BERLIN — Nearly nine months after German supplier Eberspaecher Group fell victim to a large-scale cyberattack, the company is finally eliminating the remaining effects from its 80 sites worldwide and has made its IT systems more secure.
The attack cost the company a “mid-double-digit million amount,” Eberspaecher CEO Martin Peters told journalists.
This figure is likely to be between 40 and 60 million euros ($40 million to $60 million), according to a report in Automotive News Europe sister publication Automobilwoche.
Eberspaecher produces exhaust technology, air conditioning and heating systems. It has 80 locations in 29 countries and employs nearly 10,000 people. Volkswagen Group, BMW and Stellantis are among its customers.
The supplier’s IT monitoring systems first registered suspicious activity on October 24, 2021, when perpetrators deployed ransomware to gain access to company systems.
To prevent the possible spread of the attack within the company and externally, the company shut down all networks and servers.
At this point, some of the data had already been tapped and encrypted. Employees could not be reached by phone or email for weeks.
“Of course, blackmail of this kind is all about ransom,” says Peters.
He declined to reveal how high the demands were and whether ransom money was ultimately paid, but he added, “I can only say that we will not be blackmailed.”
An Eastern European group was responsible for the attack, using a ransomware called BlackMatter, which is based on a ransomware-as-a-service (RaaS) model.
As there had already been an attack on Colonial Pipeline in the U.S. with a predecessor program, U.S. authorities were alerted and were able to support the German police in the investigation. According to media reports, the cybercrime group has since disbanded, not least because many of its members have apparently been arrested.
As soon as the attack became known, charges were filed and Eberspaecher called in the police.
“We were lucky that the local police chief takes cybercrime very seriously and that the authorities are well positioned,” said Peters.
Two years earlier, Pilz, a medium-sized German automation specialist from Ostfildern near Stuttgart, had also fallen victim to a hacker attack.
The police had significantly upgraded their capabilities following that attack, Peters said. “They were really very well networked,” he added.
Attack aftermath
For Eberspaecher, the first priority was to secure production in the 50 plants and to continue serving customers.
The company works with almost all major vehicle manufacturers, both in the passenger car and commercial vehicle sectors.
Employees worked almost around the clock in the first few weeks to keep the assembly lines running, replacing processes with analog workarounds. “That welded us together as a workforce and was a great experience,” Peters said.
He said none of Eberspaecher’s customers had to stop production because of a lack of parts.
After a painstaking audit, the IT infrastructure was gradually put back into operation over a period of weeks and months.
A forensics team also checked which areas of the network were affected and cleaned up the data. In the process, parts of the network and structure were rebuilt in parallel and made even more secure.
Peters said that while IT systems have now been further optimized, from his perspective, there is no “absolute security” against such attacks.
“When you see how much we as a company invest in data-driven processes and business models, it can make you a little anxious,” he said.