Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/8/2016
03:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Data Theft At ThyssenKrupp Highlights Industrial Espionage Threat

German conglomerate confirms it was a victim of a cyberattack in which intellectual property belonging to some of its businesses was stolen.

In recent years, data breaches involving theft of financial and personal information have outnumbered cyber incidents involving theft of intellectual property and trade secrets.

But news this week of a massive data theft at German conglomerate ThyssenKrupp AG and of similar thefts at multiple major US law firms show that cyber espionage poses as critical a threat to organizations as ever.

ThyssenKrupp, best known as one of the largest steelmakers in the world, Thursday said unknown intruders apparently from southeast Asia had broken into some of its systems and stolen intellectual property belonging to some of its businesses.

In a statement, the $14 billion conglomerate identified the impacted areas as its Industrial Solutions group and Steel Europe AG.

ThyssenKrupp’s industrial solutions group employs some 19,000 people worldwide and helps build industrial plants for companies in varied industries such as chemical, oil, and mining. The 27,000-employee Steel Europe group, meanwhile, is one of the world’s leading suppliers of flat steel and accounted for some $8 billion of ThyssenKrupp’s overall revenues last year.

In the statement, ThyssenKrupp said "fragments of data," including certain project data from one of its engineering companies, had been stolen from both of the impacted businesses. But the exact nature of the data that was stolen or the extent of the theft remains unclear, it added.

Investigations show that none of ThyssenKrupp’s other operations—especially critical ones such as its ship- and submarine-building Marine Systems group and production systems handling power plants and blast furnaces—were impacted.

ThyssenKrupp’s computer emergency response team and CIOs from all business groups have been involved in the response. All affected systems have been repaired and the company has implemented around the clock monitoring of its networks for new attacks, the company said.

The data theft, especially from ThyssenKrupp’s steel business, has sparked some speculation on the threat actors behind it and their likely motives.

Robert Lee, CEO of industrial control system (ICS) security vendor Dragos Inc., via a series of Twitter posts today said the theft suggests the involvement of a large group with a full-time focus and direct industry connections. "Steel production has more trade secrets than folks realize and is very competitive," Lee tweeted. "Germany is known for having some of worlds best steel."

Andrea Carcano, founder of Nozomi Networks a company that specializes in ICS security, speculated that the threat actors might have had a multi-step attack in mind. The goal might have been to steal IP such as design and production information, and then to use it to plan a more devastating attack in future.

The ThyssenKrupp incident is the second time in recent years that a German steel manufacturer has been the victim of a cyberattack, Carcano said. In December 2014, unknown attackers disrupted operations at another German steel maker by breaking into the control systems of the mill’s blast furnace and triggering a massive fire.

It is also possible that the ThyssenKrupp attackers stole the data to improve their own business capabilities in order to better compete, or to get a look at ThyssenKrupp's plans, Carcano told Dark Reading.

The attacks also suggest the threat actors are sophisticated, he says. "This wasn’t Shamoon 2, which could have been achieved by people with low technology skills, and which occurred quickly. This attack took skill, organization and planning and it occurred over time."

Meanwhile, Fortune this week said that documents in its possession show that attackers with connections to the Chinese government were responsible for a series of data thefts from senior partners working at multiple major law firms last year.

The Wall Street Journal, which first reported the thefts in March, had identified the victims as law firms working for major US corporations. The paper had speculated that the thefts were carried out to facilitate massive insider trading.

In its report this week, Fortune said the data it has reviewed reliably shows Chinese government involvement in the data thefts.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.