Foxconn Ransomware Attack Exposes 11M Files From Apple

Synthesized from 5 sources

Electronics manufacturing giant Foxconn confirmed Monday that ransomware hackers breached its North American facilities, with the Nitrogen group claiming to have stolen over 11 million files containing confidential data from major tech clients including Apple, Google, Nvidia, and Dell. According to Foxconn’s statement, the cyberattack affected multiple factories, which are “currently resuming normal production.”

Scale of the Foxconn Breach

The Nitrogen ransomware group posted evidence of the attack on its dark web leak site, claiming to have exfiltrated 8 terabytes of sensitive data from Foxconn’s systems. TechCrunch reported that the stolen files allegedly include product schematics, project guidelines, and bank statements from high-profile customers.

As proof of the breach, the hackers published screenshots showing what appear to be internal product documentation and customer data. The attackers specifically named Apple, Dell, Google, Intel, Nvidia, and Sony among the affected clients whose confidential information was allegedly compromised.

Nitrogen operates as a double-extortion ransomware group, meaning it steals victim data before deploying the ransomware and then encrypts the victim’s files. This dual approach gives the group two leverage points for monetizing attacks: demanding payment for decryption keys and threatening to leak stolen data if ransoms aren’t paid.

Foxconn’s Critical Supply Chain Role

Foxconn’s position as a key manufacturing contractor makes it an especially attractive target for ransomware groups seeking maximum impact. According to Wired, the company manufactures electronic components and complete devices for major tech companies, including Apple’s iPhones.

“Ransomware groups are increasingly targeting victims that can impact the supply chain, whether it is physical or software,” Allan Liska, a threat intelligence analyst at Recorded Future, told Wired. “So it’s unsurprising that a company like Foxconn would be targeted, since it does manufacturing and holds sensitive data for so many companies around the world.”

The attack highlights the vulnerability of global supply chains, where a single breach can potentially expose intellectual property and sensitive data from multiple major corporations simultaneously. Foxconn’s manufacturing operations span multiple continents, making it a repository for diverse client information and proprietary manufacturing processes.

Wave of Supply Chain Security Incidents

The Foxconn attack comes amid a broader pattern of cybersecurity incidents targeting technology supply chains. SecurityWeek reported that Checkmarx recently dealt with a supply chain attack where hackers published malicious versions of its Jenkins AST plugin to the Jenkins Marketplace.

The Checkmarx incident was linked to the TeamPCP hacker gang, which accessed the company’s repositories in March and published malicious artifacts. The attack later involved the Lapsus$ extortion group, which publicly released data allegedly stolen from Checkmarx’s GitHub repositories.

Cybersecurity firm Trellix also confirmed a breach of its source code repository, with the RansomHouse group claiming responsibility. According to SecurityWeek, RansomHouse published screenshots showing access to Trellix’s internal services and management dashboards, though the company stated it found “no evidence that our source code release or distribution process was affected.”

Pharmaceutical Sector Also Targeted

The ransomware threat extends beyond technology companies to critical industries like pharmaceuticals. West Pharmaceutical Services disclosed to the SEC that it suffered a ransomware attack on May 4, which prompted a “proactive shutdown and isolation of affected on-premise infrastructure.”

SecurityWeek reported that the attack disrupted West Pharmaceutical’s global business operations, though the company has since restored core enterprise systems and restarted critical shipping, receiving, and manufacturing processes at some sites. The attackers exfiltrated data before deploying ransomware, and the company retained Palo Alto Networks’ Unit 42 team for incident response.

West Pharmaceutical told the SEC it “has taken steps intended to mitigate the risk of dissemination of the exfiltrated data,” language that typically indicates ransom negotiations. The company has not disclosed the financial impact of the attack or identified the responsible ransomware group.

Nitrogen Group’s Growing Activity

The Nitrogen ransomware group emerged in 2023 and has shown steady activity with notable spikes at the end of 2024. According to Wired, the group typically targets victims in North America and Western Europe and has connections to the notorious ALPHV/BlackCat ransomware operation.

Ian Gray, vice president of intelligence at Flashpoint, told Wired that while Nitrogen has been active since 2023, the security company’s first observation of their activity was in 2024, targeting Control Panels USA. The group’s focus on supply chain targets aligns with broader ransomware trends toward maximizing disruption and leverage.

The timing and targeting of recent attacks suggest coordinated efforts by multiple ransomware groups to exploit supply chain vulnerabilities, with particular focus on companies that hold sensitive data from multiple high-value clients.

What This Means

The Foxconn breach underscores the cascading risks inherent in modern technology supply chains, where a single compromise can expose confidential data from dozens of major corporations. The 11 million files allegedly stolen represent not just Foxconn’s intellectual property, but potentially sensitive product development information from Apple, Google, Nvidia, and other tech giants.

This incident, combined with recent attacks on Checkmarx, Trellix, and West Pharmaceutical, reveals ransomware groups’ strategic shift toward supply chain targets that offer maximum leverage. Companies that serve as critical infrastructure or hold data for multiple high-value clients present attractive targets for double-extortion schemes.

The wave of attacks also highlights the interconnected nature of cybersecurity risks in the technology sector, where a breach at one company can potentially impact the competitive positioning and intellectual property of numerous others. Organizations across the supply chain must reassess their third-party risk management and incident response capabilities in light of these evolving threats.

FAQ

What data did hackers steal from Foxconn?

The Nitrogen ransomware group claims to have stolen over 11 million files totaling 8 terabytes of data, including product schematics, project guidelines, and bank statements from major clients like Apple, Google, Nvidia, and Dell. The hackers published screenshots as proof, showing what appear to be internal product documentation and customer information.

Why are ransomware groups targeting supply chain companies?

Supply chain companies like Foxconn hold sensitive data from multiple high-value clients, making them attractive targets for maximum leverage in extortion schemes. A single breach can potentially expose intellectual property from dozens of major corporations, giving ransomware groups more negotiating power and higher potential payouts than targeting individual companies.

How does double-extortion ransomware work?

Double-extortion ransomware groups like Nitrogen steal victim data before deploying the ransomware and then encrypt the victim’s files. This gives them two leverage points: demanding payment for decryption keys and threatening to leak stolen data publicly if ransoms aren’t paid. This strategy significantly increases the pressure on victims to pay, as data exposure can cause lasting reputational and competitive damage beyond operational disruption.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.