TOMRA targeted by cyberattack on July 16, 2023
TOMRA was targeted by an extensive cyberattack directly affecting some of the company’s data systems on July 16, 2023. Relevant authorities were informed, and all available internal and external resources were mobilized to contain and neutralize the incident.
The attack was discovered on the morning of July 16th (CET), and immediate actions were taken to stop it and mitigate consequences. We immediately disconnected some systems to contain the attack, and TOMRA is currently assessing whether customers and employees might experience reduced stability in our services. Our primary focus after the discovery was to get all systems up and running again as fast as possible.
TOMRA remained transparent with all stakeholders, and continued to provide updates when we had confirmed information to share.
Cyberattack update: July 17, 2023
Services largely operational
In reference to the release on 17 July 2023 regarding an extensive cyberattack against TOMRA affecting some of the company’s data systems. To contain the attack, we immediately disconnected selected services and have since disconnected others. A team of internal and external resources is working around the clock to resolve the situation, and affected systems will remain offline until it is safe to open them. No new hostile activities have been detected.
Our primary aim is to continue to deliver our services to customers, reducing the impact this attack has on them. The attack currently has limited impact on TOMRA’s customer operations. Most of TOMRA’s digital services are designed to operate offline for a certain amount of time but may have reduced functionality in the interim. A team is working to establish temporary solutions for all digital systems to support keeping customer solutions operational over time.
Status of external services:
- TOMRA Group: Internal IT services and some back-office applications remain offline and affect our supply chain management. Major office locations are offline, and employees are asked to work remotely.
- TOMRA Collection: The reverse vending machines (RVMs) in operation are from different generations. In Europe and Asia the majority continue to work in offline mode, while a limited number of old RVMs are no longer operating. RVMs in Australia and North America remain online and fully connected.
- TOMRA Recycling: Currently operating as usual, but some functionality is limited due to digital services being offline.
- TOMRA Food: Currently operating as usual, but some functionality is limited due to digital services being offline.
We continue to work tirelessly to resolve the situation, and remain in dialogue with relevant authorities. We have not received any contact from those who are behind the attack.
TOMRA will remain transparent with all stakeholders, and we will continue to provide updates on tomra.com when we have confirmed information to share.
Cyberattack update: July 19, 2023
Focus on restoration and service continuity after attack
TOMRA discovered an extensive cyberattack against the company on July 16th affecting some of the company’s data systems. To contain the attack, we have disconnected selected services. A team of internal and external resources is working around the clock to establish temporary solutions and to reestablish normal operations. Affected systems will remain offline until it is safe to operate them.
Development since last update:
- No new hostile activities have been detected.
- Focus is on thorough investigation of the incident and rebuilding our trust infrastructure.
- We continue to strengthen the IT security team and have expanded it with local presence in most major locations and expanded the central incident team.
Status of external services:
- TOMRA Group: Internal IT services and some back-office applications remain offline and affect our supply chain management. Major office locations are offline, but cloud-based Office365 applications run as normal, allowing employees to access them.
- TOMRA Collection: The reverse vending machines (RVMs) in operation are from different generations. In Europe and Asia, most RVMs continue to work in offline mode, while a limited number of older RVMs are no longer operating. In addition, RVMs in the Baltics, as well as some in Asia, are no longer operational due to integral digital services currently being offline. RVMs in Australia and North America remain online and fully connected. The Material Recovery services in North America are impacted by digital services being offline.
- TOMRA Recycling: Our customers' sorters remain unaffected and fully operational. All remote service activities are disconnected and replaced with manual procedures.
- TOMRA Food: Our customers' optical sorting, grading, and post-harvest solutions remain unaffected and fully operational. All remote service activities are disconnected and replaced with manual procedures.
Our primary aim is to continue to deliver our services to customers, minimizing the impact this attack has on them. Most of TOMRA’s digital services are designed to operate offline for a certain amount of time but may have reduced functionality in the interim. A team is working to establish temporary solutions for all digital systems to support keeping customer solutions operational over time.
All employees involved continue to work tirelessly to resolve the situation. The team spirit and commitment from the whole TOMRA team is remarkable. We remain in dialogue with relevant authorities and have not received any contact from those who are behind the attack.
TOMRA will remain transparent with all stakeholders, and we will continue to provide updates on tomra.com when we have confirmed information to share.
