US construction giant unearths concrete evidence of cyberattack

Simpson Manufacturing yanks systems offline, warns of ongoing disruption


Simpson Manufacturing Company yanked some tech systems offline this week to contain a cyberattack it expects will "continue to cause disruption."

The California-headquartered engineering biz, which produces wood and concrete construction products designed to make structures safer, confirmed the digital assault on the same day it was spotted.

"On October 10, 2023, Simpson Manufacturing Co., Inc. experienced disruptions in its Information Technology (IT) infrastructure and applications resulting from a cybersecurity incident," it states in an SEC filing [PDF].

"After becoming aware of the malicious activity, the Company began taking steps to stop and remediate the activity, including taking certain systems offline. The Company is working diligently to respond to and address this issue. The incident has caused, and is expected to continue to cause, disruption to parts of the Company's business operations."

The statement indicates a possible ransomware infection that the business is endeavoring to overcome but this remains unconfirmed at the time of writing. It is certainly a rich target for criminals, operating multiple research labs and holding thousands of patents and trademarks.

It employs more than 5,000 people across global operations, has a market capitalization of $6.1 billion, and turned over more than $2.1 billion in sales in the last full calendar year. The majority of its products are made in the US but some are produced in Europe, Canada, and Asia.

As is typical in these situations, Simpson Manufacturing has brought in third-party specialists to "support its investigation and recovery efforts." It added: "The investigation to assess the nature and scope of the incident remains ongoing and is in its early stages."

For years it seemed as though the construction industry was "immune" to security attacks, according to a research paper [PDF] by the Association of General Construction of America in 2021. Yet that "perspective no longer carries weight" and the sector in general is now "one of the leading industries impacted by data security incidents."

Why? "Threat actors know that the construction industry is in some areas behind in data security and privacy initiatives. This is in large part because this industry, to date, avoided heavy regulation in data security and privacy laws. The limited regulation and guidance in the construction industry may have contributed to less focus on cyber security than in other industries."

Many construction businesses are also using machine learning and robotics more, which poses a potential risk. "These new technologies still require data security and privacy risk assessments and proper controls in place, something that may be a second thought for those in the construction industry that may not have historically had cybersecurity top of mind."

Last but by no means least, the sector is a "big, lucrative target."

"The exposure of cyberattacks in construction, in part, is amplified by the amount of confidential and proprietary information digitally stored and shared across projects and their long information technology chains," the report adds. "Infrastructure, financial accounts, as well as the data of employees, projects, and business sensitive information may be at risk. Accordingly, the number of cyber security attacks in the construction industry are growing exponentially."

The Register asked Simpson Manufacturing to comment. ®
