Cyber Incident Victim: Thyssenkrupp Automotive Body Solutions
Date:
Feb 2025
Location:
Germany
Summary
Thyssenkrupp's Automotive Body Solutions business unit experienced a cyberattack involving unauthorized IT infrastructure access, prompting immediate containment by the company's security teams and precautionary system shutdowns. The incident disrupted operations at a Saarland facility with approximately 1,000 employees, though the organization maintains the situation is under control while restoring normal operations. While attack specifics remain undisclosed, the response suggests ransomware involvement, aligning with the company's history of prior cyber incidents targeting various divisions, including data theft and multiple ransomware events affecting employee information and operational systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late January 2025, Thyssenkrupp AG disclosed a cybersecurity incident affecting its Automotive Body Solutions business unit, following the detection of unauthorized access to IT infrastructure. The company's IT security team identified the breach early, prompting immediate containment measures including the shutdown of affected systems at a Saarland-based manufacturing facility employing approximately 1,000 personnel. Corporate spokeswoman Evelin Veit confirmed collaboration between the business unit's security team and the Thyssenkrupp Group's central IT security department to neutralize the threat. The organization maintained operational continuity in other divisions while isolating compromised assets within the Automotive Body Solutions unit. Veit characterized the situation as "under control" by February 1, 2025, with recovery efforts focused on gradual restoration of normal operations. No technical specifics regarding attack vectors or perpetrator identities were disclosed, though the systemic shutdown suggested significant infrastructure compromise. Historical data indicated this marked the sixth publicly reported cyber incident targeting Thyssenkrupp entities since 2012.
The attack caused localized disruption at the Saarland production site, though the company did not quantify operational or financial impacts. This incident represented the first confirmed security breach specifically targeting the Automotive Body Solutions division, distinct from prior compromises affecting Materials Services, corporate headquarters, and North American subsidiaries. Corporate communications emphasized no evidence of enterprise-wide data exfiltration or critical infrastructure damage beyond the targeted business unit. Thyssenkrupp's response leveraged established protocols refined through previous cybersecurity incidents, including the 2016 intellectual property theft by suspected Southeast Asian actors and multiple ransomware events between 2020-2022. Investigations remained ongoing with internal security teams, though the company had not issued data exposure notifications or regulatory disclosures as of February 1, 2025. The organization's repeated targeting since 2012 underscores persistent adversarial interest in its industrial operations.