Cyberattack update July 20, 2023
Digital services being restored securely
TOMRA discovered an extensive cyberattack against the company on July 16th affecting some of the company’s data systems. To contain the attack, selected services were disconnected. A team of internal and external resources is working around the clock to establish alternative solutions and to reestablish normal operations. Affected systems will remain offline until it is safe to operate them.
Development since last update:
- We have successfully started the process of establishing digital services for our Reverse Vending Machines (RVMs) on a new, independent, cloud-based platform. We started contacting some customers today to get the first batch of RVMs in Europe back online.
- The forensics team is starting to establish a picture of the cause and nature of the attack, but we continue to investigate to identify other potential points of entry and make sure we uncover the full nature of the attack. Further information is provided below.
- No new hostile activities have been detected.
Updated information from the technical team:
What we know about the attack:
- Early Sunday morning TOMRA Security Operations found suspicious activity in our office network, linked to our Montreal location.
- The threat actor gained access to some technical infrastructure systems, allowing them to traverse and access other sites. When this was discovered, TOMRA Security Operations started to proactively shut down services and disconnect sites to limit the attack.
- Initial investigation discovered that this was an ongoing cyber-attack, gaining access through some TOMRA user accounts that were compromised.
- TOMRA Security Operations has identified a number of methods and tools being used in the attack.
- In the current situation, we have found no trace of evidence that TOMRA clients, customers, partners or their systems are at risk from the attack.
- We see no evidence of encryption of data and have not received any ransom claims.
How we work:
- TOMRA has engaged a global cyber response team from Deloitte, assisting in the ongoing investigation and response.
- The cyber response teams are working to migrate some services to new, cloud-based solutions and restore other systems back into a trusted state.
- We will bring back services one by one as they are confirmed to be safe and secure.
Status of external services:
- TOMRA Group: Internal IT services and some back-office applications remain offline and affect our supply chain management. Major office locations are offline, but cloud-based Office365 applications run as normal, allowing employees to access them.
- TOMRA Collection: The process of re-establishing digital services for the reverse vending machines (RVMs) on a new, independent platform has begun. The trusted data center has been receiving data from a growing number of RVMs in Europe. Most RVMs in Europe and Asia remain operational, however, the range of RVMs in operation spans different generations and a limited number of older models are not currently operating. RVMs in Australia and North America remain online and fully connected. The Material Recovery services in North America are also impacted by digital services being offline.
- TOMRA Recycling: Our customers' sorters remain unaffected and fully operational. All remote service activities are disconnected and replaced with manual procedures.
- TOMRA Food: Our customers' optical sorting, grading, and post-harvest solutions remain unaffected and fully operational. All remote service activities are disconnected and replaced with manual procedures.
Our primary aim is to continue to deliver our services to customers, minimizing the impact this attack has on them. Most of TOMRA’s digital services are designed to operate offline for a certain amount of time but may have reduced functionality in the interim. A team is working to establish alternative solutions for all digital systems to support keeping customer solutions operational over time.
All employees involved continue to work tirelessly to resolve the situation and ensure deliveries to our customers. The team spirit and commitment from the whole TOMRA team is remarkable. We strive to ensure that all services are upheld with manual solutions; the main challenge is to ensure service and access to spare parts.
We remain in dialogue with relevant authorities and have not received any contact from those who are behind the attack.
TOMRA will remain transparent with all stakeholders, and we will continue to provide updates on tomra.com when we have confirmed information to share.
Cyberattack update July 25, 2023
Enhanced security measures and continued system recovery after cyberattack
TOMRA discovered a cyberattack against the company on July 16th. Investigation has shown some systems have been affected by the attack and additional systems were proactively disconnected to contain the attack. A team of internal and external resources is working around the clock to establish alternative solutions and to reestablish normal operations.
TOMRA is dedicated to rebuilding the trust infrastructure of the company; working in parallel to establish alternative systems for some services, and cleaning and validating systems for other services.
To increase the security level, the company is also introducing new measures to help users protect themselves and the company’s digital infrastructure.
Development since last update:
- Microsoft has assessed our Office365 environment. TOMRA received a very strong security score. As per recommendations we are implementing further security measures.
- Multi Factor Authentication (MFA) is enforced for all users, temporarily locking the accounts of some users until they have MFA implemented.
- We are currently restoring our ERP solutions, starting with some markets with a few users already active.
