Q4 2024 – a brief overview of the main incidents in industrial cybersecurity

In Q4 2024, 107 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail.

Report at a glance

• Total of 107 incidents publicly confirmed by victims.
• At least half of the victims (50%) were affected by a ransomware attack.
• 12% of all victims reported a denial of operations and 19% reported a denial of IT systems as a result of an incident.
• Countries with the highest number of reported incidents:
  • USA: 81% (87 incidents)
  • Germany: 6% (7 incidents)
  • Japan: 4% (4 incidents)
• This quarter, we saw incidents in certain countries where we rarely see public confirmation of incidents: Costa Rica, Luxembourg, Latvia, Burkina Faso, and Pakistan.
• We’d like to draw special attention to the following:
  • We know that cyberattacks harm businesses. Combined with other kinds of problems, a cyber incident can push company management over the edge to announce insolvency. Two such announcements were made this quarter, both victims manufacturing companies (one from Germany and the other from the U.S.).
  • Cyberattacks on key product or material suppliers may have consequences potentially devastating for the entire sector. In one case, incident responders claimed they had contained the incident impact and prevented major devastation.
  • Significant cybersecurity resources don’t always mean the company can relax. Two major brands confirmed they had been hacked this quarter, confirming no one is 100% secure.
  • At least three organizations related to critical infrastructure experienced denial of internal and public services as the result of an attack. In one case, the utility had to switch to manual operations.
  • An attack on a fleet management product and service provider led to denials of service to its customers, one of which was the British DHL subsidiary.
  • Trains were delayed and certain digital customer services disrupted because of an attack on a Pittsburg public transportation company.
• For the full list of incidents confirmed by victims in Q4 2024, please refer to the Appendix.

Attacks leading to insolvency

Kreisel

Manufacturing | Denial of operations, insolvency | Ransomware

German bulk material handling company Kreisel GmbH & Co. filed for insolvency on November 19, 2024. The company’s current financial difficulties are primarily due to increased financing costs and a deterioration in earnings due to the consequences of COVID, an increase in raw material and energy prices, and a cyberattack that occurred in February. The cyberattack limited the company’s ability to operate for several weeks in the first quarter of 2024. According to German press, the blackmail letter was sent by fax and the company didn’t pay the ransom. No other details are known about the cyberattack or which group claimed responsibility.

Stoli Group

Manufacturing, food and beverage | Denial of operations, denial of IT services, data leakage, bankruptcy | Ransomware

Stoli Group USA and Kentucky Owl, U.S.-based subsidiaries of the Luxembourg-based vodka manufacturer Stoli Group, filed for Chapter 11 bankruptcy on November 29, months after a ransomware attack disrupted their operations. In August 2024, Stoli Group’s IT infrastructure suffered severe disruption in the wake of a data breach and ransomware attack. The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and Kentucky Owl, due to Stoli Group’s enterprise resource planning (ERP) system being disabled and most of Stoli Group’s internal processes (including accounting) needing to be carried out manually. According to the filing, these systems will be fully restored no earlier than Q1 2025, and the cyberattack was among several factors leading the companies to seek relief. The incident also prevented Stoli U.S. subsidiaries from providing financial reports to lenders.

Biggest impact prevented by responders

TetraSoft

Energy, mining | Denial of operations and services, supply chain / trusted partner 

A targeted cyberattack on TetraSoft, a Russian company that provides remote monitoring of hydrocarbon production and drilling, was detected and stopped. The Positive Technologies expert security center team investigated and responded to the incident, thus preventing any impact on the Russian mining industry. The incident was classified as a supply chain attack targeting the mining industry. If successful, the attack could have potentially resulted in interruptions in hydrocarbon supplies under domestic and international contracts. The investigation revealed that initial penetration took place in July 2024, with the first attacker activities in the systems dating back to late September and early October 2024. The attack was carried out using a set of utilities, including remote access control and remote server management tools. Direct damage from downtime at TetraSoft is estimated at over RUB 65 million, and the cost of restoring internal services have already exceeded RUB 25 million. The company did not consider this figure to be final.

Incidents at large organizations

Schneider Electric

Energy, manufacturing | Personal data leakage | Ransomware

On November 4, French energy management and automation solutions company Schneider Electric confirmed a cyberattack involving unauthorized access to one of its internal project execution tracking platforms hosted in an isolated environment following claims by the Grep (Hellcat) group of an incident involving the theft of 40 GB and a ransom demand. Schneider Electric launched an investigation into the incident and audited its internal platforms. The company said its products and services remained unaffected. In a conversation with BleepingComputer, Grep group said they breached Schneider Electric’s Jira server using exposed credentials. Once they gained access, they claimed to use a MiniOrange REST API to scrape 400,000 rows of user data, which Grep said includes 75,000 unique email addresses and full names for Schneider Electric employees and customers.

