Nitrogen Ransomware Gang Claims Major Breach of Foxconn's North American Facilities
The Nitrogen ransomware gang has claimed responsibility for a cyberattack on Foxconn's North American facilities, allegedly exfiltrating over 11 million files including sensitive client data from Apple, Nvidia, and Google.
Foxconn, the world's largest contract electronics manufacturer, has confirmed that a malicious cyberattack disrupted operations at several of its North American facilities. In a brief statement to Dark Reading, the company stopped short of calling the incident a ransomware attack and did not disclose the full scope or impact of the breach. However, the ransomware group Nitrogen has claimed credit for the attack on its leak site, according to threat intelligence firm Hackmanac.
Nitrogen claims to have exfiltrated more than 11 million files, totaling approximately 8 TB of data, from Foxconn's systems. The stolen data allegedly includes confidential instructions, internal project documentation, and technical drawings related to projects for major clients such as Intel, Apple, Google, Dell, and Nvidia. Hackmanac's CEO Sofia Scozzari told Dark Reading that sample files uploaded by Nitrogen include Foxconn financial records, engineering schematics, motherboard and PCB diagrams, server platform documentation, and manufacturing process documents. The exposed materials also reference confidential technical documentation associated with JPMorgan Chase, Google, Intel, NVIDIA, AMD, ASPEED, Renesas, Hewlett Packard Enterprise, and Tencent.
Foxconn's statement confirmed that its cybersecurity team activated a response mechanism and implemented operational measures to ensure continuity of production and delivery. The affected factories are reportedly resuming normal production. However, as of the latest reporting, Foxconn remains listed on Nitrogen's leak site, suggesting that negotiations may be ongoing or that the company has decided not to pay the ransom.
The method of initial access remains unclear, but previous investigations into Nitrogen-related campaigns have shown that the group uses SEO poisoning and fake software downloads to distribute malicious installers, often impersonating tools such as Advanced IP Scanner, AnyDesk, WinSCP, or Cisco AnyConnect.
This attack highlights the growing threat to the manufacturing sector, which has become a prime target for ransomware groups due to its central role in high-value supply chains and low tolerance for downtime. Data from Comparitech shows as many as 600 ransomware attacks on manufacturing companies so far this year, with median ransom payments hovering at $400,000. Arctic Wolf's 2026 Threat Report revealed manufacturing to be the most heavily targeted sector for ransomware, with nearly 70% more victims than the next most targeted industry.
The attack on Foxconn underscores the dual extortion risk faced by manufacturers: attackers can demand payment both to decrypt systems and to delete stolen data belonging to the company's high-profile clients. As supply chain dependencies deepen, such incidents are likely to increase, making robust cybersecurity defenses and incident response plans critical for manufacturers worldwide.