TOMRA: Steady progress in the aftermath of a cyberattack

In the face of the cyberattack that TOMRA discovered on July 16th, the company has managed to keep most services and equipment operational under challenging circumstances. Connections to online services continue to be re-established, bringing the company on a path toward normal operations.

“With a focused and dedicated team of internal and external resources working around the clock, TOMRA is making significant strides towards restoring normal operations and online connections for all services,” says Tove Andersen, President and CEO of TOMRA.

An internal investigation has revealed the extent of the attack, prompting the company to embark on a comprehensive effort to reinforce and rebuild its trust infrastructure. Despite the operational challenges, TOMRA is diligently working to establish alternative systems for some services while thoroughly validating others. The ongoing investigation has revealed the impact on several systems within the organization. However, there is no evidence that any of TOMRA’s customers or partners have been targeted or compromised. No confidential information has been identified as leaked, there is no evidence of encryption of data, and TOMRA has not received any ransom demand.

"We have faced an unprecedented challenge, and it has been remarkable to witness the commitment and vigilance displayed by our team as they work to support our customers," says Andersen. “Though we've had to implement workarounds and revert to manual procedures in some cases, the dedication of our employees and the support of our customers and partners has enabled most of our services and equipment to continue functioning."

The internal investigation has identified that the threat actor escalated privileges and used Windows built-in tools to traverse laterally and perform malicious operations on target systems. This included creating back doors and changing passwords. During the investigations, TOMRA has identified technical indicators for tools used by the threat actor and has developed an understanding of the techniques used to exploit the systems.

TOMRA took preventative measures to digitally disconnect equipment such as reverse vending machines (RVMs), and administrative systems until they had been assessed as unaffected or connected to newly verified, secure systems.

"We acted swiftly to disconnect systems interacting with customers and have made significant progress restoring systems within the first three weeks," Andersen adds. "Our priority is to safely restore and rebuild services to our customers in the markets we serve."

TOMRA is collaborating with external partners to conduct a thorough review of all relevant systems to ensure the integrity of the company's digital platform. Microsoft has already completed an independent expert review of all services running on their platforms and the security rating received is very strong. TOMRA has further increased security by deploying additional security settings and utilizing advanced features on the Microsoft platform.>/p>

"TOMRA is determined to fortify its defenses against cyber threats. While there is still work ahead of us, we are encouraged by the progress we have made so far. An independent, secured, and verified IoT environment has been receiving data from a growing number of RVMs over the last two weeks. 82% of all RVMs affected by our proactive response to the cyberattack are now back online. Our sorting and grading equipment in the Food and Recycling divisions remain fully operational and unaffected by the attack,” Andersen adds.

TOMRA’s team is working continuously to manage the situation and the company is supported by a global team from Deloitte. More information will be uncovered about the attack as the forensics investigation continues and there could be some setbacks along the way, however, TOMRA is prepared to meet these challenges.

TOMRA remains resolute in its mission to enable a world without waste and reaffirms its commitment to safeguarding its operations and the trust of its valued partners and customers.

"Cyberattacks are a serious threat to digitalized societies and businesses. At TOMRA, we are dedicated to collaborating with relevant parties and sharing insights gained from our experience. Our focus on transparency and knowledge-sharing strengthens our defense against future threats, fostering a more resilient digital landscape for all," Andersen concludes.