Cyber Incident Victim: Yanfeng International Automotive Technology
Date:
Nov 2023
Location:
China
Summary
A cyberattack targeting automotive supplier Yanfeng International Automotive Technology disrupted its operations, impacting production at certain North American assembly plants of Stellantis, the manufacturer of Chrysler, Dodge, Jeep, and Ram vehicles. The incident affected the supplier's ability to deliver just-in-time components, including seats, interiors, and electronics, leading Stellantis to monitor the situation and collaborate with the supplier to minimize further operational consequences. The disruption highlighted cybersecurity risks within automotive supply chains, though specific details regarding affected production lines or locations were not disclosed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A cyberattack targeting Yanfeng International Automotive Technology Co. Ltd., a major automotive supplier headquartered in Novi, Michigan, disrupted operations at multiple Stellantis assembly plants in North America in early November 2023. The incident became publicly acknowledged on November 13 when Stellantis confirmed production impacts stemming from the supplier’s compromised systems. Yanfeng’s website remained nonfunctional as of the evening of November 13, indicating persistent technical disruptions following the attack. The supplier provides critical just-in-time manufacturing components to automakers, including seats, interior systems, electronics, and other vehicle parts essential for assembly line operations. Stellantis, parent company of Chrysler, Dodge, Jeep, and Ram brands, experienced production halts or slowdowns at unspecified North American facilities due to parts shortages caused by Yanfeng’s inability to fulfill orders. No details were disclosed regarding the attack methodology, threat actor identity, or specific systems compromised within Yanfeng’s infrastructure.
Stellantis spokesperson Anne Marie Fortunate publicly acknowledged the production disruptions on November 13 while emphasizing collaboration with Yanfeng to minimize operational impacts. The automaker declined to identify affected plants, production lines, vehicle models, or quantify output losses. Crain’s Detroit Business first reported the supply chain disruption earlier that day, though neither Yanfeng nor Stellantis disclosed the incident’s exact start date beyond confirmation of November production impacts. The cyberattack occurred amid heightened cybersecurity concerns across Michigan’s automotive sector, coinciding with unrelated data breach lawsuits against the University of Michigan involving 230,000 compromised records. Yanfeng and Stellantis had recently pursued bankruptcy-related equipment claims against Auburn Hills supplier Unique Fabricating Inc., though no connection existed between that legal action and the cyber incident. Neither entity provided recovery timelines, forensic findings, or details regarding data compromise beyond operational disruptions to manufacturing processes.