- We work continuously to connect more customers to the new, cloud-based system for online services for the Reverse Vending Machines (RVMs) to ensure that the RVMs remain operational. The solution is rebuilt in a clean and trusted environment, with additional security controls implemented to strengthen its resilience. This new system is already available for the RVMs in Norway, the Netherlands and the Baltics and we continue to work to connect RVMs in these markets.
Status of external services:
- TOMRA Group: Internal IT services and some back-office applications remain offline and affect our supply chain management. Major office locations are offline, but cloud-based Office365 applications run as normal, allowing employees to access them.
- TOMRA Collection: Most RVMs in Europe and Asia remain operational, however, unfortunately a limited number of RVMs are not currently operating. RVMs in Australia and North America remain online and fully connected. The Material Recovery services in North America are also impacted by digital services being offline.
- TOMRA Recycling: Our customers' sorters remain unaffected and fully operational. All remote service activities are disconnected and replaced with manual procedures.
- TOMRA Food: Our customers' optical sorting, grading, and post-harvest solutions remain unaffected and fully operational. All remote service activities are disconnected and replaced with manual procedures.
Our primary aim is to continue to deliver our services to customers, minimizing the impact this attack has on them. Most of TOMRA’s digital services are designed to operate offline for a certain amount of time but may have reduced functionality in the interim. A team is working to establish alternative solutions for all digital systems to support keeping customer solutions operational over time.
TOMRA is working with external partners to do a complete review of relevant systems and have third party verification of the integrity of systems and equipment. The first one is now completed with an independent expert review from Microsoft on services that run on their platforms. Verification of these systems is an important step in documenting the integrity of the company’s digital platform.
TOMRA’s team is working tirelessly to manage the situation. In addition, the company is supported by a global team from Deloitte ensuring senior competence and resource availability globally. The team will continue to work until the situation is resolved.
Cyberattack update July 27, 2023
TOMRA shares new findings as cyberattack investigation progresses
TOMRA discovered a cyberattack against the company on July 16th. Investigation has shown some systems have been affected by the attack and additional systems were proactively disconnected to contain the attack. A team of internal and external resources is working around the clock to establish alternative solutions and to reestablish normal operations.
Today we are releasing additional information about the nature of the cyberattack. The status of our external services remains similar to the last update on July 25th, and we have continued to make progress reconnecting RVMs. TOMRA continues to deliver our services to customers, minimizing the impact this attack has on them.
We are still investigating the cyberattack and will continue to provide information as we progress with the investigation and recovery. So far, Microsoft has analyzed the Azure platform and we have onsite and central investigator teams from Deloitte and TOMRA in Norway, USA, Canada, Germany and New Zealand. In this update we are sharing what we currently know, and we underline that it does not give a full and final picture of what has happened.
Target of the attack
Based on the investigation we have done so far, we see that the threat actor targeted the TOMRA domain and TOMRA internal systems. We have not identified that any TOMRA customers have been targeted or compromised. No confidential information has been identified as leaked, and we see no evidence of encryption of data, nor have we received any ransom claims.
Timeframe of the attack
Our investigations currently show that the threat actor was in their reconnaissance phase July 10th and initiated the operational phase July 15th. Sunday, July 16th 05:51 CET, TOMRA Security Operations detected suspicious activity linked to our Montreal location. When this was discovered, TOMRA Security Operations started to proactively shut down services and disconnect sites to contain the attack.
Development of the attack
We have identified that the threat actor escalated privileges and used Windows built-in tools to traverse laterally and perform malicious operations on target systems. This included creating backdoors and changing passwords. During the investigations we have identified technical indicators for tools used by the threat actor, and we have developed an understanding of the techniques for exploiting our systems.
Investigation
Origin and identity of the attackers is not concluded, but we have leads we are following. We are working with authorities and regulators in relevant markets.
Some technical details about the attack
- The threat actor has used built-in Windows functionality, malicious PowerShell payloads and malicious binaries to exploit systems and to create command and control channels.
- Malicious activities have been identified in the following areas: on-premise Windows and VMware environments, and in Azure. Currently identified affected on-premise systems are in Canada, US and Norway.
- Some examples of tools used by the threat actor are legitimate passwords, cold boot attacks and back door applications.
TOMRA’s team is working tirelessly to manage the situation. In addition, the company is supported by a global team from Deloitte ensuring senior competence and resource availability globally. The team will continue to work until the situation is resolved.
