Foxconn Confirms Cyberattack by Nitrogen Ransomware Group
Key Points
- Foxconn confirmed it was hit by a ransomware attack from the Nitrogen group, which alleges it stole 8TB of data tied to major customers including Apple, Nvidia, Google, AMD, and Intel.
- The incident is part of a growing trend of supply‑chain attacks, where threat actors target central vendors to indirectly gain access to high‑value enterprise data and cause widespread operational disruptions.
- IANS Faculty warn these attacks will continue to increase, as downtime at manufacturers makes attacks more damaging for victims and more profitable for threat actors.
The world’s largest electronics manufacturer, Foxconn, confirmed some of its North American factories were hit by a cyberattack earlier this week.
The Nitrogen ransomware group claimed responsibility for the attack and said it stole 8TB of data and over 11 million documents from Foxconn's systems.
Foxconn has over 900,000 employees in 24 countries. It manufactures products for a wide range of customers, including Apple, Nvidia, Google, AMD, and Intel -- all companies Nitrogen claims to have stolen data from.
The Nitrogen ransomware operation was first identified in 2023. Enterprises like Foxconn aren’t its typical target. In the past, Nitrogen focused on attacking mid-sized operations -- ones big enough to have a significant supply chain impact but small enough to have security gaps due to limited resources or investment.
Nitrogen often uses a formula for its attacks, similar to what was used against Foxconn, according to IANS Faculty Ismael Valenzuela, who has been tracking Nitrogen as VP of Threat Research and Intelligence at Arctic Wolf.
"Nitrogen stands out in how it gains access, using malicious online ads to lure users into downloading trojanized software, which points to a more controlled and intentional approach than opportunistic phishing campaigns. Once inside, they follow a consistent playbook, stealing data before encrypting systems so they have leverage on multiple fronts, combining operational disruption with the threat of sensitive information being exposed." Ismael Valenzuela, IANS Faculty.
Big Picture
Attacking vendors gives threat actors indirect access to a wide array of enterprise data for a fraction of the effort. This incident is a prime example: Nitrogen was able to access high-value data -- including confidential instructions, projects and drawings -- from many of the world's most influential organizations in a single attack.
"Companies like Foxconn being targeted by ransom groups is of critical interest to their customers, of course, as companies like Apple are probably extremely interested in not having their private data leaked. Any kind of relationship with a manufacturer will require them to have confidential intellectual property about your products, making this quite concerning." Guillaume Ross, IANS Faculty.
Ransomware attacks targeting supply chains have a significant impact because they disrupt entire ecosystems of customers and manufacturers. When a vendor like Foxconn is compromised, the effects cascade across global production lines and expose sensitive intellectual property – making the payoff huge for a threat actor looking to cause large-scale operational disruption.
"The more the hardware supply chain is constrained, the more impactful downtime at any factory will be. Essentially, if you produced 90% of the time and had a small outage, it might not instantly turn into lost revenue. But if you are running 24/7, non-stop, any downtime is a loss in revenue. And for this reason, I believe threat actors will ask for ransom from such organizations at an increased frequency in the next few months." Guillaume Ross, IANS Faculty.
Ransomware attacks like these will continue to increase. Traditional compliance-focused approaches to third-party risk may leave gaps as organizations become more dependent on interconnected vendors and platforms.
IANS Faculty Recommendations
- Prioritize and continuously manage critical vendors: Categorize vendors where you share sensitive data or have high operational reliance as critical and focus due diligence and monitoring there. Move beyond point-in-time onboarding reviews toward continuous and comprehensive assessments, potentially using security ratings / third-party risk intelligence tools.
- Extend IR playbooks to vendor-triggered scenarios: Update IR plans with procedures for when a critical vendor service goes down: how quickly you can take services offline, alternate access methods, and who to notify.
- Contract for resilience and response: Put clearer security and incident requirements into contracts: specific standards, incident response timelines, and audit rights/expectations. Review agreements for accountability/penalties and ensure roles are clear during major outages or security events.
- Engineer operational workarounds for vendor disruption: Plan alternative access/continuity options (e.g., secure browsers/VDI, cloud failover -- especially for authentication dependencies) and test them. For vendors with agents in your environment, require controlled deployment practices.
- Pre-arrange help you’ll need during extortion: Verify coverage for third-party outages/security events and understand notification/authorization steps so you don’t jeopardize reimbursement during a crisis. Maintain up-to-date threat intelligence so you can identify ransomware/tooling and potentially find non-payment recovery options.
Authors & Contributors
Emily Dempsey, Author, IANS News
Ismael Valenzuela, IANS Faculty
Guillaume Ross, IANS Faculty