Johnson Controls International (JCI) spent $27 million remediating a September 2023 ransomware attack against its systems — an attack that government officials warned at the time could threaten physical security.
According to a document filed this week with the U.S. Securities & Exchange Commission (SEC), the building automation, HVAC and fire protection giant discovered the attack on the weekend of September 23, after receiving reports of system outages. This was a ransomware attack that took down internal IT infrastructure and allowed attackers to exfiltrate company data.
The document did not mention which group JCI determined was behind the cyberattack, but researchers at the time attributed it to Dark Angels using a custom VMware ESXi encryptor.
“The company has implemented its incident management and response plan and business continuity plans, including the implementation of remediation measures to mitigate the impact of the incident and restore affected systems and functions,” JCI noted in the SEC filing, adding that the $27 million price tag for the initiative takes into account cyber insurance payments and includes the cost of retaining outside cybersecurity specialists.
The statement notes that investigations and remediation efforts remain ongoing, “including analysis of data accessed, exfiltrated, or otherwise affected during the cybersecurity incident,” and as a result the company is expected to spend more on recovery.
Contrary to fears raised by the Department of Homeland Security after the attack, JCI also said that “there is no evidence of any impact on its digital products, services and solutions, including OpenBlue and Metasys,” referring to its smart building and artificial intelligence-based business lines, which are often implemented in industrial environments and bring operational technology (OT) together with IT systems.