Foxconn confirms ransomware attack on US plants Apfelpatient

Apple's main contract manufacturer, Foxconn, has once again been the target of a cyberattack. The ransomware group Nitrogen claims to have stolen 8 TB of data – including alleged material from Apple, Google, Dell, and Nvidia. Foxconn has confirmed an attack on its North American locations but has not yet denied the extent of the damage.

This latest incident is not the first time Foxconn has been targeted: The Taiwanese company is a key node in Apple's global supply chain and has therefore been a popular target for extortionists for years. This time, at least two North American factories, in Wisconsin and Texas, are said to be affected. The attackers have released sample files to support their demands. So far, no Apple-specific content has been identified among them.

What is known so far about the attack

The Nitrogen ransomware group claims to have stolen 8 terabytes of data in the attack. This allegedly includes schematics and project details from various clients, specifically Apple, Google, Dell, and Nvidia. Foxconn itself, in a statement, refers to a "cyberattack" without specifying figures and explains that the affected factories are currently resuming normal production.

Initial reports of the outage surfaced on May 1st. On that day, the Wi-Fi reportedly went down around 7:00 a.m. at the Foxconn plant in Mount Pleasant, Wisconsin. Four hours later, the factory's core infrastructure was affected. Employees reported being instructed to shut down their computers and not log back in. Even the time-tracking terminals failed, forcing employees to temporarily record their hours on paper. In addition to the Wisconsin plant, a Foxconn facility in Houston, Texas, is also believed to be affected.

Why Apple is probably not directly in focus

The sample files Nitrogen has released so far, according to current information, contain no material that can be clearly linked to ongoing or upcoming Apple projects. This aligns with the profile of the affected factory: The Mount Pleasant facility primarily specializes in televisions and servers for data centers, not Apple hardware. Based on the current information, a data leak directly related to iPhones, Macs, or Vision Pros appears unlikely.

However, this is no reason for Apple, the client, to be relieved of security risks. As soon as a key supplier is compromised, all customers become targets for potential attackers – even if the specific targets of attack are located elsewhere this time.

Foxconn as a recurring destination

The current attack is part of a series dating back to 2020. At that time, a Foxconn facility in Ciudad Juárez, Mexico, was hit: The group DoppelPaymer encrypted servers, stole data, and demanded 1,804 Bitcoin – at the exchange rate then, approximately US$34 million. In May 2022, LockBit struck another Mexican Foxconn factory, temporarily halting production. In 2024, the subsidiary Foxsemicon Integrated Technology was targeted with defacement and allegations of data leaks.

The increasing frequency shows how attractive global contract manufacturers are to ransomware groups: many end customers, many locations, high complexity – and therefore a correspondingly large attack surface.

The larger development

Supply chain security is no longer a side issue, but a strategic concern for all major tech companies. Apple has demonstrably invested in its own security structures in recent years, including through its joint initiative with Anthropic to hunt for vulnerabilities. However, when it comes to critical hardware infrastructure outside its own premises, the company inevitably remains dependent on the security standards of its partners.

Added to this is the geopolitical pressure surrounding Apple's manufacturing base: While China is increasingly exerting pressure on Apple's chip manufacturer TSMC, cyberattacks like the recent Foxconn incident make it clear that even relocating production to North America does not automatically guarantee security. Ransomware operates according to a clearly recognizable pattern: intrusion via a vulnerability, encryption of critical systems, extortion with a ransom demand – a scheme that fits the approach taken at the Foxconn plant exactly.

Foxconn's reaction and the status quo

Foxconn itself is remaining publicly tight-lipped. The company only confirmed to WIRED that individual factories were affected and that production is currently restarting. There has been no statement regarding the extent of the data breach, the amount demanded by the attackers, or any potential ransom negotiations. The company is also not disclosing whether any employee personal data or customer trade secrets were compromised.

It is currently unclear whether, in what form, and within what timeframe Apple will issue a statement. The company traditionally remains reserved regarding incidents at its suppliers, as long as no specific product data or customer information is involved.

What will remain from the Foxconn incident

The renewed attack on Foxconn makes it clear that even highly professional suppliers are constantly targeted by organized ransomware groups. For Apple, the immediate danger in this specific case remains limited because the affected factory does not produce any key Apple products. Strategically, however, the incident remains a warning sign: the more distributed the manufacturing process, the more points of entry there are for attackers to exploit. (Image: Shutterstock / vectorfusionart)