Skip to main content
close search
site logo

Johnson Controls hit by ‘severe’ cyberattack

The manufacturer of industrial control systems, security systems and HVAC equipment, said it’s still assessing what information was impacted.

Published Sept. 28, 2023
Matt Kapko's headshot
Senior Reporter
Johnson Controls logo above a production plant in Hanover, Germany.
Johnson Controls provides and manages energy efficiency systems for facilities around the globe. Sean Gallup via Getty Images

Johnson Controls International is responding to a cybersecurity incident that disrupted some of its internal IT infrastructure and applications, the company said Wednesday in a filing with the Securities and Exchange Commission. While Johnson Controls did not describe the nature of the incident, security experts are blaming a ransomware attack.

The company, founded in Milwaukee but headquartered in Cork, Ireland, manufactures industrial control systems, security systems and HVAC equipment, said it’s working to mitigate the impact of the cyberattack as it assesses what information was impacted.

Many of the company’s applications remain operational and workarounds are in place where possible, the company said.

“The incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations,” Johnson Controls said in the SEC filing.

A threat actor encrypted many company devices, including VMware ESXi servers, Bleeping Computer reported.

Cybersecurity experts present a more serious view of the attack as the company investigates the matter with incident response firms and coordinates with its insurers.

“The damage does seem to be pretty severe,” Allan Liska, threat intelligence analyst at Recorded Future, said via email. “Given that the ransomware groups managed to disrupt ESXi and Linux systems, as well as Windows systems, within Johnson Controls this is not surprising. It also would indicate that the group had extensive and unfettered access to the entire network.”

The impact appears to be limited to Johnson Controls, and not its customers’ environments, which suggests the ransomware hasn’t spread, according to Liska.

“However, we still don't know what was in the data stolen by the ransomware group,” Liska said.

Johnson Controls employs almost 100,000 people across subsidiaries including ADT, Tyco, York, SimplexGrinnell and Ruskin.

“Johnson Controls is widely used in many critical infrastructures and this attack will systemically impact sectors from transportation to energy to defense,” Tom Kellermann, SVP of cyber strategy at Contrast Security, said via email.

“This is a significant destructive attack which will be felt for months. I am concerned about the impending second stage of this attack, especially if the miscreants use Johnson Controls infrastructure to launch subsequent destructive attacks,” Kellermann said.

Cybersecurity Dive reached out to Johnson Controls for comment and a spokesperson pointed back to the SEC filing.

“The company’s investigations and remediation efforts are ongoing,” Johnson Controls said in the filing. “The company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.”

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell