A cyber attack at Foxconn, the world’s largest electronics manufacturer, has disrupted operations at numerous North American factories.
Foxconn activated incident response protocols and implemented operational measures to ensure continued production and delivery after learning of the cyber attack.
“The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production,” the company stated.
Foxconn is a priority manufacturer for major brands, including Apple, AMD, and Nvidia. It operates over 230 factories across 24 countries worldwide, and reported annual revenue of over $260 billion in 2025.
Nitrogen ransomware group claims Foxconn cyber attack
The Nitrogen ransomware group has taken responsibility for the Foxconn cyber attack and claims to have stolen 8 terabytes of data and more than 11 million documents.
The documents the group claims to have stolen allegedly contain confidential instructions, projects, and drawings from various tech giants, including AMD, Apple, Google, Intel, and Nvidia. Other potentially affected corporations include Hewlett Packard Enterprise (HPE), JPMorgan Chase, ASPEED, Renesas, and Tencent.
The hackers have also published data samples, including product schematics, PCB designs, server platform documentation, guidelines, sensor designs, I3C/I2C topologies, manufacturing processes, and bank statements as proof.
Such information could enable attackers to discover product vulnerabilities or allow competitors to reverse-engineer products or create counterfeits. Because Foxconn is a priority manufacturer for the West, the data leak could also enable state-sponsored actors to engage in industrial espionage.
Meanwhile, Foxconn says the cyber attack has been resolved and “the affected factories are currently resuming normal production.”
Neither Foxconn nor Nitrogen has disclosed how the cyber attack happened. However, the Nitrogen hacking group relies on SEO to distribute malware, including malicious counterfeits of Advanced IP Scanner, AnyDesk, WinSCP, and Cisco’s AnyConnect. The contract manufacturer has also not indicated whether it plans to pay the extortion demand.
First discovered in 2023, Nitrogen is a double extortion group that targets manufacturing supply chains, construction, financial services, and technology. The hacking group used to be an initial access broker for other prolific ransomware gangs such as Blackcat/ALPHV before transitioning to an independent ransomware-as-a-service (RaaS) operation. It used the leaked Conti 2 builder code to create its encryptor.
“The Foxconn incident is the latest reminder that the boundary between IT compromise and operational disruption has effectively disappeared,” said Adrian Culley, Senior Sales Engineer, SafeBreach. “A ransomware crew using commodity techniques — malvertising, DLL sideloading, Cobalt Strike — was able to disrupt production at one of the world’s most sophisticated manufacturers and walk away claiming 8 TB of customer-sensitive technical data.”
“The Nitrogen group’s tradecraft is not novel. It is documented, mapped to MITRE ATT&CK, and within the capability of every mature security program to detect. The question every CISO should be asking this week is not ‘are we patched?’ — it is ‘have we validated that our controls actually stop this chain, end to end, in our environment?’,” added Culley.
Foxconn breached again
Foxconn has experienced numerous data breaches in the past. In 2024, the LockBit ransomware gang breached the company’s subsidiary Foxsemicon and stole 5 terabytes of data, including personal information. In 2022, LockBit ransomware also breached Foxconn at its Tijuana, Mexico, facility that supplies consumer electronics to California.
Much earlier, in 2020, the DoppelPaymer ransomware group also breached Foxconn operations in the Americas and demanded a ransom of 1804.0955 Bitcoins, worth about $34 million at the time. The cyber attack occurred at a facility in Ciudad Juárez, Chihuahua, Mexico, and encrypted over 1,200 servers, disrupting the assembly and shipment of North American products.
The cyber attack also leaked over 100 GB of data and destroyed approximately 30 terabytes of backups to prevent the company from rebuilding its systems without paying the ransom.
