Skilled hackers from Southeast Asia targeted the industrial solutions and European steel business divisions of ThyssenKrupp, exfiltrating an unknown quantity of intellectual property.
Skilled hackers from Southeast Asia targeted the industrial solutions and European steel business divisions of ThyssenKrupp, exfiltrating an unknown quantity of intellectual property.

Professional hackers infiltrated the systems of Germany-based industrial conglomerate ThyssenKrupp earlier this year, stealing fragments of data related to intellectual property, research and secrets, the $46 billion corporation publicly acknowledged on Thursday.

According to a corporate statement, ThyssenKrupp caught the intrusion early, allowing its cyber responders to continuously study and analyze the threat while the company revised its systems and bolstered security. ThyssenKrupp employs its own CERT (Computer Emergency Response Team) division, which instead of immediately casting out the threat group decided to closely monitor its activity. During the course of this investigation, the company discovered that the attackers originated from Southeast Asia.

“The choice of observing the attackers instead of shutting them out is a very bold one, but it could bring good results,” said Giovanni Vigna, co-founder and CTO at advanced malware protection firm Lastline, in an email interview with SC Media. “It could be possible to better understand how the attackers gained access to the system; [learn] what their tools, tactics, and techniques are; and even determine their motivation. These things are difficult to determine without the ability to observe and even 'bait' a live attacker."

With the exception of "certain project data in an operative engineering company," the company said it has not yet identified the exact content stolen, nor can it provide a reliable estimate of the financial damage inflected by the attackers. But it does know that the perpetrators targeted its industrial solutions business area and its European steel operations.

With 19,000 employees, the industrial solutions division delivers technologies that aid in the engineering, construction and service of industrial plants across a wide variety of sectors. It also supplies systems for naval submarines and surface vessels, and serves the automotive, aerospace and battery industries. ThyssenKrupp's European and American steel business units, meanwhile, together comprise one of the world's leading suppliers of carbon steel products, producing 13 million tons of crude steel while employing roughly 27,000 employees.

Multiple reports state that the breach first occurred in February and was subsequently discovered in April. In its statement, ThyssenKrupp assured the public that there was no impact on specially secured IT systems intended for critical infrastructure and operations, including marine systems and the IT control systems for blast furnaces and power plants. Moreover, the company said that there were “no signs of sabotage and no signs of manipulation of data and applications."

ThyssenKrupp blames neither security deficiencies nor employee error for the intrusion, as the systems compromise was perpetrated by professional, sophisticated hackers. The company did not specify which Southeast Asian nation was the source of the attack, but experts can look to historical precedent for suspects. For instance, in February 2013, German news outlet Der Spiegel reported that a previous attempt to hack into ThyssenKrupp's network was linked to Internet addresses in China.

“This outlines a virtually textbook attack [on] sensitive data. I would speculate that the attack originated in China, with steel production and cheap export prices being topical in the UK and [the] U.S.,” said Mark Wilson, director of product management at data security and access management company STEALTHbits Technologies, in comments exclusively provided to SC Media.

“Circumstantially, China would logically rank among the top suspects to investigate,” agreed Lastline's Vigna, noting that “the quality of current Chinese-supplied steel has been called into question in a public light," while in comparison ThyssenKrupp's steel and industrial solution divisions “are considered tops in quality.” Still, attribution is difficult to pin down at this early stage, he cautioned.

"It appears that attackers based in Asia have put the steelmaker in their sights again... and were successful, said Richard Henderson, global security strategist at endpoint security and data risk management company Absolute Software, in emailed comments. "There are many countries out there that are willing to do whatever it takes to leapfrog their technological evolution and join Western nations in learning advanced manufacturing techniques." 

ThyssenKrupp noted that all of its business divisions' CIOs were involved in the corporate investigation. The company informed national and regional cyber authorities of the incident, and has also filed charges. 

With operations in 80 countries, ThyssenKrupp also specializes in high-tech components technology for the auto and machinery sectors, elevator technology, and raw materials distribution and services.

According to Vigna, the various business divisions that exist within large, multifaceted companies are not always aligned in terms of technology or process, resulting in weak spots that are prone to attack.

"Hackers often target large conglomerates because they might have divisions with different levels of security, mostly because of the acquisition of new companies that are merged into the existing IT system," Vigna explained. "These new companies might have lower standards in terms of security, or might not have yet caught up with the mandated security processes, and, therefore, represent an opportunity to access the overall enterprise network."