Inside the Foxconn Cyber Attack: Ransomware & Stolen Data

Foxconn has been targeted in a ransomware attack that threatens to expose confidential data from major technology companies.

The Taiwanese electronics manufacturer creates products and components used by clients including Apple, Google, NVIDIA and Sony. 

On 11 May, the Nitrogen ransomware group claimed responsibility for an attack by publishing details on its dark web leak site. 

According to the threat actors, they have extracted eight terabytes of data spanning more than 11 million files from Foxconn systems.

The stolen data

“Some of Foxconn's factories in North America suffered a cyberattack,” said a Foxconn spokesperson talking to The Register.  

“The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production.”

The company did not confirm any other claims made by the hackers. 

The ransomware group claims the stolen data includes confidential information belonging to Foxconn customers.

In an online post, Nitrogen named Apple, Dell, Google, Intel and NVIDIA, stating that projects and drawings from these companies are among the compromised files.

The threat actors published schematics, guidelines and statements as proof of the data theft. 

Tech Radar noted that Foxconn employees first experienced difficulties connecting to Wi-Fi. Workers either returned home or switched to paper-based operations following the connectivity issues.

A history of attacks

Foxconn has experienced multiple ransomware incidents over the past four years.

DoppelPaymer targeted the company in December 2020, causing operational disruption.

Lockbit attacked a Foxconn manufacturing facility in Mexico in 2022.

Another Lockbit attack hit Foxsemicon, a Foxconn subsidiary, in 2024.

Supply chain risks

"As a major electronics manufacturing partner to some of the world's largest technology firms, Foxconn represents a high-value target for cybercriminals," says James Neilson, SVP of Global at OPSWAT.

"Its central role in hardware production means a single compromise can cause widespread operational disruption and sensitive data exposure."

"While production delays may frustrate customers, the greater concern is the reported theft of confidential data by the Nitrogen ransomware group," James says.

"If attackers accessed proprietary instructions, project files and technical drawings from leading technology companies, the material could be leveraged for industrial espionage, vulnerability discovery, supply-chain compromise and counterfeit hardware production."

Attacks on operational infrastructure can have effects that extend beyond the initial target.

The theft of technical specifications and design files could enable multiple forms of exploitation by threat actors or competitors.

"Although the full scope of the incident has not been confirmed, Nitrogen ransomware operators typically gain access through phishing emails, fake software download sites, malvertising and stolen login credentials," James says.

"This is why detecting and neutralising hidden threats by managing data flows is key.

"By inspecting files in transit across devices, users and the broader digital supply chain, organisations reduce the likelihood and impact of service disruptions and data breaches."