Cyberattack update July 31, 2023
Steady progress in the aftermath of the cyberattack
In the face of the cyberattack that TOMRA discovered on July 16th, the company has managed to keep most services and equipment operational under challenging circumstances. Connections to online services continue to be re-established, bringing the company on a path toward normal operations.
“With a focused and dedicated team of internal and external resources working around the clock, TOMRA is making significant strides towards restoring normal operations and online connections for all services,” says Tove Andersen, President and CEO of TOMRA.
An internal investigation has revealed the extent of the attack, prompting the company to embark on a comprehensive effort to reinforce and rebuild its trust infrastructure. Despite the operational challenges, TOMRA is diligently working to establish alternative systems for some services while thoroughly validating others. The ongoing investigation has revealed the impact on several systems within the organization. However, there is no evidence that any of TOMRA’s customers or partners have been targeted or compromised. No confidential information has been identified as leaked, there is no evidence of encryption of data, and TOMRA has not received any ransom demand.
“We have faced an unprecedented challenge, and it has been remarkable to witness the commitment and vigilance displayed by our team as they work to support our customers,” says Andersen. “Though we've had to implement workarounds and revert to manual procedures in some cases, the dedication of our employees and the support of our customers and partners has enabled most of our services and equipment to continue functioning.”
The internal investigation has identified that the threat actor escalated privileges and used Windows built-in tools to traverse laterally and perform malicious operations on target systems. This included creating back doors and changing passwords. During the investigations, TOMRA has identified technical indicators for tools used by the threat actor and has developed an understanding of the techniques used to exploit the systems.
TOMRA took preventative measures to digitally disconnect equipment such as reverse vending machines (RVMs), and administrative systems until they had been assessed as unaffected or connected to newly verified, secure systems.
"We acted swiftly to disconnect systems interacting with customers and have made significant progress restoring systems within the first three weeks," Andersen adds. "Our priority is to safely restore and rebuild services to our customers in the markets we serve."
TOMRA is collaborating with external partners to conduct a thorough review of all relevant systems to ensure the integrity of the company's digital platform. Microsoft has already completed an independent expert review of all services running on their platforms and the security rating received is very strong. TOMRA has further increased security by deploying additional security settings and utilizing advanced features on the Microsoft platform.
“TOMRA is determined to fortify its defenses against cyber threats. While there is still work ahead of us, we are encouraged by the progress we have made so far. An independent, secured, and verified IoT environment has been receiving data from a growing number of RVMs over the last two weeks. 82% of all RVMs affected by our proactive response to the cyberattack are now back online. Our sorting and grading equipment in the Food and Recycling divisions remain fully operational and unaffected by the attack,” Andersen adds.
TOMRA’s team is working continuously to manage the situation and the company is supported by a global team from Deloitte. More information will be uncovered about the attack as the forensics investigation continues and there could be some setbacks along the way, however, TOMRA is prepared to meet these challenges.
TOMRA remains resolute in its mission to enable a world without waste and reaffirms its commitment to safeguarding its operations and the trust of its valued partners and customers.
"Cyberattacks are a serious threat to digitalized societies and businesses. At TOMRA, we are dedicated to collaborating with relevant parties and sharing insights gained from our experience. Our focus on transparency and knowledge-sharing strengthens our defense against future threats, fostering a more resilient digital landscape for all," Andersen concludes.
Cyberattack update August 11, 2023
TOMRA nears completion of cyberattack investigation and restores services
TOMRA discovered a cyberattack against the company on July 16th and has managed to keep most services and equipment operational under challenging circumstances. Connections to online services continue to be reestablished, bringing the company on a path toward normal operations.
TOMRA has worked continuously since the attack, and is very grateful for all employees, partners and customers who have supported us through these challenging weeks.
We are coming to the end of the cyberattack investigation and now have a good overview of what happened. We described the nature of the attack on July 27th.
Status of external services:
- TOMRA Group: Work continues to establish alternative systems for some services while at the same time we are rebuilding and restoring many others. Each day we have more people connected to the restored and rebuilt internal systems with strengthened security measures built in.
- TOMRA Collection: 86% of all affected reverse vending machines (RVMs) have been successfully reconnected to our independent, trusted TOMRA Connect environment with more machines coming online as we continue to work closely with customers to reestablish connections. Most RVMs in Europe and Asia remain operational and we are continuously working to connect all machines. RVMs in Australia and North America remain online and fully connected.