Medion

Manufacturing, electronics | Denial of operations, denial of IT systems, data leakage | Ransomware

German electronic products supplier Medion AG, a subsidiary of Lenovo, a Chinese multinational technology company, became the target of a cyberattack. The Black Basta ransomware group claimed responsibility for the attack on Medion on December 18. The attackers claimed on their data leak website to have stolen around 1.5 TB of data, including financial and accounting data, project files, development data and personal data of employees. Medion initially acknowledged an IT incident caused by unknown external attackers in a statement on November 28, but later deleted it. It said that internal systems and its store activities were partially affected. The team worked with external specialists to resolve the situation, clean up the systems, and clarify the causes. The company was in close contact with the responsible authorities but was only available by telephone to a limited extent and written inquiries couldn’t be processed. On December 20, Medion sent a statement to the Golem.de editorial team that the company had experienced IT disruptions on November 26 due to a ransomware attack that partially affected internal systems and shop operations for a few days. The BKA and Cologne public prosecutor’s office investigated the case. It has been established that a criminal cyber group had penetrated parts of Medion’s IT system and exfiltrated company data. Although some data was published on the darknet, it was not personal customer data, according to the company’s statement. On December 20, the company issued a statement on its website informing that its IT systems were fully operational again following the disruption, the company was fully available by phone, and written inquiries will also be answered again. The delivery of orders could be subject to delays.

Critical infrastructures under attack

Brazil Saneamento Básico do Estado de São Paulo

Water supply, utility | Denial of IT systems and services | Ransomware

The Saneamento Básico do Estado de São Paulo (Sabesp) water utility company (Brazil) specializing in water transport and wastewater treatment was the victim of a cyberattack as confirmed in an email to CISO Advisor Brazil on October 22. According to the note, the company immediately adopted all security and control measures and implemented its plan to restore the affected systems. No compromise of personal data has been identified. Water supply and sewage collection and treatment operations were not affected by the cyberattack. Sabesp undertook the necessary efforts to regularize the integrity of the entire digital network system. The company reported that waiting times for service may be above average at certain times due to system instability.

According to news published on the website of Sintaema, the São Paulo sanitation worker union, it received a complaint that Sabesp experienced an internet blackout starting October 17. Sintaema’s management explained that since October 17, only the Reservoir Control System was working and other systems could only be accessed by workers online on their cell phones or external networks. Even Poupatempo, a government service that offers 400+ services related to official documents, was at a standstill for five days due to the blackout, which affected all Sabesp units across the country. The RansomHouse ransomware group claimed responsibility for the attack on Sabesp.

Refinadora Costarricense de Petróleo

Energy, utility | Denial of operations and services | Ransomware

Costa Rican energy provider Refinadora Costarricense de Petróleo (RECOPE) confirmed that it was the victim of a ransomware attack on November 27 that forced the organization to switch to manual operations, but assured the public that fuel distribution would not be affected. The company said they were forced to conduct fuel sales manually because of the attack, which took down all digital systems used to facilitate payments. Operations at tanker terminals were extended late into the night on November 27 and expanded on November 28. RECOPE added that it was working with the country’s Ministry of Science, Innovation, Technology and Telecommunications (MICITT) to resolve the situation. On November 29, the President of RECOPE said cybersecurity experts from the U.S. arrived on Thanksgiving Day and were able to help gradually restore certain systems, but said the organization will continue to operate systems manually until it is fully guaranteed that processes are safe. The company saw a spike in fuel sales due to concerns about the potential for gas and oil scarcity. Throughout the weekend, RECOPE extended hours to facilitate the sale of fuel. On November 30, RECOPE reported on the stabilization of service at terminals and guaranteed fuel supply. The company, MICITT, international experts and the DIS (Directorate of Intelligence and Security) continued to work together to address the incident. The RansomHub ransomware group claimed responsibility for the cyberattack against RECOPE.

Electrica Group

Energy, utility | Denial of services | Ransomware

Romanian electricity distributors Electrica Group announced on December 9 that it faced a cyberattack and worked closely with national cybersecurity authorities to manage and resolve the incident. The Group emphasized that its critical systems had not been affected, and any disruptions in interactions with consumers were the result of protective measures for internal infrastructure. All specific response protocols were activated in accordance with internal procedures and current regulations. The Minister of energy told a Romanian news channel that the company was the victim of a ransomware attack that did not impact Electrica’s SCADA systems. ​The Romanian National Cybersecurity Directorate (DNSC) said on December 11 that the Lynx ransomware gang breached Electrica Group. It also said that based on available data, critical power supply systems had not been affected and were operational, and the investigation was ongoing. It provided a YARA rule and indicators of compromise to help other security teams detect signs of compromise on their networks.

