Johnson Controls Ransomware Attack: Dark Angels Demand $51m

It is now believed the September 2023 Johnson Controls ransomware attack had significant and far reaching impact, according to inside reports from the global security and smart building automation solutions provider.

The cyber attack is said to have caused serious disruption, leaving data encrypted and forcing shutdowns across the company’s IT infrastructure.

According to Bitdefender, The Dark Angels ransomware group claimed responsibility.

The group reportedly exfiltrated over 25 TB of data from Johnson Controls and is now demanding a ransom of $51m.

If the ransom is not paid, the group said it will publish the stolen data on the Dunghill Leaks site.

“We are currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal,” said a website message from Simplex, a subsidiary of Johnson Controls.

“We are actively mitigating any potential impacts to our services and will remain in communication with customers as these outages are resolved.”

What happened during the Johnson Controls ransomware attack?

Johnson Controls, who employs over 100,000 people worldwide, specialises in producing industrial control systems, physical security alarm systems, and technology and infrastructure solutions related to facilities.

Originally established in Milwaukee but currently based in Cork, Ireland, Johnson Controls conducts substantial business with U.S. federal agencies and the defence industrial base sector.

They initially reported the incident in a filing with the Securities and Exchange Commission on September 27th.

Subsequently, concerns about the situation continued to grow in the following days.

The company has since decided not to divulge additional information regarding the incident or the ongoing investigation, instead referring to its SEC filing.

However, they did confirm that they were addressing a situation what security experts have characterised as a ransomware attack, which caused disruptions to certain internal IT infrastructure and applications.

How did Government Officials Respond?

According to a report from CNN, senior officials within the Department of Homeland Security, who have contractual agreements with Johnson Controls, were actively assessing whether the attack had jeopardised sensitive physical security data.

This included critical information such as building floor plans.

One DHS spokesperson told Cybersecurity Dive:

“We are assessing the potential impacts of this incident and implementing additional safeguards to our layered security model. This was not a breach of any DHS network or system.”

The Cybersecurity and Infrastructure Security Agency is “coordinating closely with Johnson Controls to understand impacts from this incident and provide assistance as necessary.”

Potential Knock-on Effect

Gary Barlet, who serves as the federal field CTO at Illumio, has pointed out that the possible repercussions for some of the country’s most vital infrastructure highlight a broader concern regarding the security standards maintained by government contractors.

Bartlet commented via email:

“While the government continues to talk about having government contractors meet minimum security standards, there will be little incentive for vendors to invest in the needed security until there are penalties levied against vendors who fail to do so. Accountability is key, and everyone needs to start taking this seriously.”

Other professionals within the cybersecurity industry also commented on the incident, including CyberSheath CEO Eric Noonan who stated:

“Size, scale and deep penetration into the defense industrial base sector might be expected to have the resources to successfully defend against this kind of attack. One way or another, this ties back to the need to enforce minimum cybersecurity standards across the Department of Defense’s global supply chain.”

Noonan concluded by stating “These mandatory minimum cybersecurity requirements exist in well over one million DoD contracts but what’s missing is an enforcement mechanism.”

Who was behind the Johnson Controls ransomware attack?

Johnson Controls has not officially identified the responsible party behind the attack.

However, Gameel Ali, a threat researcher at Nextron Systems, shared code on Twitter that includes a ransom note attributing the attack to a group known as Dark Angels.

The ransomware group, which surfaced for the first time in May 2022, has a history of crafting ransomware variants by repurposing leaked or existing code.

SentinelOne researchers have noted their past targeting of organisations in the healthcare, government, finance, and education sectors.

Alex Delamotte, a senior threat researcher at SentinelOne, expressed that the ransom note “contains an onion link to the Dunghill Leaks site”, which has ties to Dark Angels.

However, it’s important to mention that as of now, Dunghill Leaks does not display any data linked to Johnson Controls.