Cyber Incident Victim: Advantech
Date: Nov 2020
Location: Taiwan

Summary
Advantech, a major IoT and industrial computing manufacturer, suffered a ransomware attack by the Conti ransomware group that involved both data theft and system encryption. The attackers demanded 750 Bitcoin (approximately $14 million) for decryption keys and for deletion of the stolen confidential documents, which the company characterized as low-value despite their sensitivity. Conti leaked a small sample of the data and claimed it would remove its backdoors and provide security guidance upon payment, though industry reports indicate such promises are not always honored. The incident affected some servers, but core operations remained functional. Conti, linked to the earlier Ryuk ransomware and distributed via TrickBot infections, operates as a private ransomware-as-a-service platform that targets corporate networks for lateral movement and credential compromise.
Description
On or around November 21, 2020, Advantech, a global industrial automation and IoT chip manufacturer, suffered a ransomware attack conducted by the Conti ransomware gang. The attackers encrypted systems and exfiltrated confidential company documents, later demanding a $14 million ransom (750 BTC) for decryption keys and deletion of the stolen data. As proof of capability, Conti offered to decrypt two files prior to payment and published a 3.03 GB sample archive, containing approximately 2% of the stolen data, on its leak site. The archive included a text document listing the filenames within the compressed data. The gang threatened to release additional data unless the ransom was paid, while also promising to remove its backdoors and provide security recommendations upon payment. Advantech confirmed the incident through a spokesperson, characterizing the stolen data as confidential but of low operational value, and stated that while some servers were compromised, core operating systems remained functional. The company did not disclose whether it engaged in negotiations or paid the ransom.

The Conti operators breached Advantech’s network and moved laterally to obtain domain administrator credentials before deploying the ransomware payloads. Conti, which emerged in late 2019 and intensified operations by mid-2020, operated as a private Ransomware-as-a-Service (RaaS) model that recruited experienced hackers. The group shared code with Ryuk ransomware and leveraged TrickBot malware infections for initial access, particularly after Ryuk’s activity declined in July 2020. Advantech, with over 8,000 employees and $1.7 billion in 2019 revenue, faced potential operational disruption from the encrypted systems, though critical infrastructure reportedly continued functioning. The attackers claimed the ransom would cover decryption, data deletion, and network remediation, though third-party analyses by firms such as Coveware indicated that some ransomware groups fail to delete data after payment. No public statements from Advantech detailed containment measures, recovery timelines, or forensic findings beyond the initial confirmation of the attack’s limited impact on operations.