- TOMRA Recycling: Customers' sorters remain unaffected and fully operational. There are still manual workarounds in place, but we have started to gradually restore remote connections to our systems.
- TOMRA Food: Customers' optical sorting, grading, and post-harvest solutions remain unaffected and fully operational. There are still manual workarounds in place, and we have not yet restored remote connections to our systems.
TOMRA continues to deliver our services to customers, minimizing the impact this attack has on them. TOMRA remains resolute in its mission to enable a world without waste and reaffirms its commitment to safeguarding its operations and the trust of its valued partners and customers.
Cyberattack update August 18, 2023
TOMRA nearing normal operations after cybersecurity incident
TOMRA discovered a cyberattack against the company on July 16th and has managed to keep most services and equipment operational under challenging circumstances. Connections to online services continue to be re-established, bringing the company on a path toward normal operations. From now TOMRA will reduce the frequency of updates and only release information if there is substantial new information to share.
TOMRA has worked continuously since the attack, and is very grateful for all employees, partners and customers who have supported us through these challenging weeks.
We are coming to the end of the cyberattack investigation and now have a good overview of what happened. We described the nature of the attack on July 27th, more information can be found here.
Status of external services:
- TOMRA Group: Work continues to establish alternative systems for some services while at the same time, we are rebuilding and restoring many others. Each day, more employees are connected to the restored and rebuilt internal systems with strengthened security measures built in.
- TOMRA Collection: 86% of all affected reverse vending machines (RVMs) have been successfully reconnected to our independent, trusted TOMRA Connect environment with more machines coming online as we continue to work closely with customers to reestablish connections. Most RVMs in Europe and Asia remain operational and we are continuously working to connect all machines. RVMs in Australia and North America remain online and fully connected.
- TOMRA Recycling: Customers' sorters remain unaffected and fully operational. There are still manual workarounds in place, but we have started to gradually restore remote connections to our systems.
- TOMRA Food: Customers' optical sorting, grading, and post-harvest solutions remain unaffected and fully operational. There are still manual workarounds in place, and we have not yet restored remote connections to our systems.
TOMRA continues to deliver our services to customers, minimizing the impact this attack has on them. TOMRA remains resolute in its mission to enable a world without waste and reaffirms its commitment to safeguarding its operations and the trust of its valued partners and customers.
Cyberattack update September 1, 2023
TOMRA completes cyberattack investigation and strengthens security
TOMRA discovered a cyberattack against the company on July 16th and has managed to keep most services and equipment operational under challenging circumstances. Connections to online services continue to be reestablished, bringing the company on a path toward normal operations. From now TOMRA will reduce the frequency of updates and only release information if there is substantial new information to share.
TOMRA has worked continuously since the attack, and is very grateful for all employees, partners and customers who have supported us through these challenging weeks.
We have now completed the cyberattack investigation and have a good overview of what happened. We described the nature of the attack on July 27th, more information can be found here.
TOMRA is rebuilding and our cyber resilience strategy has accelerated due to the attack. TOMRA will become stronger and more robust, and we have taken important steps by implementing the following:
- Migration to a Zero Trust Architecture
- Enhanced internet access control with full traffic inspection
- Centralized vetting process of computers before allowing reconnection to systems
- Identity protection with reinforced Multi Factor Authentication requirement and password rotation for all users
Status of external services:
- TOMRA Group: Work and progress continue as we rebuild and restore systems and services. Each day, more employees are connected to internal systems and all critical users now have access to our ERP system.
- TOMRA Collection: Most RVMs affected by the cyberattack have been successfully connected to new, trusted infrastructure and we are working closely with customers to reconnect the remainder. We have seen significant progress in our efforts to restore additional systems and, step by step, continue on our path towards the resumption of normal business operations.
- TOMRA Recycling: Customers' sorters remain unaffected and fully operational. There are still manual workarounds in place, but we have made significant progress in gradually activating our systems and continue restoring remote connections to your systems.
- TOMRA Food: Customers' optical sorting, grading, and post-harvest solutions remain unaffected and fully operational. There are still manual workarounds in place, and we have started restoring remote connections to our systems.
TOMRA continues to deliver our services to customers, minimizing the impact this attack has on them. TOMRA remains resolute in its mission to enable a world without waste and reaffirms its commitment to safeguarding its operations and the trust of its valued partners and customers.