Cyber Incident Victim: Weir Group
Date: Sep 2021
Location: United Kingdom
Summary
A multinational engineering firm experienced a sophisticated ransomware attack, prompting immediate cybersecurity measures that isolated critical IT systems including enterprise resource planning and engineering applications. The incident caused significant temporary operational disruptions impacting shipments, manufacturing, and engineering activities, resulting in £50 million in deferred revenue and overhead under-recoveries during the attack month. While facilities remained operational with no immediate order cancellations, recovery efforts prioritized partial system restoration over subsequent weeks, though residual effects were expected to delay some fourth-quarter revenue into the following year alongside ongoing overhead challenges. Customer impacts were mitigated through responsive team efforts while maintaining focus on secure infrastructure restoration and resilience improvements.
Description
The Weir Group, a Scottish multinational engineering firm, experienced a ransomware attack in the second half of September 2021, as disclosed in a Q3 trading statement on October 8, 2021. The company characterized the incident as a "sophisticated attempted ransomware attack" that prompted immediate defensive measures. Cybersecurity systems and controls were activated rapidly, leading to the isolation and shutdown of critical IT infrastructure, including core Enterprise Resource Planning (ERP) systems and engineering applications. This containment strategy caused significant temporary operational disruption across the organization. Despite the attack, all facilities remained operational during Q3, with no reported impact on order intake for that quarter. Customer impacts were actively mitigated, though the company acknowledged challenges in maintaining seamless service delivery during the system outages.

The incident resulted in substantial operational consequences, including disruptions to shipments, manufacturing processes, and engineering activities. These interruptions led to £50 million in overhead under-recoveries and deferred revenue for September 2021 alone. While most delayed September shipments were expected to be fulfilled in Q4, the company projected residual effects would cause some Q4 revenue slippage into 2022, alongside continued overhead under-recovery. Restoration efforts focused on gradually reinstating partial system capabilities based on business priority, with full recovery expected to extend beyond the immediate quarter. Chief Executive Jon Stanton confirmed the attack originated externally and praised staff for minimizing customer impact despite infrastructure protection measures causing widespread temporary disruption. The company declined to disclose additional details regarding attacker identity or ransom demands when queried by media outlets.
