Cyber Incident Victim: Hon Hai Precision Industry Co., Ltd.
Date:
May 2022
Location:
Mexico
Summary
A ransomware attack targeted a Foxconn manufacturing facility in Mexico, disrupting production at the strategic Tijuana plant serving as a critical supply hub for the U.S. market. The LockBit ransomware gang claimed responsibility, threatening to leak stolen data unless a ransom was paid, though the company maintained minimal operational impact and activated recovery protocols. This marked the second ransomware incident affecting the manufacturer’s Mexican operations in under two years, following an earlier attack by the DoppelPaymer group that resulted in significant data encryption and backup destruction. Production adjustments were implemented to mitigate business disruptions while systems were restored.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In late May 2022, Foxconn’s manufacturing facility in Tijuana, Mexico, suffered a ransomware attack that disrupted production operations. The company confirmed the incident publicly on June 2, acknowledging the attack occurred at one of its three Mexican plants, which produce electronics including computers, LCD TVs, mobile devices, and set-top boxes for clients such as Sony, Motorola, and Cisco Systems. The LockBit ransomware operation claimed responsibility for the attack on May 31 by threatening to leak stolen data unless Foxconn paid a ransom by June 11, indicating ongoing negotiations at the time of reporting. Foxconn did not disclose the specific ransom demands or whether data was exfiltrated, though LockBit typically targets intellectual property and sensitive corporate information to pressure victims. The Tijuana facility, described as a critical supply hub for California’s electronics market, experienced operational interruptions that required production capacity adjustments to manage the disruption. Foxconn’s cybersecurity team activated a pre-established recovery plan, gradually restoring normal operations while assuring stakeholders the incident would have minimal impact on overall group activities.
This marked the second ransomware attack on Foxconn’s Mexican operations within two years, following a December 2020 incident at its Ciudad Juárez facility where the DoppelPaymer gang encrypted 1,200–1,400 servers, destroyed 20–30TB of backups, and demanded a $34 million ransom after stealing 100GB of data. In the 2022 attack, Foxconn prioritized transparency by providing immediate updates to management, clients, and suppliers but withheld technical details about compromised systems or data types. The company emphasized operational resilience through existing contingency measures, avoiding disclosure of recovery timelines or financial losses. LockBit’s public extortion attempt reflected its pattern of targeting high-revenue organizations, though Foxconn’s response suggested confidence in mitigating long-term consequences through logistical adaptations rather than capitulating to ransom demands.