On September 27, Johnson Controls, a manufacturing company that produces security systems, control systems, and other industrial infrastructure technology, announced in a report to the United States Security and Exchange Commission that it had been hit by a cyberattack.

What happened

According to an article recently published by Cybersecurity Dive, a ransomware attacker encrypted several of Johnson Controls’ IT devices, limiting access to servers and “disrupt[ing]… business operations.” In their report to the Security Commission, Johnson Controls security team members say they are doing everything they can to continue running operations as usual:

“To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers.”

Possible suspects

Although Johnson Controls has declined to state the party responsible for the incident, an independent threat researcher posted on X what he claims is code from the attack, which contains a ransom note from a group dubbed the Dark Angels. Since the group began launching attacks in May of 2022, it has breached the security systems of various “healthcare, government, finance and education” organizations, encrypting confidential data and threatening to leak it online. So far, no evidence shows that Johnson Controls’ data has met with such a fate.

Ripples and response

Due to the complex design of Johnson Controls’ industrial infrastructure technology, there is a possibility that the attack could significantly effect its customers – some of which are government agencies. Tom Kellerman, the Senior VP of cyber strategy at Contrast Security, recently stated:

“Johnson Controls is widely used in many critical infrastructures and this attack will systemically impact sectors from transportation to energy to defense.”

In response to the scale of this attack, experts declare that it is more vital than ever for governments to erect concrete defenses against cyber attackers, and to hold government contractors accountable when it comes to meeting minimum cybersecurity standards.