Clorox Cyberattack Continues to Hurt Operations, Shows Intensity of Cyber Risks

Industrial manufacturer Clorox announced this month that it is still experiencing operational disruptions due to a cyberattack that was probably perpetrated by hacking group Scattered Spider. The group is also known as Muddled Libra and UNC3944. In the past, the highly skilled group has targeted two major gambling companies, MGM Resorts and Caesars Entertainment, in addition to at least 52 other attacks last year.

While the details of the Clorox attack remain unclear, the company revealed in a Securities and Exchange Commission (SEC) report in August that its Information Technology (IT) infrastructure was breached. In the report, Clorox stated that it had “identified unauthorized activity on some of its Information Technology (IT) systems.” It revealed that it “implemented workarounds for certain offline operations in order to continue servicing its customers.” Clorox then issued another September 18 report maintaining that the attack “caused widescale disruption of Clorox’s operations,” and that it was not able to “estimate how long it will take to resume fully normalized operations.” The most recent October news release by Clorox did not have an assuring tone. The company was unable to verify that entire operations have recovered, and instead stated that it “believes the cybersecurity attack has been contained.” The company said it is “making progress in restoring its systems and operations,” falling short of declaring a full recovery.

The recent attack demonstrates how supply chain and Information Technology (IT) attacks could devastate production just as effectively as attacks on Operational Technology (OT) systems can disrupt the manufacturing process. Given new SEC regulation, enforcing cyberattack disclosure from September of this year, Clorox had to disclose the attack. These disclosures could severely impact bottom lines and financial statements. Clorox shut down its systems for more than a month, and only started transitioning back to automated orders on September 25. The length of the shutdown points to shortcomings in the company’s cyber hygiene and the absence, or weaknesses, of the company’s attack recovery strategy. Thus, Clorox not only experienced the breach, but also encountered prolonged challenges in maintaining production continuity.

Manufacturers that disregard effective defenses against attacks, especially ransomware, could expect IT disruption spillover to the OT and into the production environment, as seen in the Clorox case. Clorox had to process orders manually due to the attack, leading to a backlog of orders. Slow fulfillment of orders in turn led to financial losses. According to the company’s own estimates, the manufacturer witnessed a 23%-28% drop in sales in its Q1 FY 2024 report, which ended September 30, 2023.

In addition to operational challenges, due to recent SEC disclosure requirements, manufacturers are no longer able to pay ransomware hush money and conceal their vulnerabilities. This means shareholders and investors will take note and plan accordingly, further implicating companies that fall victim to such attacks. Furthermore, SEC guidelines require disclosure within four days of the breach, if the attack has “material” implications. Consequently, breached vendors will not have ample time to devise Public Relations contingency plans, drawing more attention to the nature of these attacks and how a vendor has been compromised. This in turn could translate to reputational damage, legal consequences, loss of business opportunities and even intellectual property breaches if sensitive design or manufacturing information is disclosed.           

Industrial organizations need to initially identify, and then categorize, their networks and assets, to better understand vulnerabilities and evaluate threats in their digital ecosystem. In the case of ransomware attacks, employee training and awareness about phishing schemes and social engineering scams are an imperative that should even include IT specialists. In the case of Clorox, details of the attack are scarce, yet in similar attacks by Scattered Spider, the hackers deployed sophisticated social engineering tactics impersonating employees to access sensitive data through a company’s IT helpdesk.

Manufacturing organizations should also implement network segmentation to hinder lateral movement and allow the isolation of critical systems, in case a breach is successful. Even more importantly, vendors need to design an incident response plan based on an acceptable recovery time objective (RTO) goal. This will allow IT and cybersecurity departments to plan viable strategies to achieve the RTO metric, and therefore avoid month-long shutdowns like the Clorox incident.

As the sophistication and damage of such attacks increase, it might be prudent that large industrial and manufacturing organizations include cybersecurity experts on their boards. This will allow them to better understand the threat environment and more efficiently implement security strategies while being cognizant of business objectives. Ironically, in 2023 Clorox spent $500 million on IT technology ranking 66 on Forbes’ 2023 “America’s Most Cybersecure Companies” list. Clorox does not have a single director with any tech expertise on its twelve-seat board. According to a recent report by Wall Street Journal, only 2.3% of S&P 500 board members have cybersecurity backgrounds.