Alarm and building automation system giant Johnson Controls might have “compromised sensitive physical security information such as DHS floor plans,” according to a CNN report that says the government contractor was the victim of a recent cybersecurity attack likely involving ransomware.
Senior Department of Homeland Security officials “are working to determine” the extent of the breach, according to internal DHS correspondence reviewed by CNN reporters Priscilla Alvarez and Sean Lyngaas.
The looming potential government shutdown – which could start Sunday morning if Congress can’t strike a last-minute deal – makes it “especially time sensitive” to determine which DHS offices might be affected by the attack, the memo said.
“Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers,” the memo said, according to the CNN report, which added it’s “unclear if the cybercriminal hackers accessed that information.”
“We do not currently know the full extent of the impact on DHS systems or facilities,” the internal DHS memo says, according to the CNN report.
The Biden administration has tried to tighten cybersecurity for government contractors by compelling them to meet a minimum set of security standards, the CNN report says. It’s unclear if the hackers in the Johnson Controls case demanded a ransom to return the information to them, according to the report.
Inside the Johnson Controls Cyberattack
The cyberattack hit Johnson Controls in the last week, causing disruptions to internal IT systems and knocking some of the company’s subsidiary websites offline, CNN reports. It’s “expected to continue to cause disruptions to some of Johnson Controls’ business operations,” according to a company filing with the U.S. Securities and Exchange Commission on Wednesday.
Johnson Controls has hired “external cybersecurity experts” to recover from the “cybersecurity incident,” and is in touch with its insurers, the SEC filing says, according to the company’s SEC filing. Company spokesman Trent Perrotto declined to comment when CNN asked what DHS data the company stores and whether sensitive physical security information was compromised in the cyberattack.
In the filing, Johnson Controls says: “(The company) has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident. Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers. The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate. To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations. The Company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.”
Efforts by CE Pro sister publication Security Sales & Integration to reach Johnson Controls officials for more information about the cyberattack were unsuccessful.
CNN could not independently confirm which cybercriminal group was responsible for the breach of Johnson Controls, but IT media publication Bleeping Computer, citing unnamed sources, says the company was initially breached at its Asia offices. In addition, Bleeping Computer reports sources saying the group behind the cyberattack is Dark Angels, a ransomware gang that breaches corporate networks and spreads laterally through the network.
DHS officials are also checking to see whether any personally identifiable information of DHS officials was swept up in the hack, according to the internal correspondence reviewed by CNN.
Johnson Controls mainly provides security and building automation solutions to commercial markets, but does operate some residential brands, including Qolsys, DSC, and others, as well as operating in the indoor air quality sector.
A version of this article originally appeared on our sister site Security Sales & Integration.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!