{"id":34169,"date":"2024-06-13T19:46:47","date_gmt":"2024-06-13T17:46:47","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=34169"},"modified":"2024-06-19T02:08:56","modified_gmt":"2024-06-19T00:08:56","slug":"crown-equipment-victim-of-a-cyber-attack-sites-and-production-down","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/06\/13\/crown-equipment-victim-of-a-cyber-attack-sites-and-production-down\/","title":{"rendered":"Crown Equipment victim of a cyber attack? &#8211; sites and production down"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Security (Pexels, general use)\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/06\/13\/gabelstapler-hersteller-crown-webseiten-down-was-ist-da-los\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]According to my information, the forklift manufacturer, Crown Equipment Corporation, has been the (possible) victim of a cyber attack. The websites are no longer accessible &#8211; and employees are being sent home. Production plants have been shut down since Monday, June 10, 2024. In the USA, it is said that people have not been paid either. Officially, the company is tight-lipped &#8211; here is the information I have researched.<\/p>\n<p><!--more--><\/p>\n<h2>Who is Crown Equipment Corporation?<\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Crown_Equipment_Corporation\" target=\"_blank\" rel=\"noopener\">Crown Equipment Corporation<\/a> is the world's fifth-largest manufacturer of forklift trucks, industrial trucks and high-rack conveyors. 
The US company is headquartered in New Bremen, Ohio, United States.<\/p>\n<p>There are four other regional company headquarters in Australia, China, Germany and Singapore. The European company headquarters in Feldkirchen near Munich in Upper Bavaria is responsible for the Europe, Middle East, Africa and India region. There also appears to be a production facility in Roding, in the district of Cham, Bavaria, Germany.<\/p>\n<h2>Worldwide IT outage &#8211; production down<\/h2>\n<p>German blog reader Christian Z. sent me an e-mail yesterday drawing my attention to a <a href=\"https:\/\/www.mittelbayerische.de\/lokales\/landkreis-cham\/weltweite-it-probleme-crown-produktion-in-roding-steht-seit-einigen-tagen-still-16232811?fbclid=IwZXh0bgNhZW0CMTEAAR0nOsgYGGn4lg5uBDT90XkN01CuystB2tVv6w0pTYZ0kfMzovqtUpJI0Yc_aem_AV1_2M1RxUpJlULoRAx28--e905oz3jEX4LaFO_ZvuTHCbK2joHP3U7f90fKQm-fyLjeYYWnUk9apYhKYuBvdwZa\" target=\"_blank\" rel=\"noopener\">report<\/a> in the Mittelbayerische newspaper (thanks for that), which talks about a worldwide IT system outage at this company. The Crown website (crown[.]com) is not available.<\/p>\n<p><img decoding=\"async\" title=\"crown.com is temporarily unavailable\" src=\"https:\/\/i.postimg.cc\/25YrNgfJ\/image.png\" alt=\"crown.com is temporarily unavailable\" \/><\/p>\n<p>Any attempt to visit the web site ends with the message \"crown.com is temporarily unavailable\" (see the screenshot above). That alone wouldn't be a problem; maybe the web server is down or under maintenance. 
