The electronics manufacturing titan, Foxconn, finds itself once again at the mercy of cybercriminals. A ransomware group, identified as Nitrogen, claims to have exfiltrated a staggering 8 terabytes of sensitive data, including critical schematics and project details belonging to high-profile clients such as Dell, Google, Apple, and Nvidia. While Foxconn has yet to publicly confirm the full extent of the data theft, the company has acknowledged a “cyberattack” impacting some of its North American facilities, with production reportedly “resuming normal operations” after initial disruptions.
Foxconn: A Prime Target in the Cyber Underworld
Foxconn’s sprawling global operations and its pivotal role as a manufacturing contractor for countless electronic components and devices, including Apple’s iconic iPhones, make it an exceptionally attractive target for ransomware and data extortion syndicates. The company doesn’t just house its own intellectual property; it safeguards the crown jewels of its diverse customer base.
“Ransomware groups are increasingly targeting victims that can impact the supply chain, whether it is physical or software,” explains Allan Liska, a threat intelligence analyst at Recorded Future. “So it’s unsurprising that a company like Foxconn would be targeted, since it does manufacturing and holds sensitive data for so many companies around the world.”
Unmasking the Nitrogen Group
The Nitrogen group, which first surfaced in 2023, publicly listed Foxconn on its breach site this week. While not the most prolific or high-profile player in the ransomware landscape, Nitrogen has maintained a steady, albeit sometimes spiking, activity level, particularly towards the end of 2024. The group primarily focuses its attacks on entities in North America and Western Europe and is believed to have ties to the notorious ALPHV/BlackCat ransomware collective.
Ian Gray, vice president of intelligence at Flashpoint, notes, “While reports indicate that Nitrogen has been active since 2023, our first observation of their activity was in 2024, targeting Control Panels USA. We have observed approximately 50 victims since launching, primarily targeting manufacturing, technology, and retail. Manufacturing is one of the most-targeted sectors for ransomware in general.”
A History of Cyber Extortion
This isn’t Foxconn’s first rodeo with cyber extortionists. The company has a documented history of facing such attacks:
December 2020: DoppelPaymer’s Demand
A Mexican facility was hit by the DoppelPaymer ransomware group, which infamously demanded 1,804 bitcoin – a sum equivalent to roughly $34 million at the time.
May 2022: LockBit Strikes Again
Another Foxconn facility in Mexico experienced production disruptions following an attack by the LockBit group.
2024: Foxsemicon Integrated Technology Breached
Most recently, LockBit targeted Foxsemicon Integrated Technology, a Foxconn subsidiary, with defacements and data breach claims.
Nitrogen’s Flawed Encryption and the Broader Threat
Beyond data exfiltration, Nitrogen often deploys traditional ransomware to encrypt target systems. Intriguingly, researchers have discovered a critical design flaw in Nitrogen’s encryption mechanism, which was built using repurposed “Conti 2” code. This flaw renders encrypted data permanently irretrievable, even if the attackers were to provide a decryption key. It remains uncertain if this technical detail is influencing Foxconn’s current incident response strategy.
The Foxconn incident serves as a stark reminder of the persistent and evolving nature of digital security threats. Ransomware and data extortion continue to plague organizations across sectors, with attackers repeatedly targeting vulnerable entities and escalating their disruptive tactics. Just last week, thousands of US schools faced paralysis during year-end activities when education tech firm Instructure had to shut down access to its Canvas platform due to a breach by extortion actors.
The digital battleground is relentless, and even the most formidable global manufacturers like Foxconn are not immune. The ongoing saga underscores the critical need for robust cybersecurity defenses and proactive threat intelligence in an increasingly interconnected world.
Updated at 6:15 pm ET, May 12, 2026, to include comment from Flashpoint’s Ian Gray.
For more details, visit our website.
Source: Link
Leave a comment