A brief overview of the main incidents in industrial cybersecurity. Q2 2025

Related tags

automotive

construction

data leakage

denial of IT services

denial of operations

denial of service

electronics industry

energy sector

food & beverage

logistics

manufacturing

metallurgy

mining

personal data leakage

ransomware

textile

transportation

utilities

In Q2 2025, 135 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail.

Incidents at large organizations

Samsung Germany

Manufacturing, electronics | Personal data leakage

According to the cybercrime intelligence firm Hudson Rock, a threat actor, going by the pseudonym GHNA published approximately 270,000 customer records allegedly stolen from Samsung Germany’s ticketing system. GHNA apparently gained access to Samsung’s system using stolen credentials from a Spectos account used for monitoring and service quality improvements. The credentials were compromised in 2021, when an employee’s computer was infected with the Raccoon Infostealer. Hudson Rock identified personally identifiable information such as names, addresses, email addresses, as well as transaction information, order numbers, tracking URLs, support interactions, and communication between customers and Samsung.

On April 1, Samsung provided Heise and CSO with a brief statement saying that an incident involving unauthorized access to customer data had occurred on an IT system belonging to one of Samsung’s business partners in Germany. Samsung said it took the security of its customers’ data very seriously and was investigating the extent of the incident.

On April 7, the Spectos service provider released a statement. According to the statement, a cloud server belonging to Spectos was compromised by a targeted cyberattack on March 29. The attackers exploited a vulnerability in a secondary server to gain unauthorized access to data storage within the cloud infrastructure. Personal data from two customers was collected and published on the dark web. Additional activity by the attacker was detected on April 2. This resulted in the immediate shutdown of the affected servers and the hiring of the external cybersecurity service provider G DATA to conduct a forensic investigation. Spectos informed all the relevant authorities in accordance with applicable legal regulations.

Attacks leading to insolvency

Eu-Rec

Utilities, waste management | Denial of operations, personal data leakage, insolvency | Ransomware

German disposal company Eu-Rec learned on April 7 that it had fallen victim to a cyberattack despite extensive security measures. It couldn’t be ruled out that unauthorized third parties had gained access to personal data during the attack. The personal data of an estimated 200 private customers and business contacts was exposed. According to the Mercur news portal, the cyberattack forced Eu-Rec GmbH to file for insolvency with the Trier District Court. The report stated that the company was already in a strained financial situation due to rising energy prices and fluctuating orders. The cyberattack exacerbated the situation by causing significant disruption to operations. Despite the insolvency, Eu-Rec GmbH’s business operations will continue in full. Employees’ wages were secured through insolvency benefits. The Safepay ransomware group claimed responsibility for the attack.

Fasana

Manufacturing | Denial of operations, insolvency | Ransomware

In May, a cyberattack disrupted operations at German paper napkin manufacturer Fasana, leaving the company facing insolvency. According to a report in the Kölner Stadtanzeiger newspaper, on May 19, all systems, including PCs and laptops, were paralyzed, and all the printers began printing ransom notes. One employee stated that orders worth more than 250,000 euros could not be fulfilled on May 20, and no significant revenue was generated over the following two weeks. Employees did not receive their May salaries on time. The insolvency administrator noted that the company couldn’t even print a delivery note and that business operations were completely paralyzed. Approximately 190 laptops and PCs were collected, scanned, and had all programs reinstalled. IT specialists were called in to enable communication and get production up and running as quickly as possible. Three weeks after the attack, the full range of programs was apparently still unavailable. For instance, it was reported that customer service was using only one computer.

According to a report by WDR, Fasana suffered a ransomware attack by a group known to the police. The malware spread rapidly, locking computers and encrypting files. No publicly tracked ransomware gang claimed responsibility for the attack.

Attack with cyber-physical effect

Lake Risevatnet dam

Utilities, water supply | Denial of operations

According to the Norwegian energy news agency Energiteknikk, unknown attackers hacked a Norwegian dam and remotely opened its water valve to full capacity in April. The incident affected the Lake Risevatnet dam in the municipality of Bremanger in Western Norway. The valve operated at full capacity for four hours before the unauthorized intervention was detected and contained. Fortunately, the attack resulted in minimal damage, as the volume of water only slightly exceeded the minimum water flow requirement. The water level exceeded the minimum norm by 497 liters per second, while local authorities said the riverbed could withstand up to 20,000 liters per second. An investigation found that the hack was possible due to a weak password for the valve’s web control panel. This is considered a common problem for many industrial control systems. However, it was unclear whether the valve was intentionally turned on at full power.

