Global industrial automation company ABB has confirmed it had data stolen in an attack attributed to the Black Basta ransomware group.
The attack is believed to have hit the Swedish-Swiss multinational technology firm’s Windows Active Directory on May 7, disrupting hundreds of devices, and details were first reported a week later.
“ABB has determined that an unauthorized third-party accessed certain ABB systems, deployed a type of ransomware that is not self-propagating, and exfiltrated certain data,” the company’s press release said.
The incident had been successfully contained, and ABB was investigating and assessing the extent of its impact, the company said.
“All of ABB’s key services and systems are up and running, all factories are operating, and the company continues to serve its customers. The company also continues to restore any remaining impacted services and systems and is further enhancing the security of its systems.”
In a notification to customers, posted by cybersecurity researcher Kevin Beaumont, ABB said it had no evidence that its customers’ systems had been directly impacted. In its Q&A document it said there was no evidence that the security of its products had been compromised.
Beaumont said he had independently confirmed the attack was carried out by the Black Basta ransomware group.
“Their biggest victim so far, it’s bigger than Capita,” Beaumont said. “It’s a standard Black Basta playbook attack – all the usual TTPs (tactics, techniques, and procedures). Exfil(tration of data), too.”
U.K. outsourcing firm Capita was the subject of a data leak in March affecting Sheffield-based teachers and client bank account details. Black Basta claimed responsibility for the incident, which was expected to cost Capita up to $25 million.
Since it was first observed in April 2022, Black Basta has also attacked several other organizations including the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada.
In the ABB attack, Beaumont said Black Basta was able to gain initial entry into the company’s systems using malicious weblink techniques such as SEO poisoning and fake browser updates to install Qakbot trojan malware – a tactic the threat group has been known to use frequently.
Beaumont claimed ABB had paid a ransom following the attack. The company has not commented on that claim but said it was cooperating with authorities and third parties, and given the ongoing investigation, could only provide limited details of the attack at present.
“A limited number of our servers and endpoints were directly affected by the malware,” it said in its Q&A document.
“It is our understanding that the malware does not spread through emails or attachments and does not automatically self-propagate to other systems across a network.”
ABB said the malware was human-operated ransomware, requiring the intervention of a person to push it to the target systems.