ABB, a renowned Swiss robotics company, recently fell victim to a cyber attack orchestrated by the notorious Black Basta ransomware group. This incident had far-reaching consequences, impacting numerous devices within the company’s network. In response, ABB promptly took action, suspending VPN connections with customers to prevent the malware from spreading to other networks. However, the attack still caused significant disruptions to ABB’s operations, delaying projects and affecting the functioning of their factories.
As a global leader in robotics, ABB boasts an extensive clientele representing various sectors of the economy, both in the public and private domains. The company’s website proudly showcases their successful partnerships with numerous federal agencies, including the U.S. Army Corps of Engineers, the Departments of the Interior, Transportation, Energy, and the U.S. Coast Guard, as well as the U.S. Postal Service. With over 40 engineering, manufacturing, research, and service facilities in the United States alone, ABB’s presence is substantial.
The initial breach occurred on May 7, when Black Basta targeted ABB through Windows Active Directory, infecting hundreds of devices within the company’s network. Consequently, the attack had a profound impact, disrupting ABB’s workflow, causing project delays, and impeding the normal operation of their factories.
Initially hesitant to comment on the cyber attack, ABB eventually released an official statement, acknowledging the incident and its repercussions. The company assured stakeholders that they had taken immediate measures to contain the breach, which resulted in some operational disruptions. However, ABB reassured its customers that the majority of systems and factories were now operational, and they were actively working to mitigate the incident’s impact.
Black Basta, the ransomware operator responsible for the attack, is a criminal organization that offers Ransomware-as-a-Service (RaaS). Emerging in early 2022, Black Basta quickly gained notoriety as one of the most active RaaS threat groups worldwide. Within its first few months of operation, it successfully targeted over 100 victims.
To infiltrate victims’ networks, Black Basta employs a range of techniques, including spam mailings, exploiting software vulnerabilities, and purchasing access from other hackers. Noteworthy tools utilized by Black Basta include QakBot, Mimikatz, PowerShell, and PsExec, which enable the collection of credentials and network traversal. For remote management of infected systems, Black Basta leverages Cobalt Strike and SystemBC. Additionally, the group exploits vulnerabilities such as ZeroLogon, NoPac, and PrintNightmare to escalate privileges.
The file encryption stage begins with Black Basta disabling antivirus products, remotely executing the payload through PowerShell, and eliminating shadow copies of the system using vssadmin.exe. Subsequently, the ransomware is deployed, employing a combination of ECC and XChaCha20 algorithms to encrypt user data. Notably, Black Basta has associations with the FIN7 group (Carbanak), which specializes in bank data theft. The similarity of modules for EDR traversal and the intersection of IP addresses for command and control operations further substantiate this connection.
The ABB cyber attack serves as a stark reminder of the persistent threats faced by companies operating in the digital age. As cybercriminals continue to evolve their tactics and exploit vulnerabilities, organizations must remain vigilant, continually adapting their security measures to safeguard their systems and data. ABB’s proactive response to the incident demonstrates the importance of swift action and collaboration with customers and partners to minimize the impact of such attacks. By learning from these experiences, companies can enhance their cybersecurity practices, ensuring a more resilient future in the face of emerging threats.