On April 10, the dam operator notified the National Security Authority, which shared the information with the dam safety unit of the Norwegian Directorate of Water Resources and Energy. A document seen by journalists noted that the attack originated in Russia, though the Directorate did not confirm this.

Attacks leading to denial of operations

Sensata Technologies Holding

Manufacturing | Denial of operations and services, data leakage | Ransomware

Sensata Technologies Holding, a US global industrial technology company that makes mission-critical sensors, electrical protection components, and sensor-rich solutions, experienced a ransomware incident on April 6 that encrypted certain devices in its network. According to a Form 8-K filed with the US Securities and Exchange Commission (SEC), the incident temporarily impacted Sensata Technologies’ operations, including shipping, receiving, manufacturing, production and various other support functions. The company implemented interim measures to restore certain functions, but the timeline for a full recovery was not known. A preliminary investigation identified evidence that files were taken from the company’s environment. Sensata Technologies worked to identify and review the files involved.

Upon discovery of the incident, Sensata Technologies immediately activated its response protocols and implemented containment measures, including proactively taking its network offline. The company also launched an investigation with the assistance of third-party cybersecurity professionals. In coordination with legal counsel, Sensata Technologies notified law enforcement of the matter and supported its investigation. As of the date of the Form 8-K, Sensata Technologies did not expect the incident to materially impact the company’s financial results and operations for the three months ending June 30, 2025. However, the full scope and impact of the incident was still unknown and it could be determined in the future that the incident was material to the company’s financial statements and results of operations.

Kintetsu World Express

Transportation, logistics | Denial of operations and services | Ransomware

Kintetsu World Express, a Japanese logistics provider that offers air and sea cargo services globally, confirmed that it had fallen victim to a ransomware attack that disrupted some of its systems. Kintetsu World Express first reported service disruptions affecting certain customers on April 23, when the attack was first discovered. No additional details were provided at that time.

In a statement issued on April 28, the company announced that an investigation had determined the cause of the failure to be unauthorized access to the system by a third party through ransomware. Some operations continued to be affected. Kintetsu World Express established an Emergency Response Headquarters to conduct investigations, including a forensic investigation, to identify the scope of the incident’s impact and its cause. The investigations were conducted in coordination with external professionals. The company also consulted with and reported to the Japanese police regarding the incident. In a statement issued on April 30, the company said it was in the process of restoring the affected systems. Most systems remained fully functional, enabling the company to support customers with minimal disruption.

Optimax Technology Corporation

Manufacturing | Denial of operations | Ransomware

According to a bulletin from the Taiwan Stock Exchange portal published on April 7, the information systems of Taiwanese polarizer manufacturer Optimax Technology Corporation were attacked by hackers. Once the cyberattack was detected, the company immediately activated relevant defense mechanisms to minimize the cybersecurity risks. There was no evidence of personal data or internal document leaks, and there was no significant impact on the company’s operations. The company continued to enhance the security controls of its network and information infrastructure, while closely monitoring them to ensure information security. In April, the Qilin ransomware group and another actor named Devman claimed responsibility for the attack on Optimax Technology Corporation.

Excellence Optoelectronics

Manufacturing, electronics | Denial of IT systems and operations | Ransomware

According to a bulletin from the Taiwan Stock Exchange portal published on June 5, Taiwanese LED lamp and component manufacturer Excellence Optoelectronics suffered a cyberattack targeting its intranet and information systems. The company immediately activated relevant defense mechanisms to avoid any impact on information security and global operations. There was no significant impact on the company’s operations. The company said it would continue to closely monitor and strengthen its information security measures.

Holz Ruser

Manufacturing | Denial of operations

German wood processing company Holz Ruser suffered a cyberattack on April 17, according to a local news outlet. The owner and managing director said at the time that the full extent of the damage could not be assessed until April 23 due to the holidays. The malware reportedly spread to the entire IT system and paralyzed business operations. No further information was available at the time of the announcement.

Masimo Corporation

Manufacturing | Denial of operations and services

According to a Form 8-K filing with the US Securities and Exchange Commission, US medical equipment manufacturer Masimo Corporation identified unauthorized activity on its on-premises network on April 27. Upon detection, the company activated its incident response protocols and implemented containment measures, including the proactive isolation of affected systems. Masimo Corporation promptly commenced an investigation with the help of third-party cybersecurity professionals to assess, mitigate, and remediate the incident. The company also notified and coordinated with law enforcement. As a result of the incident, some of the company’s manufacturing facilities operated below normal levels, and the company’s ability to process, fulfill, and ship customer orders in a timely manner was temporarily impacted. The company worked diligently to restore normal business operations, bring the affected portions of its network back online, and mitigate the impact of the incident. The full scope, nature, and impact of the incident were unknown. The company believed the incident did not affect its cloud-based systems and appeared to be unrelated to them.

