[This article originally ran Sept. 27, 2023. Clorox expects operational impacts from the cyberattack to continue into Q2, though the majority of order processing operations have returned to automated processes. The company continues to assess impacts of the attack on the remainder of FY 2024.]
The days of manufacturers quietly cleaning up from the damage of successful cyberattacks and their financial ramifications are over, and shareholders are paying attention.
Clorox on August 14 disclosed via an SEC filing that the company had “identified unauthorized activity on some of its Information Technology (IT) systems” that was “expected to continue to cause disruption to parts of the Company’s business operations.”
Then, on September 18, Clorox filed another SEC report stating it believed the hack was contained but was resulting in slower production rates and “an elevated level of consumer product availability issues.” News of the filing spread widely throughout the press, and Clorox’s stock price dropped roughly 2% between market close on September 18 and market open the following day.
It’s a textbook example of why no company wants to advertise a cybersecurity breach, and it also suggests why manufacturers are so likely to pay ransomware bounties to make the problem go away. But Clorox’s disclosures are in keeping with new SEC rules that require disclosure of material cybersecurity incidents within four days of the incident.
“If it weren’t for the new SEC rules, it’s likely that this attack wouldn’t be making headlines right now. The incident was originally disclosed in August, but Clorox is just now disclosing that it will have material impact because of the new rules that went into effect on September 5th,” says Chaz Lever, senior director of security research at cybersecurity firm Devo.
“They’re one of the first companies to have to do this, and it’s definitely uncharted territory, which is why Clorox's string of updates and bulletins are drawing attention. Business leaders are watching and wanting to know how this is going to play out because they don't want to find themselves in a potentially similar state of confusion in the future,” Lever adds.
Cybersecurity Hygiene Matters
The Clorox hack may demonstrate the value of heeding cybersecurity experts’ most common recommendations: keep your digital house clean and disinfected. That means, for instance, training employees to recognize social engineering, including the ways threat actors might try to trick them into giving up usernames and passwords, and mandating minimum acceptable password complexity and password changes at specific intervals.
According to multiple reports, social engineering is one of the most common attack vectors used by threat actors, and cyberattacks against manufacturers very often involve ransomware. Both seem to apply to the Clorox breach.
“Clorox’s attack has all the hallmarks of a ransomware attack. This is all part of an ever-growing threat on social engineering combined with ever more evasive and adaptive attack techniques and tactics,” says Mark Guntrip, senior director of cybersecurity strategy for Menlo Security.
“From the information we have, it’s very likely that the same threat actors [the UNC3944 or Roasted 0ktapus groups] behind some of the recent business-disrupting breaches [in the travel industry] might also have had a hand in this incident. If that’s the case, I would imagine that the adversaries used social engineering tactics to gain access to the company’s systems,” says Tyler Farrar, CISO at Exabeam.
“This likely would have either: A, allowed them to promptly deploy ransomware or B, Clorox locking down all systems before the ransomware could spread, resulting in immediate disruption to the business. As a result, the supply chain was disrupted which leads to backups in manufacturing and shipping,” adds Farrar.
Pivotal aspects of cybersecurity hygiene include contingency plans to limit the damage in the event of an IT system compromise and the need for data backups and redundancy to aid in speedy recovery.
“The fact that it will take Clorox more than a month to recover normal operations is not a good sign. It indicates to me that the adversary was able to penetrate the backbone of Clorox operations and impact multiple systems throughout the Clorox environment,” says Avishai Avivi, CISO at cybersecurity firm SafeBreach.
“While Clorox indicated in their August notification that they have activated their Business Continuity Plan (BCP), the fact that they have still not recovered full operational capability indicates that their BCP was not complete and did not account for this particular type of disruption. If it did, then the indication is that Clorox may have failed to exercise and test its BCP. A good BCP should have a good indication of a Recovery Time Objective (RTO). RTOs are typically measured in hours, potentially days. It is very rare that an RTO will be longer than a month,” continues Avivi.
The specific nature of Clorox’s business adds wrinkles to the process of spinning production back up to normal levels.
“What makes this incident special is it involved changes to [GxP] regulated systems that have to be completely shut down and rigorously tested before production can be resumed. Resuming production itself is a very long process and can only begin after the incident has been resolved, the investigation completed, the necessary controls implemented or changed, and the relevant software updates have been written, tested, and deployed,” says Nick Ascoli, founder and CTO at Foretrace.
Hack Recovery Ongoing
In its September 18 filing, Clorox stated it was repairing damaged infrastructure and bringing systems back online and expected a return to normal automated order processing this week.
“We expect the ramp-up to full production to occur over time but do not yet have an estimate for how long it will take to resume fully normalized operations,” a Clorox representative tells IndustryWeek.
“Recovery periods from ransomware can fluctuate due to various factors such as encryption, forensic investigations and system building. Given that Clorox was still in the midst of its forensic investigation, it might have contributed to a more prolonged financial impact and supply chain disruption,” says Farrar.
The Clorox hack may serve as an object lesson beyond validating common cybersecurity guidance, showing how manufacturers need to handle successful hacks in the new reporting environment created by the September 5 change in SEC reporting guidelines.
“It’s commendable that Clorox disclosed this incident just three days after discovering the breach. Clorox’s transparency is a testament to its strong crisis management policies and its commitment to learning from the incident. While any organization can become a target of such an attack, how it handles the response will make or break its reputation in the future,” says Farrar.
[ Editor's note: this updates the story that originally ran on September 27, 2023.]