Cyber Incident Victim: ABB
Date: May 2023
Location: Switzerland
Summary
ABB, a multinational technology firm specializing in industrial control systems, suffered a ransomware attack attributed to the Black Basta group. The incident disrupted business operations, impacting its Windows Active Directory and hundreds of devices, which led to project delays and factory disruptions. In response, the company terminated customer VPN connections to contain the attack. While the vast majority of systems were restored, the event caused significant operational interruptions.
Description
On or around May 7, 2023, the Swiss multinational technology company ABB suffered a significant cybersecurity incident. The company, a leading provider of electrification and automation technologies, confirmed it had detected an IT security incident that directly impacted certain locations and systems. The attack was attributed to the Black Basta ransomware group, a cybercrime operation that first surfaced in April 2022 and is known for its double-extortion tactics. The group operates a Ransomware-as-a-Service (RaaS) model and has been linked by researchers to the financially motivated FIN7 hacking group, also known as Carbanak.

Initial reports from within the company, as confirmed by the IT news outlet BleepingComputer, indicated the ransomware attack had successfully compromised ABB’s Windows Active Directory. This compromise had a widespread effect, impacting hundreds of devices across the corporate network. In an immediate response to contain the threat and prevent further lateral movement or the potential spread of the ransomware to external networks, ABB made the decision to terminate its VPN connections with customers. This action was a critical containment measure aimed at isolating the affected portions of its own network and protecting the infrastructure of its clients and partners.
The incident caused notable disruptions to ABB's business operations. The company acknowledged that the containment measures it implemented resulted in operational interruptions. These disruptions delayed ongoing projects and impacted the functionality of several of its factories. While the exact number of affected facilities was not specified, internal sources indicated that multiple systems and factories were involved. The company's initial public response was characterized by a high degree of caution. When first contacted for comment, ABB's press team delayed its response for 24 hours and initially declined to provide any information. Furthermore, an employee who had initially spoken to the media about internal IT problems later retracted their statements, claiming the information was a joke, which suggested an internal directive to limit public discussion of the event.
Despite the initial reluctance to publicly confirm the attack, ABB eventually issued a formal statement. The company outlined the steps it was taking, noting that it had implemented and continued to maintain measures to contain the security incident. ABB stated that the vast majority of its systems and factories were back in operation and that it continued to serve its customers securely. The company emphasized its ongoing efforts to work diligently with customers and partners to resolve the situation and minimize its impact. The attack's occurrence was particularly sensitive for ABB, given its role as a developer of industrial control systems (ICS) and SCADA systems for manufacturing and energy suppliers. The company itself routinely warns of cyber dangers for industrial processes, making the breach a significant event.
The Black Basta group's involvement was confirmed by multiple sources. This ransomware operation is known for its aggressive tactics and has been responsible for attacks on numerous high-profile organizations since its inception, including the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada. The group is also noted for its technical capabilities, having developed a Linux encryptor specifically designed to target VMware ESXi virtual machines running on Linux servers, which are common in enterprise environments. By June 2022, Black Basta had established a partnership with the QBot malware operation (QakBot), which was used to deploy Cobalt Strike beacons on infected devices, providing the threat actors with a powerful tool for lateral movement and persistence within a compromised network.
The primary impact of the incident was operational disruption. The necessity to take systems offline for containment and recovery caused delays and interruptions. The company's decisive action to sever VPN links, while crucial for containment, would have also temporarily affected its ability to remotely service and support its customers. ABB's extensive work with various customers and local governments, including Volvo, Hitachi, DS Smith, the City of Nashville, and the City of Zaragoza, meant the disruption had potential ripple effects beyond its own organization. Furthermore, ABB's operations with U.S. federal agencies, including the Department of Defense entities like the U.S. Army Corps of Engineers and civilian agencies such as the Departments of Interior, Transportation, Energy, the United States Coast Guard, and the U.S. Postal Service, highlighted the critical nature of its infrastructure and the importance of securing its systems.
The company's response followed a standard incident response protocol focused on containment, eradication, and recovery. The first step was the implementation of containment measures, which included the disconnection of vulnerable network segments and the termination of external VPN access. These actions were successful in preventing the ransomware from spreading to other networks, particularly those belonging to customers. Following containment, the focus shifted to restoring affected systems and returning operations to normal. ABB reported that it was able to bring the majority of its systems and factories back online relatively quickly, though some disruptions persisted as the company continued its remediation efforts. The restoration process involved addressing the compromised Active Directory and cleaning hundreds of impacted devices. The company’s public communications stressed a return to normal operations and a secure service delivery model for its customers, aiming to reassure stakeholders and maintain business continuity following the attack.
