A ransomware group has targeted Foxconn, the major electronics manufacturer, claiming to have stolen 8 terabytes of sensitive data. This data reportedly includes schematics and project details related to key clients like Dell, Google, Apple, and Nvidia. Although Foxconn has not issued a statement about the accuracy of these claims, it has acknowledged that some of its North American facilities recently experienced a cyberattack, causing temporary disruptions in production. The affected factories are reported to be returning to normal operations.
Foxconn’s extensive global reach and its crucial role in manufacturing components and devices make it a desirable target for ransomware and data extortion groups. The company safeguards not only its own intellectual property but also that of its high-profile customers, including intellectual property tied to Apple’s iPhones. Industry experts note that organizations within the supply chain, both physical and digital, are increasingly being pursued by ransomware actors for this very reason.
Known as the Nitrogen group, the attackers listed Foxconn on their breach site recently. This group emerged in 2023 and, while not among the most prominent ransomware actors, has demonstrated consistent activity with periodic spikes in operations, including a notable increase at the end of 2024. It has also been linked to the infamous ALPHV/BlackCat ransomware group, highlighting the interconnected nature of cybercriminal organizations.
Foxconn has a history of being targeted by extortion attempts. Notably, in December 2020, the DoppelPaymer group attacked a Mexican facility, demanding 1,804 Bitcoin, equivalent to approximately $34 million at that time. Another attack came in May 2022 when the LockBit group targeted a different Foxconn facility in Mexico, disrupting production. More recently, in 2024, LockBit attacked one of Foxconn’s subsidiaries, Foxsemicon Integrated Technology, leading to data breach claims.
The Nitrogen group combines extortion through threatened data leaks with traditional ransomware that encrypts system data. Researchers indicate that the ransomware utilized by the group is based on the widely adapted “Conti 2” code. However, it suffers from a significant design flaw that prevents data decryption, even if the attackers wish to restore access to the affected systems. It remains unclear how this flaw has influenced Foxconn’s response strategy in the current incident.
Ransomware and data extortion present ongoing challenges in digital security, with attackers routinely revisiting previous targets and adopting increasingly aggressive tactics to execute large-scale disruptive attacks. In a recent example, thousands of schools across the United States faced major interruptions as the educational technology firm Instructure suspended access to its Canvas platform following a breach, underscoring the persistent threat posed by cybercriminals.
Given the techniques likely involved in this latest attack, adversaries may have employed tactics from the MITRE ATT&CK framework, such as initial access through phishing or exploitation of vulnerabilities. Persistence techniques could have been used to maintain control over compromised systems, while privilege escalation might have enabled attackers to gain enhanced access to sensitive data. As cybersecurity threats continue to evolve, organizations must remain vigilant and proactive in safeguarding their digital assets.