a significant cybersecurity incident. The attack occurred in the early morning hours and was identified as a ransomware event. The company's network security officials responded immediately by isolating the affected computer systems to prevent the attack from spreading further across the network. This action was a primary containment step taken to limit the scope of the disruption. FMG also promptly reported the incident to relevant government agencies and partners following the discovery.

The ransomware attack had a direct and substantial impact on the shipyard's operational technology. Attackers targeted network servers, rendering large chunks of data stored on them unusable. This data was critical as it contained the instructions fed to the shipyard's Computer Numerical Control (CNC) manufacturing machines. These CNC machines form the backbone of modern manufacturing at the facility, taking design specifications and sending precise instructions to essential equipment such as welders, cutters, bending machines, and other computer-controlled tools. The encryption of this data knocked the critical CNC machines offline for several days, causing a direct disruption to the physical manufacturing and construction processes.

The primary consequence of this operational disruption was a delay in production across the entire shipyard. Fincantieri Marinette Marine is a key contractor for the U.S. Navy, currently under contract to build the Constellation-class guided-missile frigate and the Freedom-variant Littoral Combat Ship (LCS). The shipyard is also constructing Multi-Mission Surface Combatants for the Royal Saudi Navy. The cyber attack resulted in a short-term delay to the construction programs for the frigate and the Freedom LCS. Despite the attack, repair and construction operations continued at all three of Fincantieri's U.S. shipyards, though the work was impeded by the loss of network functionality.

Beyond the manufacturing floor, the incident caused a temporary disruption to the company's email server and some broader networked operations. These systems remained offline for a period following the attack. The company brought in additional external resources to assist with the investigation into the incident and to work on restoring full functionality to all affected systems as quickly as possible. The investigation aimed to determine the full scope of the breach and the methods used by the attackers.

A key point of uncertainty following the attack was whether any data was exfiltrated. Based on information from the Navy, it remained unclear if the attackers had stolen any data. Fincantieri Marine Group itself stated that it had no evidence that employees’ personal information was affected by the breach. The company declined to elaborate beyond its initial official statement, which characterized the event as causing a temporary disruption.

The U.S. Navy was made aware of the cyber incident involving its contractor. In its own statement, the Navy acknowledged that FMG, as the parent company of Fincantieri Marinette Marine, had contracts to build significant vessels for the fleet. The Navy stated it was actively monitoring FMG's response efforts, which included the measures taken to prevent further incursions and the required response, remediation, and reporting actions mandated for federal contractors. Prime contractor Lockheed Martin also acknowledged the constant threats faced from sophisticated adversaries around the world and the regular actions taken to increase system security.

The disruption highlighted the potential impact of cyber attacks on industrial control systems and operational technology within the defense industrial base. By targeting the servers that controlled manufacturing instructions, the attack directly translated a digital security event into a tangible physical production delay. The incident demonstrated that even in cases where data theft may not occur, the encryption and disruption of operational data can have significant operational and financial implications for critical manufacturing infrastructure. The restoration of systems was a gradual process; as of the afternoon of April 20, some of the crucial CNC machines at the Marinette shipyard had been returned to an operational state, allowing production to resume more fully.