But the Mittelbayerische report doesn't sound good in this context.<\/p>\n<ul>\n<li>Since Monday, June 10, 2024, production at the forklift truck manufacturer's two sites in Roding (Cham district in Germany) has been at a standstill.<\/li>\n<li>The switchboard is dead, so the manufacturer cannot be reached by phone.<\/li>\n<li>Crown's website (crown[.]com) is down worldwide.<\/li>\n<\/ul>\n<p>And there are reports of IT problems worldwide. Some of the employees from Roding were sent home. According to the report, the Crown managing director on site in Roding was unable to say exactly what had happened. There are recent posts on the company's Facebook pages, but no explanation of what is going on. The Bing crawler was last able to visit the page on June 9, 2024. With the overall picture above, I'm guessing a ransomware attack.<\/p>\n<h2>Was it a Cyberattack?<\/h2>\n<p>While the management of Crown Equipment Corporation is tight-lipped, my blog readers provided me with references to sources explaining what happened. Sandra posted a comment linking to <a href=\"https:\/\/x.com\/jeffafffa\/status\/1801005827551097283\" target=\"_blank\" rel=\"noopener\">this tweet<\/a> saying:<\/p>\n<blockquote><p>thanks for letting your servers be hacked and not paying your employees. It's not like we have bills or anything. I thought I worked for a better company.<\/p><\/blockquote>\n<p>It's obviously an employee who is struggling now, but this is only a \"suspicion\". And I found a second <a href=\"https:\/\/x.com\/JohnSmi63996754\/status\/1801288677449929119\" target=\"_blank\" rel=\"noopener\">tweet<\/a>, which a reader forwarded to me (thanks to all my sources).<\/p>\n<blockquote><p>Hey Jon I work for Crown Equipment, billion dollar company with 19,000 plus employees. We were hit with a cyberattack and are currently not working. Now they tell us no pay! 
This after bragging about being an employee first company, have to love corporate America.<\/p><\/blockquote>\n<p>It's the second independent confirmation that Crown Equipment Corporation could be the victim of a cyber attack. On reddit.com there is a thread <a class=\"broken_link\" href=\"https:\/\/www.reddit.com\/r\/LinusTechTips\/comments\/1denozy\/crown_lift_trucks_experiencing_phishing_hack\/\" target=\"_blank\" rel=\"noopener nofollow\">Crown Lift Trucks experiencing phishing hack. Company told staff to stay home for \"further updates\" and told them to seek unemployment while systems are offline<\/a>, which somebody started with:<\/p>\n<blockquote><p>2 days now we've been kept in the dark. No way to clock time, no service manuals or parts manuals but still expected to be billing. It's been a shitshow and no updates on what's going on or when we'll be back online<\/p><\/blockquote>\n<p>An ex-employee from this area writes:<\/p>\n<blockquote><p>As someone who has worked with Crown forklifts for about a decade, this is the price the company gets for moving away from books and psrt (name of parts and service catalog) offline on an SD card in an Android tablet.<\/p><\/blockquote>\n<p>Looks like Crown was fully digitized. An employee of the company outed himself in the thread and wrote:<\/p>\n<blockquote><p>I currently work there. Everyone is desperate, can't order parts except from TVH and that's for emergencies only. The company has not yet officially announced that it has been hacked, but they keep emphasizing the importance of MFA. We can read between the lines.<\/p><\/blockquote>\n<p>What strikes me: there is no public announcement of what happened to the company. And the mention of multifactor authentication (MFA) in the context of the phishing attack mentioned above completes the picture.<\/p>\n<p>Incidentally, during my research I also noticed that Crown has been looking for cybersecurity experts in the past. 
