Johnson Controls Confirms Sensitive Data Exfiltrated in Ransomware Attack


January 31, 2024

World map

Johnson Controls International, which manufactures industrial control systems and physical security equipment, announced that recovery efforts following a September ransomware racked up $27 million in losses.

Following the attack, the threat actors claimed to have exfiltrated 27 TB of confidential data, which spurred the Department of Homeland Security to launch an investigation into whether sensitive information such as DHS floor plans and security controls were compromised.  

Johnson Controls “holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities,” CNN reported at the time. This week, the company disclosed in a quarterly SEC filing that the attack did in fact result in the exfiltration of sensitive data.  

"The cybersecurity incident consisted of unauthorized access, data exfiltration, and deployment of ransomware by a third party to a portion of the Company's internal IT infrastructure," Bleeping Computer reports the filing as stating.

“Johnson Controls expects this cost to rise in the coming months as they continue to determine what data was stolen and work with external cybersecurity forensics and remediation experts.”

Takeaway: At some point, ransomware attacks are going to cross the line from cybercriminal activity to a national security incident, especially when we are talking about attacks on critical infrastructure and those involved in national security.

We know rogue nations like Russian directly control and/or influence these ransomware operators, many of which have day jobs working for Russian intelligence while moonlighting as ransomware attackers, or vice versa.

When you consider the frequency and impact these attacks are having on healthcare providers and other critical functions, they are starting to look more and more like state-sponsored terrorism, and perhaps we should start treating them as a national security threat.

Even if a ransomware attack itself is resolved and systems restored (at great cost), the fact remains that if the attackers exfiltrated intelligence of value to foreign adversaries, it should mean that an entirely different set of rules kick into place.

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict and prosecute when possible.  

But when an attack drifts into the national security space, there are different rules of engagement, and they can include offensive actions deemed appropriate and proportional.

Given DHS deals with classified and highly sensitive information, it would be safe to assume they have robust protocols in place to assess the security posture of their contractors, which should include data exfiltration controls.

But in this case, it appears to not have been a state-sponsored actor behind the attack, but a ransomware group or affiliate. ‍Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict and prosecute when possible.  

But when an attack drifts into the national security space, there are different rules of engagement, and they can include offensive action deemed appropriate and proportional.

In the 2004 National Military Strategy, the Joint Chiefs of Staff designated cyberspace as a “domain of conflict alongside the air, land, sea, and space domains,” noting that the US Department of Defense will “maintain its ability to defend against and to engage enemy actors in this new domain.”

The overlap of cybercriminal activity with nation-state-supported operations we see with the ransomware threat conveniently allows for some plausible deniability for the rogue nations who support these attacks.

Using ransomware gangs or other seemingly independent threat actors as a proxy to conduct the attacks with the intent to maintain plausible deniability and thwart attribution is the strategy here, but it could backfire on them.

Cyber operations have become such an important aspect of larger geopolitical issues, but attribution is in many cases extremely difficult.

The U.S. and allied governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining true attribution for the attacks.

Ultimately, it's the adversarial governments that are providing safe harbor for criminal elements conducting ransomware attacks with impunity, so until the U.S. government and allies directly sanction these regimes for their involvement, we will not see this spate of ransomware attacks abate any time soon.

And it's only a matter of time before we see another massively disruptive attack against a critical infrastructure or other target that threatens our national security, and then we could see the whole conversation around ransomware attacks and our collective response change significantly. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.