Molson Coors Cracks Open a Cyberattack Investigation

The multinational brewing company did not say what type of incident caused a ‘systems outage,’ but it’s investigating and working to get networks back online.

Another high-profile company has been hit with a cyber attack that’s causing a major disruption to its business. Brewing company Molson Coors acknowledged on Thursday that it has “experienced a systems outage that was caused by a cybersecurity incident,” according to a Form 8-K filed with the SEC.

The company did not say which type of attack has caused widespread issues across its entire business — including its brewery operations, production and shipments — but given recent major attacks on other mainstream companies, security experts are speculating that it could have been a ransomware attack.

Molson Coors has employed forensic IT firms and legal counsel to investigate and “is working around the clock to get its systems back up as quickly as possible,” according to the filing.

The company operates seven breweries and packaging plants in the United States, as well as three in Canada and 10 in Europe. It produces several brands of beer in addition to its namesake, including Blue Moon, Miller Lite and Pilsner Urquell.

Potential Ransomware Attack

“High-profile attacks are becoming all too common, as attackers have realized they are immensely more profitable when they target large organizations and disrupt their critical business operations — in this case, the brewing operations of the world’s biggest, well-known beer brands,” observed Edgard Capdevielle, CEO at Nozomi Networks, in an email to Threatpost.

Although the company hasn’t released specific details of the incident, given the seriousness of the disruption and recent cyberattack activity, “it could be ransomware,” he said.

Tony Lambert, intelligence analyst at Red Canary, noted that the impact of ransomware of operations like Molson Coors can be much more damaging than it would be for other kinds of enterprises.

“For manufacturing organizations, ransomware poses a major threat to data and system availability,” he said via email. “Not only do corporate systems lose access to data, systems managing the manufacturing process may come to a halt as well, preventing the successful production and even delivery of products. This obviously presents a huge problem for companies that sell the products: Every hour their lines are down can mean major profit losses.”

This type of situation should be factored into an organization’s incident response and business-continuity plans, Capdevielle added: “Beyond a technical response, decision-makers need to be prepared to weigh the risks and consequences of alternate actions.”

Those actions could be both on the part of Molson itself — i.e., paying the ransom, which security experts tend to discourage — or further nefarious activity by attackers, such as dumping information obtained from the attack online or maintaining a persistent presence on a system.

Ransomware Attacks Ramp Up in 2021

Indeed, a number of ransomware groups have been active recently, with several large organizations falling victim and suffering disruption due to attack activity.

Several of these ransomware attacks have happened just within the last month. For instance, the Spanish State Employment Service (SEPE) was recently hit by a Ryuk ransomware attack, suspending its communications systems across hundreds of offices and delaying thousands of appointments. And, Kia Motors was disrupted by a ransomware attack in February for which known attackers DoppelPaymer took credit.

Meanwhile, WestRock – the second-largest packaging company in the U.S, that counts General Motors, Heinz and Home Depot as customers – also had its business disrupted by a ransomware attack in February. And Finnish IT giant TietoEVRY also was a victim of a ransomware attack last month.

Known ransomware groups that have been linked to recent attacks include the aforementioned DoppelPaymer and Ryuk; the Clop ransomware gang, which was tied to recent global zero-day attacks on users of the Accellion legacy File Transfer Appliance product; and HelloKitty, which is suspected to be behind the attack of CD Projekt Red — the videogame-development company behind Cyberpunk 2077 — which also happened in February.

Another potential culprit for the Molson Coors attack could be related to an onslaught of attacks by Chinese and other advanced persistent threat (APT) groups on recently patched Microsoft Exchange vulnerabilities. The flaws are under fire from at least 10 different APTs, all focused on compromising email servers around the world, with researchers observing a snowball of exploitation activity.

To avoid cyberattacks from taking down entire operations and causing significant business disruptions, Capdevielle made a number of cybersecurity best-practice suggestions, including strong segmentation, user training, proactive cyber-hygiene programs, multifactor authentication and the use of continuously updated threat intelligence, he said.

Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:


Suggested articles