Knauf Group, one of the world’s largest suppliers of building materials, remains impacted by a ransomware attack nearly a month after the incident, the €12.5 billion (by 2021 sales) firm has confirmed as it continues its recovery.
The German multinational, which has 300 factories and a footprint in 90 countries, employs 40,000 including in the UK at plasterboard manufacturing facilities in Sittingbourne, Kent, and North East Lincolnshire.
It is owned by one of Germany’s richest families and makes insulation, plasterboard, cement board, plaster and other products. (The company is one of the few European multinational's to continue operations in Russia, where it has over 3,900 staff at 14 sites.) Shipments have been affected and the firm has apologised for delivery delays.
The Knauf Group ransomware attack took place on June 29, 2022. The incident resulted in emails as well product-ordering software being taken offline, the company said in a series of updates for customers.
As ever, the extent of the compromise was hard to ascertain from the outside, with systems being rapidly shut down in the wake of the attack in a bid to contain its impact: “Many of our systems and email communication are fully functional again, other areas are currently being restarted” it said on July 20, but was still directing customers to rapidly spun up alternative PDF forms for product orders as The Stack published on July 20.
The incident could not have come at a worse time for a construction industry already embattled by supply chain issues and rampant inflation in the wake of the pandemic, which caused raw material shortages for a huge range of construction materials – plasterboard prices were reported as set to soar up to 25% in July.
Knauf Group ransomware attack: Emails hit, Teams stayed up
The attack has been claimed by ransomware group “Black Basta” which has leaked data from Knauf on its .onion “dark web” site. The ransomware group emerged in April 2022. It has been tracked evading defensive action by Windows Defender and deleting Veeam backups from Hyper-V servers among other techniques.
Security firm Trend Micro has seen Black Basta use malicious Excel files attached to phishing emails as one initial mode of access to a network. Attackers typically start target Windows systems in safe mode before encryption to take advantage of the fact that third-party endpoint detection solutions may not start after booting the operating system in safe mode, allowing the malware to avoid detection.
NCC Group in June reported Black Basta as making particular use of Qakbot (also known as QBot) malware to move laterally, although such groups’ techniques tend to gravitate towards a “whatever works” approach.
Regardless, it is arguably notable that Switzerland’s cybersecurity authority had reported a surge in Qakbot activity in March. Describing it pithily as “a type of malware that is spread via emails” the Swiss NCSC noted that attackers “often use existing email conversations (e.g. with suppliers or clients) that have fallen into their hands through previous attacks, exploit them as a gateway to penetrate corporate networks unnoticed…”
After the Knauf Group ransomware attack it emphasised the Teams was still up, even as email was down.
Data from IBM shows that manufacturing became the most attacked sector in 2021, dethroning financial services and insurance for the first time: “While phishing was the most common cause of cyberattacks in general in the past year, IBM Security X-Force observed a 33% increase in attacks caused by vulnerability exploitation of unpatched software, a point of entry that ransomware actors relied on more than any other to carry out their attacks in 2021, representing the cause of 44% of ransomware attacks” IBM said in February.
The manufacturing industry is also one of the hardest to defend. A sprawling attack surface, staff often culturally not attuned to cybersecurity threats, operational technology systems shipped from manufacturers running ancient and insecure operating systems or other software are all challenges security professionals face.
Hugops to Knauf Group — which is hiring heavily in its IT function amid what appears to be a significant digital transformation programme, including new posts across network architecture (IT and OT), M&A infrastructure IT, project manager for legacy applications and, yes, a brace of mid-tier cybersecurity manager posts.