Nucor Corporation

Manufacturing, metallurgy | Denial of IT systems and operations, data leakage

The US steel company Nucor Corporation identified a computer security breach involving unauthorized access to certain information technology systems. According to a Form 8-K filing with the US Securities and Exchange Commission on May 14, the company took steps to contain and respond to the incident. These steps included implementing its incident response plan and notifying federal law enforcement authorities. Production operations were temporarily suspended at some plants, but were later restarted. In a subsequent filing with the US Securities and Exchange Commission, Nucor Corporation confirmed that the attackers also stole data from compromised systems. The company said it had restored access to systems impacted by the breach, and believed the threat actor no longer had access to its IT systems. According to Nucor Corporation, the cybersecurity incident did not have a material impact, nor was it reasonably likely to have, a material impact on the company’s business operations.

Breton

Manufacturing | Denial of IT systems and operations

On May 1, Breton, an Italian company that produces machines and plants for engineered stone and metalworking, suffered a cyberattack. According to a post on its website, the attack affected the IT infrastructure at the company’s headquarters, temporarily compromising some operating systems. Thanks to its prepared and tested computer emergency response plan, the company environment was completely secured, and operations were quickly restored.

Arla Foods

Manufacturing, food and beverage | Denial of IT systems and operations

Arla Foods, a Danish dairy company with operations in Germany, was affected by a cybersecurity incident. The company identified suspicious activity at its Upahl dairy site that impacted the local IT network. Production was temporarily affected as a result of the safety measures initiated in response to the incident. Production and IT experts worked diligently to resume normal operations at the site, with the company systematically restarting systems to ensure a return to full functionality. Arla Foods informed affected customers of possible delivery delays and cancellations. BleepingComputer asked the company if the attack involved data theft or encryption, but Arla declined to share any additional information.

Wellteam

Manufacturing | Denial of operations and services

According to a local media report, German packaging manufacturer Wellteam fell victim to a cyberattack that impacted nearly every operational process, halting machinery and transportation. The attack rendered machines inoperable and prompted the company to send employees home. Wellteam reportedly became aware of the attack on May 23. Initially, internal communications were affected. Despite the implementation of extensive protective measures in accordance with internal emergency procedures, serious disruptions ultimately occurred. Production was severely disrupted. Wellteam declined to disclose further details about the attack. The company stated that because they reacted quickly, no data – neither employee nor customer – was leaked.

Siloking

Manufacturing | Denial of IT systems and operations | Ransomware

On June 15, German agricultural machinery manufacturer Siloking was hit by a cyberattack that caused operational disruptions. In response to a request, the company stated in a press release that ransomware had encrypted systems. Production continued in emergency mode. After the cyberattack was discovered, the authorities and the State Criminal Police Office were immediately notified. The network and all the company computers were reinstalled. In June, the Qilin ransomware group claimed responsibility for the attack on Siloking.

Estes Forwarding Worldwide

Transportation, logistics | Denial of operations | Ransomware

On June 25, US logistics company Estes Forwarding Worldwide told FreightWaves that it had been hit by a cyberattack on May 28. Estes Forwarding Worldwide said it had notified employees and customers of the attack. The company assured that there was no significant disruption to its business. Thanks to robust cybersecurity protocols, system redundancies, and the swift response of the IT team and third-party security experts, the company was fully operational within hours. Estes Forwarding Worldwide expressed gratitude for the support of its parent company, Estes Express Lines, throughout the incident. Neither Estes LTL nor Estes Logistics were impacted by the attack. EFW said it would enhance its security measures. In June, the Qilin ransomware group claimed responsibility for the attack on Estes Forwarding Worldwide.

United Natural Foods

Transportation, logistics | Denial of services and operations

US grocery supplier and distributor United Natural Foods filed a Form 8-K with the US Securities and Exchange Commission, disclosing that unauthorized access to their system was discovered on June 5. The company promptly activated its incident response plan, implementing containment measures that included proactively taking certain systems offline. These measures temporarily impacted the company’s ability to fulfill and distribute customer orders. The incident caused disruptions to business operations that were expected to continue. With the help of third-party cybersecurity professionals, United Natural Foods worked actively to assess, mitigate, and remediate the incident and notified law enforcement. According to its business continuity plans, United Natural Foods implemented workarounds to continue servicing its customers where possible. The company continued working to restore its systems and bring them safely back online.

Appendix. Full list of confirmed incidents