If somebody has further insights, feel free to drop a comment or contact me via e-mail (see the about page), if discretion is required.<\/p>\n<h3>More information I got<\/h3>\n<p>I am now getting more and more feedback from sources involved in the matter. Some workers say they aren't getting paid (see also <a href=\"https:\/\/www.reddit.com\/r\/WorkReform\/comments\/1df5wg6\/billion_dollar_co_crown_equipment_not_paying\/\" target=\"_blank\" rel=\"noopener\">this reddit.com<\/a> thread). I've heard that they will try a manual payment for their workers on \"Monday\" &#8211; but people were asked to take vacation time or to apply for unemployment.<\/p>\n<p>Investigative journalist George Webb has a <a href=\"https:\/\/x.com\/RealGeorgeWebb1\/status\/1801810828678807584\" target=\"_blank\" rel=\"noopener\">video statement<\/a> on X, which doesn't reveal details of what's going on at Crown Construction, but sheds light on the company structure of the owners.<\/p>\n<p>The information I got from multiple sources ranges from \"hacking attempt, somebody just opened a file, but systems shut down immediately\" (see post from mightbeBOND in <a href=\"https:\/\/www.reddit.com\/r\/forkliftmechanics\/comments\/1ddstgp\/comment\/l8be6b2\/\" target=\"_blank\" rel=\"noopener\">this reddit.com<\/a> thread), to \"installed a fake VPN and gained control to everything\" (see <a href=\"https:\/\/www.reddit.com\/r\/forkliftmechanics\/comments\/1ddstgp\/comment\/l8cvkhq\/\" target=\"_blank\" rel=\"noopener\">comment from DragonflyJust2223<\/a> at reddit.com) up to \"they have it all, blue prints floating in the internet\" (see Derrickspartan1's post within <a href=\"https:\/\/www.reddit.com\/r\/Ohio\/comments\/1df5ltf\/comment\/l8m54dh\/\" target=\"_blank\" rel=\"noopener\">this reddit.com<\/a> thread).<\/p>\n<h3>Inside information from the company<\/h3>\n<p>I've also seen some advisories from Crown's HR department dealing with lost work shifts for hourly employees, advice to technicians and sales people, and so on. 
In these advisories, employees are instructed not to clear the data from their tablets and to await additional directions.<\/p>\n<p>In a statement, all employees were told that \"the department\" has implemented additional \"system security measures\". The timeout function of multi-factor authentication (MFA) has been \"reduced effective immediately\". All employees will experience an increase in the number of prompts when accessing system resources. They are to ignore MFA prompts if they are not attempting to access resources, and call an internal telephone number.<\/p>\n<p>They also told their employees that a temporary policy is in place restricting access to Office 365, so applications such as e-mail, Teams, SharePoint and OneDrive are only available on company devices. It was mentioned that these \"additional system security measures\" are important to the recovery efforts to get the systems back up and running.<\/p>\n<h3>It wasn't a hack, it was a coding error<\/h3>\n<p>The latest information I got comes from a reader who claims that \"Crown was not actually hit by a cyber attack\". Instead, it was probably a \"coding error\" that sent their software system (crown 365), used for everything from payroll to email to sales to catalog services, downhill. But how probable is a \"coding error\" that forces all systems offline for a week? In such cases a backup might bring all systems back within hours.<\/p>\n<h2>An example of how not to deal with such an incident<\/h2>\n<p>All of this is pretty much speculation. What we know for sure: All their IT systems are down and they are working manually or have shut down their production plants worldwide.<\/p>\n<p>Let's hope, for all customers and employees, that things get sorted out on Monday (June 17, 2024). 
This is an excellent example of how such an incident should not be handled by a company's management &#8211; just a short note \"Hello, we have a global outage of our IT systems, because it's &#8230; [ ]a technical issue \/ [ ]a cyber incident\" would keep customers informed and end speculation (unless the note is based on false claims). I asked on Facebook for a statement a few days ago, but have received no answer yet.<\/p>\n<p><strong>Update from June 19, 2024:<\/strong> Crown has informed its employees that a ransomware attack has grounded their IT system. All further details and discussions can be found in my new blog post <a href=\"https:\/\/borncity.com\/win\/2024\/06\/19\/crown-equipment-corporation-victim-of-a-ransomware-attack\/\">Crown Equipment Corporation victim of a Ransomware attack<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]According to my information, the forklift manufacturer, Crown Equipment Corporation, has been the (possible) victim of a cyber attack. The websites are no longer accessible &#8211; and employees are being sent home. 
Production plants have been shut down since Monday, &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/06\/13\/crown-equipment-victim-of-a-cyber-attack-sites-and-production-down\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-34169","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=34169"}],"version-history":[{"count":11,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34169\/revisions"}],"predecessor-version":[{"id":34239,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34169\/revisions\/34239"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=34169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=34169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=34169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}