Foxconn Attack Highlights Manufacturing's Cyber Crisis

CYBERATTACKS & DATA BREACHES CYBER RISK THREAT INTELLIGENCE VULNERABILITIES & THREATS NEWS Foxconn Attack Highlights Manufacturing's Cyber Crisis A Nitrogen ransomware attack on Foxconn's North American facilities is one of 600 hits on manufacturers this year, as gangs increasingly target the sector for its low tolerance for downtime. Jai Vijayan,Contributing Writer May 14, 2026 5 Min Read SOURCE: TADA IMAGES VIA SHUTTERSTOCK An apparent ransomware attack on several of Foxconn's North American facilities is the latest reminder that manufacturing companies are among the most targeted in cybercrime, because of their central role in high-value supply chains and low-tolerance for downtime. Foxconn this week admitted that a cyberattack had affected operations at some of its North American facilities. In a brief statement to Dark Reading, the world's largest contract electronics manufacturer stopped short of describing the attack as a ransomware incident, and did not disclose the scope or the impact of the breach, but confirmed that a malicious actor was behind the incident. Nitrogen Ransomware Gang Claims Credit for Breach "Some of Foxconn's factories in North America suffered a cyberattack," said the company, whose clients include Apple, Nvidia, Amazon, Dell, Google, Huawei, Microsoft, Nintendo, Sony, and Xiaomi. "The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production." Related:China's 'FamousSparrow' APT Nests in South Caucasus Energy Firm Earlier this week, ransomware group Nitrogen claimed credit for the attack on its leak site, according to threat intelligence firm Hackmanac. The threat actor claimed it had exfiltrated more than 11 million files, amounting to some 8TBs of data, from Foxconn, Hackmanac said. The stolen data allegedly included "confidential instructions, internal project documentation, and technical drawings related to projects involving Intel, Apple, Google, Dell, Nvidia, and other companies," Hackmanac said. Sofia Scozzari, CEO and founder of Hackmanac, tells Dark Reading that the sample files that Nitrogen uploaded to its leak site allegedly included Foxconn financial records, engineering schematics, motherboard and PCB diagrams, server platform documentation, power distribution guidelines, thermal and liquid leakage sensor designs, I3C/I2C topology specifications, and manufacturing process documents.  "The exposed materials also reference confidential technical documentation associated with JPMorgan Chase, Google, Intel, NVIDIA, AMD, ASPEED, Renesas, Hewlett Packard Enterprise, and Tencent," Scozzari says. At this stage, there is no confirmation that Foxconn paid a ransom, she says. "However, the company is still listed on the Nitrogen ransomware group's onion leak site, which suggests that either negotiations are ongoing, or the company has decided not to pay the ransom." Related:Tech Can't Stop These Threats — Your People Can Manufacturers: A Prime Target for Ransomware It's unclear how Nitrogen actors gained initial access to Foxconn. But previous investigations into Nitrogen-related campaigns have shown that the group uses SEO poisoning and fake software downloads to distribute malicious installers, often impersonating tools such as Advanced IP Scanner, AnyDesk, WinSCP, or Cisco AnyConnect, Scozzari says. The attack is one of hundreds that have targeted manufacturing companies in recent months. Data that Comparitech has compiled show as many as 600 ransomware attacks on manufacturing companies so far this year, with 55 of those victims confirming the incidents. For those with available data, median ransomware payments hover at $400,000, according to Comparitech. Rebecca Moody, head of data research at Comparitech, says manufacturers are a high-value target for ransomware groups because of the important role they play as suppliers to other companies, and also for the data they hold. With the attack on Foxconn, Nitrogen had two chances of receiving a ransom, she says: one for decrypting the systems, and the other for deleting stolen data belonging to Foxconn's clients. "We have seen an influx of attacks on manufacturers over the last year or so, which may suggest they've been pinpointed by some gangs as an 'easier' and more lucrative target," Moody says. A number of gangs appear to have shifted their focus away from previous key targets, like healthcare, to focus on manufacturers.  Related:ShinyHunters Claims Second Attack Against Instructure Attackers know that manufacturers can ill afford downtime, and are perhaps more likely to succumb to ransom payments to have key systems restored, especially when they are part of larger supply chains.  "They may also deal with a number of different and high-profile clients — as Foxconn does — providing hackers with a central target to access data from multiple companies and hold this to ransom, too," Moody says. "This supply chain disruption/access to sensitive data from multiple companies also makes them a prime target for state-sponsored hackers — as we saw with Stryker recently," she adds. In a prepared comment, Ismael Valenzuela, Arctic Wolf’s vice president of labs threat research and intelligence, described Nitrogen's Foxconn attack as being different from its usual and highly consistent focus on smaller and medium sized firms tied to industrial operations and supply chains. "These are businesses that keep supply chains running but often lack the depth of security resources found in large enterprises, making them reliable and repeatable targets," he said. Nitrogen's victim profile also shows a clear targeting of shared vendors and common access points, such as managed service providers, remote access tools, or widely used software platforms that connect multiple companies, he added. Arctic Wolf's 2026 "Threat Report" revealed manufacturing to be the most heavily targeted sector for ransomware, with nearly 70% more victims than the next most targeted industry. The targeting reflects reflecting the focus of attackers on organizations where downtime directly halts revenue and production, according to the cybersecurity vendor. Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now! About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS