[German]The manufacturer Knauf (gypsum, Plaster, building materials) fell victim to a cyber attack on June 29, 2022. The company's IT systems are affected worldwide and had to be shut down. Too much information in terms of details is unfortunately not yet known – the company hopes to have isolated the incident after the security system struck, but is still engaged in analysis. Addendum: Black Basta gang claims responsibility and has leaked data.
Advertising
I became aware of the security incident via Twitter from Ransomwaremap colleague via this tweet. The cyberattack took place on the night of June 29, 2022, at 1:00 am.
According to the company's announcement, a cybersecurity system detected this attempt by the intruders and isolated the systems in question. IT has probably shut down parts of the systems for security reasons. The goal is to minimize risk, but also to allow for further forensic investigation. I see from a job ad that their IT (also) relies on products from Microsoft, CISCO and Zscaler.
The result of this IT shutdown is therefore that IT functions worldwide are severely impacted. This affects orders for building materials and also deliveries. Currently, IT is probably investigating the incident (whether it was a ransomware infection is unknown) and trying to restore the systems. According to the subsequent announcement, email servers are also affected by the cyber incident. Knauf employees can only communicate via Microsoft Teams and mobile.
Who is Knauf?
The name Knauf is associated for me with plasterboard and bags of plaster for drywall constructions – familiar to every DIY enthusiast. And then German town Iphofen come to mind – great region, great wines – and a plaster plant in the background of this historical town. But Knauf is more: Gebr. Knauf KG, headquartered in Iphofen, Lower Franconia, is the holding company for the companies in the Knauf Group, which operates around 220 plants and 75 raw stone operations in more than 86 countries worldwide. The family-owned company is a manufacturer and distributor of systems for drywall, flooring, plaster and facades under the Knauf brand. The could generate a total of 10 billion euros in sales in 2019 with 35,000 employees.
Advertising
Announcement from Knauf
The company has since published a concise announcement on the cyber incident on its website knauf.de – I've translated the text.
In the spirit of trusting and transparent cooperation, we would like to inform you that our systems were the target of a cyberattack on the night of Wednesday, June 29, at approximately 1 a.m. (CEST).
Our cybersecurity system responded immediately and managed to isolate the incident. However, parts of the systems were shut down for security reasons, including to conduct further forensic investigations.
Currently, our systems are therefore impacted, affecting orders and deliveries. We are working to resolve the issues as quickly as possible; however, operations are currently limited. We are working hard to limit the impact to you – our customers and partners – and are working on a secure recovery.
We are unfortunately unable to respond to emails at this time, but cell phone numbers and also TEAMS are working.
Please be assured that we will keep you updated on further progress, and report back immediately when we are able to resume business as usual.
We thank you for your understanding and trust.
Attack from Black Basta
Addendum: Ransomware group Black Basta claimed responsibility for the attack on July 16, 2022, as Bleeping Computer colleagues mention in this article. Meanwhile, 20% of the captured files have been published by the cyber criminals. According to Bleeping Computer, the published data includes emails, user credentials, employee contact information, production documents and ID scans.
Black-Basta is a ransomware gang that has been offering Ransome-as-a-Service (RaaS) operations since April 2022. The group works with double extortion (encrypting data, publishing data). The group cooperates with Qbot (QuakBot) operators in infecting the targeted systems. Black-Basta can infect Windows and Linux, as well as VMware ESXi systems.
