Johnson Controls ransomware attack raises concerns for downstream organisations
The ransomware attack on Johnson Controls International (JCI) in September 2023 has left a significant impact, with the company still actively notifying individuals affected by the data breach as of August 2025 [1][4]. The attack disrupted the company's operations worldwide, resulting in the theft of sensitive data.
Although no confirmed direct compromise of U.S. federal agencies from this incident has been reported, the attack raises concerns about vulnerabilities in critical infrastructure supply chains. Given Johnson Controls' significant role in building automation and critical infrastructure sectors, a compromise of its systems could potentially affect U.S. federal agencies and critical infrastructure [3].
Johnson Controls remains operational and financially strong despite the attack, continuing its growth and business recovery [5]. However, the incident underscores ongoing cybersecurity risks to infrastructure reliant on their technology. In official testimonies and warnings, it has been emphasised that ransomware actors are increasingly sophisticated, targeting production and critical systems to maximise disruption and ransom likelihood [3].
The attack has been attributed to the ransomware group called Dark Angels, according to a ransom note shared on social media by Gameel Ali, a threat researcher at Nextron Systems [2]. Dark Angels, which first emerged in May 2022, is known to create ransomware variants from leaked or existing code and has targeted organisations in healthcare, government, finance, and education [6].
In the wake of the attack, corporate stakeholders are seeking to better understand the risk calculus of their technology stacks, and whether they themselves are a target remains an open question. The evolving role of CISOs reflects this demand for a clearer picture of technology-stack risk [7].
Gary Barlet, federal field CTO at Illumio, emphasises the need for accountability in government contractors' security standards. He states that there will be little incentive for vendors to invest in needed security until penalties are levied against vendors who fail to do so [8]. The incident underscores the need for mandatory minimum cybersecurity requirements and an enforcement mechanism in the Department of Defense's global supply chain [9].
The Cybersecurity and Infrastructure Security Agency is coordinating closely with Johnson Controls to understand impacts from this incident and provide assistance as necessary [10]. The Department of Homeland Security is also trying to determine if the attack compromised sensitive physical security information, including agency building floor plans [11].
Johnson Controls declined to share new details about the incident or its ongoing investigation and referred back to its SEC filing [12]. As the investigation continues, the focus remains on understanding the extent of the damage caused by the attack and ensuring the necessary measures are taken to prevent such incidents in the future.
[1] https://www.johnsoncontrols.com/about-us/newsroom/press-releases/johnson-controls-announces-data-security-incident
[2] https://www.bleepingcomputer.com/news/security/johnson-controls-hit-by-ransomware-attack-as-dark-angels-linked/
[3] https://www.washingtonpost.com/technology/2023/09/28/johnson-controls-ransomware-attack-critical-infrastructure/
[4] https://www.reuters.com/business/us-johnson-controls-notifies-customers-data-breach-2023-09-28/
[5] https://www.bloomberg.com/news/articles/2025-08-01/johnson-controls-shares-rise-as-it-raises-fiscal-2025-guidance
[6] https://www.sentinelone.com/blog/threat-intelligence/dark-angels-ransomware-group-targeting-critical-infrastructure/
[7] https://www.wired.com/story/the-cybersecurity-executive-whos-making-boardrooms-take-risk-seriously/
[8] https://www.illumio.com/blog/gary-barlet-illumio-federal-cto-highlights-the-need-for-accountability-in-government-contractors-security-standards/
[9] https://www.defenseone.com/technology/2023/09/johnson-controls-ransomware-attack-highlights-need-for-mandatory-minimum-cybersecurity-requirements-in-dods-global-supply-chain/180202/
[10] https://www.us-cert.gov/ncas/alerts/TA21-240A
[11] https://www.cbsnews.com/news/johnson-controls-ransomware-attack-could-impact-u-s-government-infrastructure/
[12] https://www.sec.gov/Archives/edgar/data/1016030/000119312523315872/d181127dex101.htm
- The incident involving Johnson Controls International (JCI) highlights the ongoing cybersecurity risks to infrastructure that relies on its technology, particularly as ransomware actors become increasingly sophisticated in targeting production and critical systems.
- In the wake of the JCI ransomware attack, corporate stakeholders are examining their technology stacks closely, seeking to better understand the risk calculus and determine whether they are potential targets.
- To strengthen cybersecurity, there have been calls for mandatory minimum requirements and an enforcement mechanism in the Department of Defense's global supply chain, with an emphasis on accountability for government contractors' security standards. Incidents like the JCI attack continue to underscore the potential impact on the financial, government, and critical infrastructure sectors.