Takeaways from the Johnson Controls Hack

What we can learn from one of the industry's largest data thefts.


Last September, Johnson Controls, a global manufacturer of facility and industrial control and security products, was the victim of a ransomware attack perpetuated by a hacker group known as the Dark Angels. The group apparently entered the company’s network through a vulnerability in Johnson Control’s billing system, and eventually wormed their way through and shut down several key sections of the company’s IT infrastructure.

The attack forced Johnson Controls to shut down several key customer-facing and cash flow management systems. Dark Angels is said to have stolen and encrypted over 27 TB of data, and demanded a $51 million payment in exchange for deleting the stolen files and providing an encryption key. 

No proof of payment exists, but a quarterly SEC filing shows that the company is claiming $27 million in expenses related to response and recovery from the incident. Additionally, the company reported $4 million in lost and deferred revenues from the attack, and has stated that a significant portion of costs associated with the incident will be covered by insurance. 

The SEC filing also saw Johnson Controls state that, “The company expects to incur additional expenses associated with the response to, and remediation of, the incident throughout fiscal 2024, most of which the company expects to incur in the first half of the year. 

“These expenses include third-party expenditures, including IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the company’s business operations.” 

The company has also expressed that, although lingering effects of the attack lasted until the first quarter of 2024, it is confident that the attack has been contained and all data and system functionality has returned to normal 

I recently sat down with Fergal Lyons, Cybersecurity Evangelist at Centripetal to discuss the hack further. 

Jeff Reinke, editorial director: Ransomware continues to skyrocket in terms of frequency, payouts, etc. What do you feel are some of the defensive steps that companies continue to miss in allowing these attacks to proliferate? 

Fergal Lyons, Centripetal: Recent reports indicate a staggering $1.1 billion paid out in ransomware demands last year, marking a new peak in a concerning trend that shows no signs of abating. While the necessary steps to counter these threats are evident, both companies and individuals often fall prey to errors, inadvertently lowering their defenses. 

Furthermore, there's been a notable emphasis on detection and response rather than prevention and protection. However, if an organization is solely focused on detecting threats within their network, rather than preventing them, it may already be too late. 

To effectively thwart attacks, organizations must proactively intercept them at the point of ingress, relying on detection and response technologies primarily for isolated and uncommon scenarios.

A robust patching program is indispensable for defense, as is fostering cyber awareness throughout the entire organization. Additionally, leveraging cutting-edge threat intelligence to bolster perimeter security solutions offers robust protection against evolving threats. 

JR: We know the attackers asked for $51M – do we know if any payments were made? What is your advice about responding to the demands of hackers in a ransomware situation? Do you pay? 

FL: We don't have that visibility on whether they paid the ransom or not. But we do know that many organizations feel they have no choice but to pay. 

The general recommendation from law enforcement and from the industry at large is, of course, not to pay ransom demands. One of the reasons being that if you do pay, there is still no guarantee that you will be successful in getting your data decrypted. 

Additionally, with double extortion, the data itself may be kept and exposed at any point in the future. There simply are no guarantees. However, we can certainly sympathize with companies making the decision to pay in order to stop their business from collapsing. 

The advice is don’t get into that situation in the first place. Reduce your attack surface by eliminating reconnaissance traffic from the network, which will essentially hide your infrastructure from the hackers. 

Use threat intelligence and active shielding to block users from going to malicious sites which tend to be the primary source of ransomware. Finally, be vigilant; leveraging cyber monitoring services using trained experts will put you in a much better position to identify security gaps, and complex threats that could jeopardize your business. 

JR: What do you think are the biggest lessons learned from the Johnson Controls attack? 

FL: The bravado and audacity of the hackers is quite shocking as can be seen from the message below.

Dark Angels Ransom Note

These hackers are highly organized, well-motivated and fearless. Johnson Controls were not the first and definitely won't be the last. 

And therein lies an important lesson.  

Information exists about the activities and infrastructure used by these hackers. Threat intelligence vendors collect and distribute this information on a daily basis. If companies had access to the appropriate threat intelligence and had a mechanism to automatically shield based on that data, they could likely have prevented the breach from occurring. 

The tools exist, but it does require a change of mindset and an understanding of how to best leverage the threat intelligence that exists. 

Additionally, Johnson Controls will likely be reviewing their own processes and defenses. But it is important to remember that cybersecurity is everyone's job. We all need to be aware of the risks of clicking on any link whether in email or on a website. And this applies even more when you take your device home or on the road where protections are less stringent.  

Awareness and general cyber hygiene are key. 

JR: What do you feel might be some of the most important trends impacting cybersecurity in the near future? 

FL: Much discussion surrounds the role of Artificial Intelligence in shaping cyber defense strategies. In the hands of malicious actors, AI holds the potential to generate intricate and compelling attack vectors, with attacks becoming increasingly automated. However, AI also serves as a valuable asset in defending against such threats, particularly when integrated with top-tier threat intelligence. 

Moreover, the sheer volume of reported vulnerabilities, exceeding 3,000 each month, underscores the fragility of our global software infrastructure. These vulnerabilities often expose immediate security weaknesses, becoming prime targets for exploitation. Organizations face a relentless stream of attack traffic, comprising reconnaissance activities and targeted assaults.

While most organizations have established vulnerability management and patching protocols, a significant gap exists between vulnerability identification and patch implementation. This window poses a substantial risk, which should encourage organizations to adopt comprehensive measures to prevent breaches. 

With the uptick in reconnaissance activities, threat actors can swiftly pinpoint vulnerable systems and orchestrate penetrative attacks. Implementing additional layers of ‘defense in depth’ can help alleviate the risks posed by the deluge of vulnerabilities and hacking endeavors.

More in Cybersecurity