An apparent ransomware attack on several of Foxconn’s North American facilities is the latest reminder that manufacturing companies are among the most targeted in cybercrime, because of their central role in high-value supply chains and low-tolerance for downtime.
Foxconn this week admitted that a cyberattack had affected operations at some of its North American facilities. In a brief statement to Dark Reading, the world’s largest contract electronics manufacturer stopped short of describing the attack as a ransomware incident, and did not disclose the scope or the impact of the breach, but confirmed that a malicious actor was behind the incident.
Nitrogen Ransomware Gang Claims Credit for Breach
“Some of Foxconn’s factories in North America suffered a cyberattack,” said the company, whose clients include Apple, Nvidia, Amazon, Dell, Google, Huawei, Microsoft, Nintendo, Sony, and Xiaomi. “The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production.”
Earlier this week, ransomware group Nitrogen claimed credit for the attack on its leak site, according to threat intelligence firm Hackmanac. The threat actor claimed it had exfiltrated more than 11 million files, amounting to some 8TBs of data, from Foxconn, Hackmanac said. The stolen data allegedly included “confidential instructions, internal project documentation, and technical drawings related to projects involving Intel, Apple, Google, Dell, Nvidia, and other companies,” Hackmanac said.
Sofia Scozzari, CEO and founder of Hackmanac, tells Dark Reading that the sample files that Nitrogen uploaded to its leak site allegedly included Foxconn financial records, engineering schematics, motherboard and PCB diagrams, server platform documentation, power distribution guidelines, thermal and liquid leakage sensor designs, I3C/I2C topology specifications, and manufacturing process documents.
“The exposed materials also reference confidential technical documentation associated with JPMorgan Chase, Google, Intel, NVIDIA, AMD, ASPEED, Renesas, Hewlett Packard Enterprise, and Tencent,” Scozzari says. At this stage, there is no confirmation that Foxconn paid a ransom, she says. “However, the company is still listed on the Nitrogen ransomware group’s onion leak site, which suggests that either negotiations are ongoing, or the company has decided not to pay the ransom.”
Manufacturers: A Prime Target for Ransomware
It’s unclear how Nitrogen actors gained initial access to Foxconn. But previous investigations into Nitrogen-related campaigns have shown that the group uses SEO poisoning and fake software downloads to distribute malicious installers, often impersonating tools such as Advanced IP Scanner, AnyDesk, WinSCP, or Cisco AnyConnect, Scozzari says.
The attack is one of hundreds that have targeted manufacturing companies in recent months. Data that Comparitech has compiled show as many as 600 ransomware attacks on manufacturing companies so far this year, with 55 of those victims confirming the incidents. For those with available data, median ransomware payments hover at $400,000, according to Comparitech.
Rebecca Moody, head of data research at Comparitech, says manufacturers are a high-value target for ransomware groups because of the important role they play as suppliers to other companies, and also for the data they hold. With the attack on Foxconn, Nitrogen had two chances of receiving a ransom, she says: one for decrypting the systems, and the other for deleting stolen data belonging to Foxconn’s clients.
“We have seen an influx of attacks on manufacturers over the last year or so, which may suggest they’ve been pinpointed by some gangs as an ‘easier’ and more lucrative target,” Moody says. A number of gangs appear to have shifted their focus away from previous key targets, like healthcare, to focus on manufacturers.
Attackers know that manufacturers can ill afford downtime, and are perhaps more likely to succumb to ransom payments to have key systems restored, especially when they are part of larger supply chains.
“They may also deal with a number of different and high-profile clients — as Foxconn does — providing hackers with a central target to access data from multiple companies and hold this to ransom, too,” Moody says. “This supply chain disruption/access to sensitive data from multiple companies also makes them a prime target for state-sponsored hackers — as we saw with Stryker recently,” she adds.
In a prepared comment, Ismael Valenzuela, Arctic Wolf’s vice president of labs threat research and intelligence, described Nitrogen’s Foxconn attack as being different from its usual and highly consistent focus on smaller and medium sized firms tied to industrial operations and supply chains. “These are businesses that keep supply chains running but often lack the depth of security resources found in large enterprises, making them reliable and repeatable targets,” he said. Nitrogen’s victim profile also shows a clear targeting of shared vendors and common access points, such as managed service providers, remote access tools, or widely used software platforms that connect multiple companies, he added.
Arctic Wolf’s 2026 “Threat Report” revealed manufacturing to be the most heavily targeted sector for ransomware, with nearly 70% more victims than the next most targeted industry. The targeting reflects reflecting the focus of attackers on organizations where downtime directly halts revenue and production, according to the cybersecurity vendor.
Don’t miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now!

Comments are closed