Mountain background with Orbit

TOMRA's swift response paves the way for normalization after cyberattack

TOMRA's CEO, Tove Andersen, reflects on lessons learned and the company's enhanced security measures.  
5 min

On July 16th, TOMRA faced an extensive cyberattack that temporarily disrupted its digital infrastructure. The company promptly isolated affected systems, limiting the attack's impact and ensuring the safety of its data. Manual workarounds have kept the company operational while systems have been validated and restored. Two months on, TOMRA is progressing well toward normal operations.

Though the attack was extensive, forensic analysis indicates that the swift containment measures significantly curtailed potential damage. Importantly, there is no evidence of confidential data leakage or data encryption, and no ransom demands were made. TOMRA continues to collaborate with relevant authorities and regulators in its markets to address the incident.

TOMRA's President and CEO, Tove Andersen, expresses her admiration for the resilience and dedication demonstrated by the company's employees throughout this challenging period. "We have faced an unprecedented challenge, and it has been remarkable to witness the commitment and vigilance displayed by our team as they work to support our customers,” Andersen says.

Throughout the period, TOMRA has continued to produce and deliver equipment and services, limiting the impact of the attack on customers. Most customer services and machines have remained operational despite initially being disconnected from TOMRA's domain to contain the attack. Connections to online services have been reestablished as systems have been validated and restored or rebuilt with strengthened security measures. 

Despite disruptions and manual workarounds, the cyberattack has not had any significant impact on sales, service, or production. Diverting resources to the recovery has resulted in some delays in the innovation pipeline as well as the cash flow due to postponed invoicing. The incident is not expected to have material impact on revenues, but it has incurred one-off costs of NOK 120 million so far, which will be recognized in the third quarter of 2023. The costs relate to the cyberattack response and improvements in the company's cyber security. Additional costs are expected to be booked in the fourth quarter.

Key findings from the forensics report

  • The investigation confirmed that the threat actor commenced their reconnaissance phase on July 10th and transitioned into the operational phase on July 15th. On Sunday, July 16th, at 05:51 CET, TOMRA Security Operations detected suspicious activity, prompting proactive measures to shut down services and disconnect sites to contain the attack.
  • The threat actor specifically targeted the TOMRA domain and internal systems, with no evidence indicating any TOMRA customers were targeted or compromised. There was no identification of leaked confidential information, encryption of data, or any ransom demands.
  • The threat actor employed escalated privileges and leveraged Windows built-in tools to navigate laterally and execute malicious operations on target systems. This included the creation of back doors and password modifications. The investigation revealed technical indicators for tools used by the threat actor, shedding light on their techniques for exploiting TOMRA's systems.
  • Noteworthy tools and methods utilized by the threat actor included built-in Windows functionality, malicious PowerShell payloads, and malicious binaries, enabling the establishment of command-and-control channels. Malicious activities were identified in various areas, encompassing on-premise Windows and VMware environments, as well as the Azure platform.

Cyberattacks are a serious threat to digitalized societies and businesses and I am grateful that we were able to stop the attack before any serious damage was done. However, this was an eye opening and humbling experience and still today we have many colleagues dealing with the consequences of the attack.

Tove Andersen, TOMRA President and CEO
Tove Andersen TOMRA President and CEO

Rebuilding

The cyberattack TOMRA experienced has required a careful rebuild of the complete IT infrastructure across the global organization. This has included rebuilding our core data centers, vetting of more than five thousand user accounts and reworking and reestablishing underlying IT and network infrastructure. In addition, we have ensured that all IT devices in use are not compromised as well as increased security measures around our assets.

“We have taken measures to implement one of the most modern and secure cyber security architectures – a so called Zero Trust architecture – to prevent future disruptions and to protect ourselves, our customers, partners, and suppliers. I would like to express my sincere gratitude toward all our supportive and trusting stakeholders during these challenging times," Andersen says.

At TOMRA, we are dedicated to collaborating with relevant parties and sharing insights gained from our experience. Our focus on transparency and knowledge-sharing strengthens our defense against future threats, fostering a more resilient digital landscape for all," Andersen concludes.

Lessons learned and changes made

The cyberattack on TOMRA serves as a potent reminder of the critical lessons that both the TOMRA organization and others must heed in the face of evolving cyber threats. Swift and proactive vigilance, combined with early detection and containment, emerged as paramount strategies for mitigating potential damage. This incident prompted TOMRA to prioritize the enhancement of its cyber resilience and accelerate investments in infrastructure security.

Furthermore, we believe there are several valuable takeaways that can benefit others in similar situations. Employee awareness plays a pivotal role and did so for TOMRA in this instance; providing comprehensive training and emphasizing the importance of vigilance are essential components. Additionally, having well-thought-out recovery and backup plans in place, along with training for operating without systems or using alternative communication methods, is crucial.

Defining your minimum viable company and prioritizing critical applications provides a clear starting point for recovery efforts. Establishing a defined incident recovery structure and procedure is essential, as incidents can often last longer than initially expected. Learning from the experiences of others and seeking support from individuals with relevant expertise can be invaluable.

Regular and transparent communication with stakeholders, as well as early planning to regain trust, are vital aspects of navigating such incidents successfully. Additionally, TOMRA has accumulated a wealth of technical insights regarding design and setup, which we are eager to share with others in the cybersecurity community.

Throughout the incident, TOMRA's interaction with its customers and collaborative engagement with authorities as well as external experts contributed to the successful handling of the situation. The lessons learned from this experience we believe provides valuable guidance for businesses worldwide as they navigate the ever-evolving landscape of cybersecurity.

"As I reflect on the past two months, I am grateful to acknowledge that we upheld the commitment made at the beginning of this challenging situation: to emerge as a stronger company, resolute in our mission to create a more sustainable world. Thanks to our dedicated team, we have fortified our company, ensuring it stands stronger than ever before,” Andersen concludes.

This is the final dedicated update from TOMRA on the cyberattack however if you have any questions, please email TOMRA at [email protected].