A September cyberattack against Johnson Controls International remains under investigation, but concerns linger about potential downstream impacts that may hit the company’s customers.
The company, which was founded in Milwaukee but now headquartered in Ireland, does extensive business with U.S. federal agencies and the defense industrial base sector and first disclosed the incident in a Sept. 27 filing with the Securities and Exchange Commission. Concerns escalated days later.
Johnson Controls, which manufactures industrial control systems, physical security alarm systems and facility-related technology and infrastructure, is responding to what security experts described as a ransomware attack that disrupted some internal IT infrastructure and applications.
The company declined to share new details about the incident or its ongoing investigation and referred back to its SEC filing.
Senior officials in the Department of Homeland Security, which has contracts with Johnson Controls, were trying to determine if the attack compromised sensitive physical security information, including agency building floor plans, CNN reported Friday.
“We are assessing the potential impacts of this incident and implementing additional safeguards to our layered security model,” a DHS spokesperson told Cybersecurity Dive. “This was not a breach of any DHS network or system.”
The Cybersecurity and Infrastructure Security Agency is “coordinating closely with Johnson Controls to understand impacts from this incident and provide assistance as necessary,” a spokesperson said.
Downstream concerns
The potential downstream impacts on some of the nation’s most critical infrastructure underscores a larger issue with government contractors’ security standards, according to Gary Barlet, federal field CTO at Illumio.
“While the government continues to talk about having government contractors meet minimum security standards, there will be little incentive for vendors to invest in the needed security until there are penalties levied against vendors who fail to do so,” Barlet said via email. “Accountability is key, and everyone needs to start taking this seriously.”
A company of Johnson Controls’ “size, scale and deep penetration into the defense industrial base sector might be expected to have the resources to successfully defend against this kind of attack,” CyberSheath CEO Eric Noonan said via email.
“One way or another, this ties back to the need to enforce minimum cybersecurity standards across the Department of Defense's global supply chain,” Noonan said. “These mandatory minimum cybersecurity requirements exist in well over one million DoD contracts but what's missing is an enforcement mechanism.”
Seeking attribution
Johnson Controls hasn’t named the threat actor behind the attack, but code shared on social media by Gameel Ali, a threat researcher at Nextron Systems, contains a ransom note that attributes the attack to a group called Dark Angels.
The ransomware group, which first emerged in May 2022, is known to create ransomware variants from leaked or existing code and previously targeted organizations in healthcare, government, finance and education, according to SentinelOne researchers.
“The ransom note also contains an onion link to the Dunghill Leaks site, which is associated with Dark Angels,” Alex Delamotte, senior threat researcher at SentinelOne, said via email. “At this time, Dunghill Leaks does not show data attributed to Johnson Controls.”