Crown equipment dealership
Image: DigitalIceAge

Forklift manufacturer Crown Equipment confirmed today that it suffered a cyberattack earlier this month that disrupted manufacturing at its plants.

Crown is one of the largest forklift manufacturers in the world, employing 19,600 people and having 24 manufacturing plants in 14 locations worldwide. 

Since approximately June 8th, Crown employees have been reporting that the company was breached and all IT systems were shut down, with employees told not to accept MFA requests and to be wary of phishing emails.

With IT systems down, employees have been unable to clock in their hours, access service manuals, and, we are told, deliver machinery in some cases.

In an email sent to employees yesterday and seen by BleepingComputer, Crown finally confirmed that they suffered a cyberattack by an “international cybercriminal organization”.

A portion of this email is shared below:

“We know that the evolving situation with the disruption in our IT operations has created many additional questions.

Today, we can confirm that Crown’s IT system was hacked by an international cybercriminal organization which required us to shut down our operating systems so we could investigate and resolve the matter.

While we always want to communicate as timely as possible, in this situation it has been important that we do not provide the hackers information they could use against us.

We determined that many of the security measures Crown had in place were effective in limiting the amount of data the criminals were able to access. We also learned that the hackers gained entry into our system because an employee failed to adhere to our data security policies by allowing unauthorized access to their device.

We are working with some of the world’s best experts in cybersecurity matters and we have enlisted the aid of the FBI. With the help of these experts we are continuing to analyze the data that was affected. So far, we have not seen any signs that the personal information of our employees was targeted or that the information to conduct identity theft was compromised.” – Crown email to employees

As first reported by BornCity, it is believed that the breach occurred after an employee fell for a social engineering attack and allowed a threat actor to install remote access software on their computer.

Employees told BleepingComputer that the most frustrating part of this incident had been the lack of transparency and communication they received from the company.

Employees were originally told they would need to file for unemployment or use their banked paid time off (PTO) and vacation days if they still wanted to get paid for the missed days.

However, BleepingComputer was told that this changed and employees would receive their regular pay as an advance, with the ability to make up for the lost hours.

Today, Crown publicly confirmed the cyberattack for the first time, stating that its ongoing security measures played a role in limiting the effects of the attack.

“The company is still working through the disruption caused by the attack and is making progress toward transitioning to normal business operations. Crown is also working closely with its customers to help reduce the effect the incident may have on their operations,” reads a statement shared with BleepingComputer.

The company is now slowly bringing systems back online, though manufacturing remains disrupted.

While Crown has not shared what type of cyberattack they suffered, they did state it was caused by an “international cybercriminal organization,” which means the company likely suffered a ransomware attack.

Unfortunately, if it was ransomware, it also means that corporate data was likely stolen in the attack and will be leaked if a ransom is not paid.

BleepingComputer asked Crown if ransomware was behind the attack, but they said no additional information was available besides what is in today’s statement.

Source: www.bleepingcomputer.com