Johnson Controls International is responding to a cybersecurity incident that disrupted some of its internal IT infrastructure and applications, the company said Wednesday in a filing with the U.S. Securities and Exchange Commission. While Johnson Controls did not describe the nature of the incidents, security experts are blaming a ransomware attack.
The company, founded in Milwaukee but headquartered in Cork, Ireland, said it is working to mitigate the impact of the cyberattack as it assesses what information was impacted.
Many of the company’s applications remain operational and workarounds are in place where possible, the company said.
“The incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations,” Johnson Controls said in the SEC filing.
A threat actor encrypted many company devices, including VMware ESXi servers, Bleeping Computer reported.
Cybersecurity experts present a more serious view of the attack as the company investigates the matter with incident response firms and coordinates with its insurers.
“The damage does seem to be pretty severe,” Allan Liska, threat intelligence analyst at Recorded Future, said via email. “Given that the ransomware groups managed to disrupt ESXi and Linux systems, as well as Windows systems, within Johnson Controls this is not surprising. It also would indicate that the group had extensive and unfettered access to the entire network.”
The impact appears to be limited to Johnson Controls, and not its customers’ environments, which suggests the ransomware hasn’t spread, according to Liska.
“However, we still don't know what was in the data stolen by the ransomware group,” Liska said.
Johnson Controls, which manufactures industrial control systems, security systems and HVAC equipment. employs almost 100,000 people across subsidiaries including ADT, Tyco, York, SimplexGrinnell and Ruskin.
“Johnson Controls is widely used in many critical infrastructures and this attack will systemically impact sectors from transportation to energy to defense,” Tom Kellermann, SVP of cyber strategy at Contrast Security, said via email.
“This is a significant destructive attack which will be felt for months. I am concerned about the impending second stage of this attack, especially if the miscreants use Johnson Controls infrastructure to launch subsequent destructive attacks,” Kellermann said.
Cybersecurity Dive reached out to Johnson Controls for comment and a spokesperson pointed back to the SEC filing.
“The company’s investigations and remediation efforts are ongoing,” Johnson Controls said in the filing. “The company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.”