A report from the Center for Internet Security (CIS) highlighted the growing threat of ransomware attacks targeting utility organizations, with a particular focus on the activities of the Lynx ransomware group (tracked by Microsoft as Storm-2113), providing its Indicators of Compromise.

Other major incidents of interest

Microlise

Transportation, logistics| Denial of IT systems, denial of services | Ransomware

Microlise, a British telematics and fleet management solution provider, was affected by the cyberattack known to have disrupted DHL’s store deliveries for the retailer NISA. According to NISA’s message, the attack led to the complete wiping of servers dedicated to the tracking system used by DHL. A DHL spokesperson confirmed the incident but said that it did not affect DHL-owned systems. NISA explained that due to the cyberattack, DHL had no visibility of the progress of any of its deliveries. Motor Transport wrote that it was aware of other companies affected by the security breach, but neither they nor other companies relying on Microlise software responded to requests for comment. According to Financial Times, Serco, which handles the transport of prisoners for the Ministry of Justice, has seen vehicle tracking, panic alarms, navigation, and notifications related to estimated arrival times disabled. In a filing with the London Stock Exchange on October 31, Microlise said it had detected unauthorized activity on its networks disrupting a large portion of its services and rendering them inactive. In an updated filing with the London Stock Exchange on November 18, Microlise said it had notified international authorities regarding the exfiltration of corporate data from its HQ and continued to work with law enforcement regarding the incident. The company stressed that no customer systems data was compromised. The SafePay ransomware group claimed responsibility for the attack on Microlise.

Pittsburgh Regional Transit

Transportation | Denial of operations, denial of services, personal data leakage | Ransomware

Pittsburgh Regional Transit investigated a ransomware attack that the company detected on December 19 causing disruptions to public transportation. While rail service experienced temporary disruptions on the morning of December 19, transit services operated normally. Other rider services remained negatively impacted, including PRT’s Customer Service Center, which was temporarily unable to accept or process senior and child ConnectCards. Local news outlets reported that trains were delayed by more than 20 minutes due to the ransomware attack. Pittsburgh Regional Transit’s investigation into the ransomware attack revealed that personal data, including the Social Security Numbers and driver’s license numbers of job applicants and past and current employees may have been compromised. Law enforcement was involved in the response and the investigation began in collaboration with cybersecurity experts.

Two ransomware groups claiming an attack

Nidec

Manufacturing | Data leakage, personal data leakage | Ransomware

Japanese electric motor manufacturer Nidec confirmed that various types of business and internal documents were stolen in an August 2024 ransomware attack. According to the company’s news releases on its website, the incident impacted its Vietnam-based subsidiary Nidek Precision (NPCV) and was discovered after the attackers contacted Nidec to demand a ransom payment. The ransomware attack was limited to NPCV’s network and was not followed by other intrusions. According to the company, the threat actors stole a total of 50,694 files from NPCV, including internal documents related to green procurement, health and safety, policies, and transactions, as well as emails from business partners. Nidec also noted that the intrusion likely occurred after the attackers obtained the user ID and password of an NPCV general domain account and used them to log in to the server and view files the account was authorized to access. In response, Nidec and its subsidiaries conducted a thorough investigation, reviewed server access rights, and changed passwords. NPCV also suspended the use of the VPN application believed to have been used as part of the attack. In September, the NPCV filed a notification with the Department of Cybersecurity and High-Tech Crime Prevention and Control of the Ministry of Public Security of Vietnam in accordance with the Personal Information Protection Act.

Both the 8base and Everest ransomware groups listed the company on their leak sites in June and August, respectively. Nidec’s incident notice suggests that Everest was behind the extortion attempt, as the group leaked data purportedly stolen from the company in early August.

CR&R

Manufacturing, recycling | Personal data leakage | Ransomware

U.S. waste collection and recycling company CR&R Inc. reported to the attorneys general of Maine and Vermont that it had experienced a data breach in which sensitive personal identifiable information in its systems may have been accessed. According to the breach notice, on or about December 13, 2022, a network disruption was experienced that impacted certain systems. CR&R launched an investigation that was completed on October 30, 2024. The company confirmed that sensitive personal information in its systems may have been compromised by an unauthorized third party during the incident on October 19, 2022. As a result, CR&R began a review of the data to determine what information had been impacted and identify the specific individuals affected. CR&R has not publicly disclosed the exact nature of the personal information that may have been exposed. On December 26, 2024, CR&R began mailing data breach notification letters to impacted individuals. Vice Society ransomware group claimed responsibility for the attack on CR&R on November 6, 2022. A month later, in December 2022, BlackCat/ALPHV ransomware group also included CR&R among its victims.

Appendix. Full list of confirmed incidents