manufacturing - TrustStrike Labs

breach

2026-05-13

Foxconn confirms cyberattack on North American factories - Nitrogen ransomware crew claims 8 TB stolen including Apple, Intel, Google, Dell, and Nvidia project files

Foxconn confirmed Tuesday that a cyberattack hit several North American factories, with its Wisconsin Mount Pleasant facility halting production for a week starting May 1. Workers were told to power off computers and revert to paper timesheets. Nitrogen ransomware group claimed responsibility, posting 8 TB of stolen data covering 11 million files - allegedly including project documentation tied to Apple, Intel, Google, Dell, AMD, and Nvidia. Foxconn says production is resuming. This is the fourth ransomware attack on a Foxconn entity since 2020.

foxconn nitrogen-ransomware manufacturing wisconsin supply-chain apple intel google nvidia dell amd 8tb 11m-files

Check: If your organization is a Foxconn customer sharing technical documentation, audit which projects had files staged at the Mount Pleasant facility between January and May.
Affected: Foxconn customers with data at the Wisconsin facility - Apple, Intel, Google, Dell, AMD, Nvidia, Cisco, Microsoft. Acute: organizations whose chip architecture or data center topology documents were shared for server or AI infrastructure production.
Fix: Contact Foxconn directly to confirm what was exfiltrated. Treat any technical documentation shared with Mount Pleasant since 2024 as potentially exposed. Rotate credentials, API keys, or signing certificates Foxconn held.

threat

2026-05-08

Two pro-Ukraine hacker groups appear to be teaming up to attack Russian companies - sharing servers and tools across phishing and espionage operations

Update on the Head Mare campaign we covered April 28: Kaspersky now reports that BO Team (also known as Black Owl) and Head Mare appear to be coordinating cyber operations against Russian organizations, sharing command-and-control infrastructure on the same compromised hosts. The likely division of labor: Head Mare phishes for initial access, then BO Team takes over for malware deployment. BO Team has shifted from destructive attacks to covert espionage, and in Q1 2026 hit 20 Russian organizations across manufacturing, telecoms, and oil and gas. The group uses BrockenDoor and Remcos backdoors. Earlier BO Team campaigns hit a Russian drone supplier and the federal digital signature authority.

bo-team black-owl head-mare phantomcore follow-up pro-ukraine-hacktivists russia kaspersky brockendoor remcos manufacturing telecoms oil-gas ukrainian-military-intelligence

Check: If your organization operates in Russia or has Russian subsidiaries, search proxy logs for BrockenDoor or Remcos C2 infrastructure since January. Hunt phishing emails referencing manufacturing, telecom, or oil and gas subjects with malicious documents.
Affected: Russian organizations across manufacturing, telecoms, and oil and gas - BO Team's Q1 2026 target list. By extension, Russian subsidiaries of Western multinationals operating in these sectors. The pattern of pro-Ukraine hacktivists coordinating with state-aligned operations means defenders cannot treat hacktivist incidents as opportunistic - they may be one stage of a longer espionage operation.
Fix: Block known BrockenDoor and Remcos C2 indicators per Kaspersky's published IoCs. Monitor for the phishing→malware deployment handoff pattern: phishing email landing followed within days by C2 traffic from a different actor. For organizations not in Russia: this is a template for how hacktivist groups in other regional conflicts may coordinate; expect the same pattern in Middle East and APAC tensions.