Nitrogen ransomware hits Foxconn's North American factories

The Nitrogen ransomware group attacked several Foxconn factories in North America, claiming to have stolen 8 terabytes of data, including confidential files from tech companies such as Apple, Intel, and Google.

 

What happened

Foxconn, one of the world's largest electronics manufacturers with $259 billion in revenue last year, confirmed that several of its North American factories suffered a cyberattack. The company's cybersecurity team responded by implementing additional measures to maintain production and delivery continuity.

Nitrogen, the ransomware group claiming responsibility, posted screenshots of allegedly stolen data on its data leak site and stated it compromised more than 11 million files totaling 8 terabytes. The group claimed this data included confidential instructions, project files, and technical drawings tied to major technology companies. Foxconn has not confirmed the existence of a ransom demand or disclosed the specific systems affected.

 

Going deeper

Nitrogen first appeared in 2023 using ALPHV, a widely deployed ransomware variant. In 2024, the group shifted tactics, incorporating stolen code from Conti to build custom attack tools targeting Windows and VMware server environments. More recently, Nitrogen has focused its operations on manufacturing and technology sector targets.

 

What was said

A Foxconn spokesperson confirmed the attack and said its cybersecurity team immediately implemented additional "measures to ensure the continuity of production and delivery." The spokesperson also noted that "affected factories are currently resuming normal production."

Ismael Valenzuela, vice president of threat research and intelligence at Arctic Wolf Labs, described Nitrogen's approach as a "consistent playbook, stealing data before encrypting systems so they have leverage on multiple fronts, combining operational disruption with the threat of sensitive information being exposed." He added that the group's tactics indicate it is "operating with a defined model, focusing on organizations that are easier to access but still critical enough to drive pressure and payment."

Cynthia Kaiser, senior vice president at Halcyon's Ransomware Research Center, noted that "the most recent cases of claims by Nitrogen do not include a working file listing on the leak site and include mostly older images of files," raising questions about whether the group is inflating its claims.

 

By the numbers

  • 8 terabytes of data allegedly stolen
  • 11+ million files claimed in the breach
  • $259 billion, Foxconn's annual revenue, making it one of the world's largest companies
  • Foxconn operates factories across 6 North American states and Mexico: Wisconsin, Ohio, Texas, Virginia, Indiana, and multiple sites in Mexico

Why it matters

An attack on Foxconn's North American operations carries potential downstream consequences for some of the most recognizable names in consumer technology. If Nitrogen's claims about accessing confidential design files and project drawings from companies like Apple, Intel, and Google are verified, the implications extend to the intellectual property and product roadmaps of those companies' supply chains.

This attack also shows the vulnerability of contract manufacturers, organizations that sit at the intersection of multiple major clients and hold sensitive technical data, yet may not face the same level of regulatory pressure around cybersecurity as the brands they serve. For the healthcare and technology industries, the use of double-extortion tactics means that even organizations with strong backup and recovery capabilities still face the threat of public data exposure.

 

FAQs

What is ransomware?

Ransomware is malicious software that cybercriminals use to encrypt a victim's systems or steal their data, then demand payment in exchange for restoring access or not publicly releasing the stolen information.

 

What is double-extortion?

Double-extortion is a ransomware tactic where attackers steal data before encrypting systems, giving them two forms of leverage: the victim must pay both to regain access and to prevent their sensitive data from being publicly released.

 

How do ransomware groups gain access to a company's systems?

Ransomware groups most commonly gain initial access through phishing emails, unpatched software vulnerabilities, compromised credentials, or by exploiting remote access tools like VPNs.

 
