North American auto supplier Yanfeng claimed by Qilin ransom group


The November 13th ransomware attack on Yanfeng – one of the top automotive parts suppliers for GM and Chrysler, Jeep, Dodge, and Ram in North America – has been claimed by the Qilin ransom gang.

The attack on the China-based supplier had an immediate ripple effect on the auto manufacturing supply chain in North America, causing interruptions at several US factories, including those run by global automaker Stellantis.

Stellantis (formerly Fiat Chrysler until a 2023 merger with the French PSA Group) has 22 manufacturing facilities in the United States, six in Canada, and seven in Mexico.


“Due to an issue with an external supplier, production at some of Stellantis’ North America assembly plants has been disrupted. We are monitoring the situation and working with the supplier to mitigate any further impact to our operations,” Stellantis manufacturing & labor spokesperson Ann Marie Fortunate told Cybernews on November 15th.

[Image: Stellantis auto manufacturer] Stellantis N.V. is a multinational automotive manufacturing corporation headquartered in Amsterdam. Stellantis has 22 factories in the US, six in Canada, and seven in Mexico. Image by Jonathan Weiss | Shutterstock.

Cybernews had also reached out to Yanfeng, but the company did not respond and has made no public statement on the attack. At the time, GM had announced it was monitoring the situation closely.

The Yanfeng website was down for more than a week, and Jeep owners had reported that customer service lines were also down for days.

“Factory production of Chrysler, Dodge, Jeep, etc., is still paused in North America due to the hack of Yanfeng,” security researcher Kevin Beaumont posted on X last week.

Yanfeng attack linked to Citrix bug

New information posted by Beaumont points to the threat actors taking advantage of a recently exploited zero-day vulnerability known as the “Citrix Bleed.”


The Citrix bug is thought to have been commandeered by hackers over the summer, just days after the bug was disclosed by the cloud computing company.

Citrix had released a critical fix for the bug in October, but by then, cybercrooks had already infiltrated hundreds of companies by installing backdoors in systems that remained operable even after patching.

The flaw was first abused by the LockBit ransom gang in a spate of attacks carried out this November on major names such as Boeing, ICBC Bank, Allen & Overy, and DP World Australia.

Beaumont, one of the first researchers to connect the dots between the November attacks, Citrix Bleed, and LockBit, hinted that two other ransom gangs were getting in on the action.

It now appears that one of those groups is none other than the threat actor known as Qilin, which, like LockBit, also operates as a ransomware-as-a-service (RaaS) gang.

Qilin's big get

Qilin, also known by the moniker Agenda, posted Yanfeng on their dark leak site Monday, November 27th, along with an alleged sample of 23 photos depicting stolen data.

“Below are screenshots confirming that we have a lot of sensitive information in our possession, which will be released in the coming days,” the gang posted on its blog.

Qilin’s photos would not load for Cybernews, so we are unable to confirm the sampling, and the gang did not disclose the amount of data it may have.

[Image: Qilin dark leak site listing Yanfeng]

Yanfeng primarily supplies auto interiors including seating, door panels, instrument panels, and floor consoles, as well as passive safety.

Yanfeng has more than 240 locations and approximately 57,000 employees worldwide, according to its website, providing a potential treasure trove of sensitive data.

The company also has a thriving technology sector, with 14 R&D centers where engineers and software developers design innovative cockpit electronics and smart products for present-day and future vehicles.

Meanwhile, a March undercover investigation by Group-IB, released just last week, revealed the inner workings of the Qilin gang.

The group was first noted in 2022 and often uses phishing emails to target its victims.

The group is believed to have links to Russia, and Group-IB researchers discovered how its affiliate payment structure is laid out.

“For ransomware payments totaling $3m or less, affiliates earn 80% of the payment. For payments of more than $3m they get 85%,” Group-IB said.

The research also revealed that RaaS affiliates can configure the gang’s ransomware and personalize the ransom note to include the company name, ransom amount, timezone, and more with Qilin's customizable malware builder.

According to a Q2 2023 Ransomware Report by threat intelligence firm Cyble, ransomware attacks on the global manufacturing sector rose a whopping 130% in the first half of 2023.
