Inside the Foxconn Cyberattack by Nitrogen Ransomware Group

A ransomware attack has struck the world’s largest electronics manufacturer. 

The victim currently being extorted is Foxconn, the Taiwanese semiconductor giant that manufactures products and components used across the global technology supply chain, with clients including Apple, Google, NVIDIA and Sony.

The first public indication of the breach was on 11 May, when the Nitrogen ransomware group claimed responsibility for the attack by publishing details on its dark web leak site.

The amount of data that has allegedly been stolen is major. According to the ransomware group, eight terabytes of data has been taken from Foxconn, spanning more than 11 million files. 

Worryingly, the cybercriminals say that this includes confidential data belonging to Foxconn customers as well. 

In an online post claiming responsibility for the attack, Nitrogen names Apple, Dell, Google, Intel and NVIDIA, saying that projects and drawings from these giants are among the stolen data. 

The group has published some schematics, guidelines and statements as proof of leakage. 

Ransomware disruption

Early signs of the cyber attack reportedly started on Friday, with Tech Radar noting that several Foxconn employees had trouble connecting to Wi-Fi, following which employees returned home or to the old school pen and paper operations. 

“Some of Foxconn's factories in North America suffered a cyberattack,” said a Foxconn spokesperson talking to The Register.  

“The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production.”

The company did not confirm any other claims made by the hackers. 

History of attacks

Foxconn is no stranger to ransomware. Back in December 2020, DoppelPaymer attack targeting the company wreaked destruction. 

Foxconn was attacked by Lockbit, at a manufacturing facility in Mexico in 2022. Another Lockbit attack later ravaged Foxsemicon, a Foxconn subsidiary in 2024.  

“As a major electronics manufacturing partner to some of the world’s largest technology firms, Foxconn represents a high-value target for cybercriminals,” says James Neilson, SVP of Global at OPSWAT. 

“Its central role in hardware production means a single compromise can cause widespread operational disruption and sensitive data exposure.

“While production delays may frustrate customers, the greater concern is the reported theft of confidential data by the Nitrogen ransomware group.”

“If attackers accessed proprietary instructions, project files and technical drawings from leading technology companies, the material could be leveraged for industrial espionage, vulnerability discovery, supply-chain compromise and counterfeit hardware production,” James explains. 

Major attacks that target operational infrastructure can therefore have rippling effects that far extend the scope of the attack. 

James says: “Although the full scope of the incident has not been confirmed, Nitrogen ransomware operators typically gain access through phishing emails, fake software download sites, malvertising and stolen login credentials. 

“This is why detecting and neutralising hidden threats by managing data flows is key.

“By inspecting files in transit across devices, users and the broader digital supply chain, organisations reduce the likelihood and impact of service disruptions and data breaches.”