A ransomware group has claimed the cyberattack against automotive supplier Yanfeng that impacted production at Stellantis NV this month — and the group is threatening to release “sensitive information” belonging to the auto supply giant.
Qilin, a ransomware operation known to breach firms in critical sectors via phishing emails, added Yanfeng to its extortion portal Monday, as first reported by BleepingComputer, a cybersecurity website that tracks ransomware attacks. On the portal are blurred screenshots “confirming that we have a lot of sensitive information in our possession which will be released in the coming days,” according to Qilin.
Yanfeng has not returned multiple requests for comment since Crain’s Detroit Business reported the cyberattack more than two weeks ago. Crain's Detroit Business is a sister publication of Plastics News.
The attack brought down Yanfeng’s website Nov. 13. The Chinese auto parts supplier manufactures interior components, seating and electronics for major automakers including the Detroit 3. It has multiple plastics processing systems in-house, including injection molding.
Stellantis suffered production disruptions at assembly plants in North America the week of the attack, though the automaker has not detailed the extent of it. Production appeared to be back to normal within a few days, as spokeswoman Ann Marie Fortunate told Crain’s there were no disruptions Nov. 16. The company has “no further information to share on the cyber-attack,” she said Nov. 30.
The attack also put General Motors Co. on alert, but its production was not derailed. “We have not experienced any significant effects to our operations as a result of the situation,” GM spokesman Kevin Kelly told Crain’s on Nov. 15.
Cyberattacks have become common against a host of organizations from universities to governments. Data-rich health care companies are increasingly being attacked, while manufacturers big and small are also prime targets. Japanese giant Denso and German behemoth Continental AG, both of which have bases in Michigan, were hit last year, while Zeeland-based supplier Gentex Corp. suffered a cyberattack earlier this year.
While operations at Yanfeng appear to have stabilized, that doesn’t mean the trouble is over. Cyberattacks can have devastating consequences, said Steve Wernikoff, litigation and compliance partner at Honigman LLP who co-leads its data, privacy and cybersecurity service group as well as its autonomous vehicle group.
In the case of Yanfeng, it appears the ransomware group has moved on to the extortion phase of the attack, where it is common to demand a six- or even seven-figure payment to not release the sensitive information. “The vendor needs to gauge their liability to these criminals,” Wernikoff said. “You ultimately have to do a cost benefit analysis with a bunch of different factors in determining whether you choose to make a payment.”
Automotive suppliers are in a particularly vulnerable position because a data breach could compromise others in the supply chain, said Wernikoff, who has advised auto suppliers that have been attacked by ransomware but is not involved in the Yanfeng situation. Even once production resumes, an attacker could have stolen sensitive customer information or even have breached a customer’s network if it shares direct access with the affected supplier.
“It’s not uncommon if they have a deep relationship with the vendor,” he said. “That may be your customer data, that may be your employee data. If it’s publicly disclosed it could cause reputational risk or other damage to these companies.”
Qilin identified 12 victims of its ransomware attacks from July 2022 to May 2023, focusing mainly on critical sectors, according to Group-IB, a computer software firm focused on fighting cybercrime. Qilin operates on a ransomware-as-a-service model, meaning it can be purchased on the dark web and deployed against whatever network the user chooses.
Ransomware is a crime, but it’s also big business. In 2021, U.S. banks processed a peak $1.2 billion in ransomware payments, according to the U.S. Treasury Department’s most recent data. Payments are believed to have decreased significantly in 2022 due in part to federal sanctions, refusal to pay and more sophisticated defenses by companies.
In response to better defenses, hackers have also upped their cunning. Traditionally, a cyber attacker would breach a firm’s data, encrypt it and demand payment to decrypt it. “Over time, companies have largely in response to this issue been doing a better job of backing up their systems,” Wernikoff said. “That can be a pretty good defense.”
Now, it is common for attackers to engage in “double extortion,” where they cull sensitive information from the breached data and threaten to make it public if a payment is not made, as appears to be the case with Yanfeng.
As in almost every business deal, victims often will negotiate for a lower price. If the company deems the data release too damaging, “a series of business negotiations will take place where the company will try to get a better deal,” Wernikoff said. There’s always the risk that attackers will release the information anyway, but that’s bad for business because then future victims won’t pay.
Companies often have insurance to hedge against cyberattacks, and they typically bring in a third-party data forensic firm to determine the extent of damage and exposure, Wernikoff said. The problem is handled one way or another, but “often times a company’s response to these attacks are not public and not really known.”