Johnson Controls hit by ‘severe’ cyberattack

Johnson Controls International is responding to a cybersecurity incident that disrupted some of its internal IT infrastructure and applications, the company has said in a filing with the Securities and Exchange Commission. While Johnson Controls did not describe the nature of the incident, security experts are blaming a ransomware attack.

The company, which was founded in Milwaukee but is headquartered in Cork, Ireland, and manufactures industrial control systems, security systems and HVAC equipment, said it’s working to mitigate the impact of the cyberattack as it assesses what information was impacted.

Many of the company’s applications remain operational and workarounds are in place where possible, the company said. “The incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations,” Johnson Controls said in the SEC filing. A threat actor encrypted many company devices, including VMware ESXi servers, Bleeping Computer reported.

Cybersecurity experts present a more serious view of the attack as the company investigates the matter with incident response firms and coordinates with its insurers.

“The damage does seem to be pretty severe,” Allan Liska, threat intelligence analyst at Recorded Future, said via email. “Given that the ransomware groups managed to disrupt ESXi and Linux systems, as well as Windows systems, within Johnson Controls this is not surprising. It also would indicate that the group had extensive and unfettered access to the entire network.”

The impact appears to be limited to Johnson Controls, and not its customers’ environments, which suggests the ransomware hasn’t spread, according to Liska. “However, we still don’t know what was in the data stolen by the ransomware group,” Liska said. Johnson Controls employs almost 100,000 people across subsidiaries including ADT, Tyco, York, SimplexGrinnell and Ruskin.
