
Cyber Incident Victim: Robotron

Date: Mar 2021

Location: Netherlands

Summary

Critical backup server software was compromised through a malicious update carrying BlockKopieren ransomware, which first encrypted corporate backup servers and then carried out standard ransomware operations. The vendor attributed the compromise to a prior breach of its corporate design system during the SolarWinds incident, although investigators suggested that known vulnerabilities may have been exploited rather than the original SolarWinds attackers being directly involved. Security authorities mandated immediate discontinuation of the affected software across critical infrastructure facilities; early reports indicated impacts on a small Dutch company and potential European manufacturing disruptions, though no U.S. incidents had been confirmed at the time.


Description

On March 7, 2021, the Critical Infrastructure Security Operations Sector (CI-SOC) issued an emergency directive ordering all protected facilities to immediately cease using Robotron's Werkzeugkasten backup servers. CI-SOC Director General Buck Turgidson disclosed that a routine automatic update for the backup server software had delivered BlockKopieren ransomware, which first encrypted corporate backup servers before initiating standard ransomware encryption processes. Robotron had notified CI-SOC the previous night about the first confirmed attack on a small Netherlands-based company. Turgidson emphasized the widespread adoption of Werkzeugkasten servers among CI-SOC-protected facilities as ransomware mitigation infrastructure, heightening concerns about potential cascading impacts. Robotron spokesperson Erich Mielke confirmed the malicious update originated from their systems and attributed the compromise to lingering vulnerabilities from the SolarWinds supply chain attack, which had previously breached their corporate design systems. This marked the first documented instance of malware deployment through Robotron's update mechanism following the SolarWinds incident.


Dragonfire Cyber CTO Dade Murphy observed that the ransomware deployment would represent a significant escalation from typical SolarWinds attacker behavior, which had previously focused on intelligence gathering rather than destructive payloads. Murphy noted nation-state actors generally avoid ransomware tactics, with North Korea being a rare exception, though investigators had excluded North Korean involvement in SolarWinds. An unnamed CI-SOC investigator corroborated this assessment, suggesting attackers might have exploited SolarWinds-related vulnerabilities disclosed in public reports to infiltrate Robotron's systems, but explicitly stated investigators did not attribute the ransomware campaign to the original SolarWinds threat group. While no public reports of BlockKopieren infections had surfaced by the morning of March 7, Murphy disclosed receiving assistance requests from European manufacturers experiencing unspecified software anomalies, prompting Dragonfire Cyber to deploy investigation teams. CI-SOC maintained its preventive shutdown order pending further analysis of the compromised update mechanism and malware behavior.
