TOMRA: July 27th update on cyberattack

TOMRA discovered a cyberattack against the company on July 16th. Investigation has shown some systems have been affected by the attack and additional systems were proactively disconnected to contain the attack. A team of internal and external resources is working around the clock to establish alternative solutions and to reestablish normal operations.

Today we are releasing additional information about the nature of the cyberattack. The status of our external services remains similar to the last update on July 25th, and we have continued to make progress reconnecting RVM’s. TOMRA continues to deliver our services to customers, minimizing the impact this attack has on them.

We are still investigating the cyberattack and will continue to provide information as we progress with the investigation and recovery. So far, Microsoft has analyzed the Azure platform and we have onsite and central investigator teams from Deloitte and TOMRA in Norway, USA, Canada, Germany and New Zealand. In this update we are sharing what we currently know, and we underline that it does not give a full and final picture of what has happened.

Target of the attack

Based on the investigation we have done so far; we see that the threat actor targeted the TOMRA domain and TOMRA internal systems. We have not identified that any TOMRA customers have been targeted or compromised. No confidential information has been identified leaked, and we see no evidence of encryption of data, nor have we received any ransom claims.

Timeframe of the attack

Our investigations currently show that the threat actor was in their reconnaissance phase July 10th and initiated the operational phase July 15th. Sunday, July 16th 05:51 CET, TOMRA Security Operations detected suspicious activity linked to our Montreal location. When this was discovered, TOMRA Security Operations started to proactively shut down services and disconnect sites to contain the attack.

Development of the attack

We have identified that the threat actor escalated privileges and used Windows built-in tools to traverse laterally and perform malicious operations on target systems. This included creating backdoors and changing passwords. During the investigations we have identified technical indicators for tools used by the threat actor, and we have developed an understanding of the techniques for exploiting our systems.

Investigation

Origin and identity of the attackers is not concluded, but we have leads we are following. We are working with authorities and regulators in relevant markets.

Some technical details about the attack

• The threat actor has used built-in Windows functionality, malicious powershell payloads and malicious binaries to exploit systems and to create command and control channels.
• Malicious activities have been identified performed in the following areas: on-premise Windows and VMware environments, and in Azure. Currently identified affected on-premise systems are in Canada, US and Norway.
• Some examples of tools used by the threat actor are, legitimate passwords, cold boot attacks and back door applications.

TOMRA’s team is working tirelessly to manage the situation. In addition, the company is supported by a global team from Deloitte ensuring senior competence and resource availability globally. The team will continue to work until the situation is resolved.