Skip to content

Search the site

Delta Electronics, $9B supplier to Dell, HP, struck by ransomware

Hey kids! Rember not to join the domain with your backup servers.

UPDATED 09:50 GTM January 29, 2022 with Delta Electronics further denying operational impact, restoration of its website.

Global electronics supply chains are already suffering disruption. A ransomware attack on Delta Electronics – a $9 billion-by-annual-revenue Taiwanese supplier to Dell, HP other blue chips may prove another fly in the ointment – although the company insists that impact has been limited to non-critical networks.

The attackers meanwhile claim that they have encrypted 1,500 servers and 12,000 computers out of ~65,000 devices on Delta's network, according to Taiwanese reports. At the front-end, Delta Electronics’  homepage remained unavailable for what it insisted on describing as “system maintenance” as The Stack published, as did customer support and service sites for the US and EMEA, some 10 days after the attack.

(It was later restored 11 days after the attack.)

Kronos attack: backup access targeted amid cold storage overhaul vow

Delta Electronics, founded in 1971, provides switching power supplies, thermal management products and “smart energy systems” for industrial automation, building automation, telecom power, data center infrastructure, EV charging, renewable energy, energy storage and display systems globally.

The company’s sales, R&D, and manufacturing facilities span 200 locations and five continents.

Vitali Kremez, CEO of cybersecurity intelligence firm AdvIntel, said that his company intelligence revealed that the attack tapped the widely used Cobalt Strike software and a remote monitoring and management software from Atera – widely deployed by MSPs – for persistence as part of the attack on January 18, 2022.

See also: 10 insights into UK’s bullish new national cybersecurity strategy

Delta Electronics has run into trenchant criticism over its own product security over the years. Recent advisories for its own products include a critical remote code execution (RCE) vulnerability in its communication management software, and accompanying PLC simulator. Other examples are not hard to come by.

One critic this week claimed it was ““destined to get hit” – with cyber intelligence organisation Treadstone 71 pointing to its 2016 concerns that a Russian company had set up a series of identically branded companies that it feared were being used to compromise the supply chain with an eye to shipping infected products to the energy sector. That seems like a lot of effort when Delta Electronics has been shipping so many products with RCE bugs and while detailing some evidence on domain typosquatting and other efforts, it did not actually furnish proof that any supply chain breach had occurred, but claimed that the “amount of malware embedded in software destined for PLCs worldwide was enormous.” Bad code is certainly rife; Hanlon's Razor may of course apply.

Regardless, Delta Electronics was criticised in late 2021 for having failed (six months after it was notified through CISA) to patch a series of critical SQL injection bugs in its DIAEnergie product (an industrial energy management system) that can be exploited by remote, unauthenticated attackers to execute arbitrary code. Whether shipping appallingly insecure products to customers equates to also having a poor internal security posture is an open question that plenty of other major hardware and software companies could be asked.

The company added in an updated statement (translated from Chinese) on January 28 that reports of operational impact are "not true... The actual situation is subject to the company's announcement. All systems related to Delta's operations have returned to normal, and the current assessment has no major impact on the company's operations. The company currently conducts a comprehensive and thorough scan and inspection of all domains, web pages and related files. After ensuring information security with high standards, the official website can operate. The information security restoration of this website has nothing to do with important operational behaviors."

Follow The Stack on LinkedIn