Cyber attack on Continental - what is happening now


For a long time, Continental made no statement on the cyber attack, the theft of 40 TB of data and the ransom demand of first 50 and then 40 million dollars. The company is now clarifying what happened and how it is responding.

The actual attack on Continental probably took place in August 2022. At the time, Continental announced that everything was fine and that the attack had been noticed and warded off. Far from it: the hackers were probably still on the Continental network at that point, or still had access to it. During day-to-day operations, more than 40 TB of data was siphoned off over an unknown period of time without Continental noticing.

Continental is now providing public information

Continental now announces: “Continental has been targeted by cybercriminals. The company averted the attack in early August and restored the integrity of its IT systems. Continental's business activities were never affected. The investigation of the incident has meanwhile revealed that the attackers were also able to steal part of the data from the affected IT systems, despite established security precautions. The investigation and data analysis, carried out with the support of external cybersecurity experts, is still ongoing and is being carried out with the highest priority.”

Brief timeline of the data theft

The company itself describes how some steps of the cyber attack took place. Here is an abridged version:

  • August 4, 2022: Continental immediately begins investigating the matter. The company also works with external experts.
  • The attacker made contact with Continental in mid-September. Continental subsequently cut off contact with the attackers.
  • On November 9, 2022, the attacker offered to delete or sell the data for $50 million on the dark web. This was reduced to $40 million on November 29, 2022.
  • Additionally, on November 10, 2022, the attacker released a list of the data they say they have in their possession. No detailed file contents will be published.
  • Continental is currently assuming a data leak of more than 40 TB. No file content has been released at this time.
  • Continental currently has no indication that data has been manipulated or products have been compromised.
  • Continental works with a renowned auditing company for technology-supported data analysis.

No ransom payment - advice from the BSI

Furthermore, the company's management says: “Continental will not accept ransom payments. Paying a ransom would only help to continue funding attacks on the security of critical infrastructure such as power supplies and hospitals, educational institutions and the economy. With this attitude, the company is also following existing recommendations from the Federal Office for Information Security (BSI), the Federal Criminal Police Office (BKA) and the Federal Government.”

Why didn't anyone notice?

According to Continental, this is not unusual, as experience has shown that ransomware attacks remain undetected for several months on average. "One of the reasons for this is that large companies in particular exchange a lot of data, and a data transfer of around 40 TB, as in the present case, is not immediately significant." Other reports said the company moves around 200 TB per day. At the same time, the further forensic evaluation will still take some time, because "Due to the potential amount of data (more than 55 million file entries), the data analysis will probably take several weeks."

How did the hackers get into Continental?

The company says: “The investigation into the cyber attack is still ongoing, including the investigation into where the attackers were able to start. Initial findings suggest that the attackers gained access to the Continental systems using disguised malware executed by an employee.” According to various media, an employee is said to have installed an unauthorized browser. This either already had malicious code on board or led to a corresponding source. Why an employee has the rights to install software at all was not answered.

What are the economic consequences?

Continental also addresses the question of what economic consequences the cyber attack could have for the company. The answer is brief: “There are currently no further details available about the possible consequences.” Other companies, however, are unlikely to see things quite so simply, because the stolen data is said to have also included documents from Mercedes, BMW and VW. If product developments or other things are endangered in this way, or if data reaches competitors, this could have further repercussions for Continental.

A comment by Michael Pietsch from Rubrik

The automotive supplier Continental fell victim to a ransomware attack. The case shows how important it is to use security solutions that continuously monitor the network and raise an alarm in the event of irregularities.

“To that end, organizations can learn something from Continental's case. The group only noticed months after the hacker attack was discovered that a large amount of data had been stolen from the network. To address this, there are security solutions that continuously monitor the network and raise an alarm in the event of irregularities. This enables quick action and prevents far-reaching effects.

That's why cybersecurity experts recommend building data security around three pillars: data resilience, data visibility, and data recovery. Users achieve resilience through unchangeable backup copies of their data. Immutable data is untouchable and cannot be encrypted by hackers. Visibility is guaranteed by constant monitoring of all data streams.

This also includes knowing at all times who has access to which data and when it was used. This information can be used to identify and stop suspicious activity. Backups are used to restore important data. If they are stored in a safe place and are quickly available, the victims of a ransomware attack may be able to bring their systems back online in a timely manner. Those who adhere to these principles can minimize the risk and damage potential of a cyber attack,” says Michael Pietsch from Rubrik.

More at Continental.com

 
