ENGlobal faces cybersecurity breach, leads to ‘limited’ access to essential business operations

ENGlobal Corporation, an engineering and automation services provider that works with the U.S. energy sector and federal government, reported in a filing with the U.S. Securities and Exchange Commission (SEC) that on Nov. 25, 2024, it became aware of a cybersecurity incident. An initial investigation indicated that a threat actor had unlawfully accessed the company’s information technology (IT) system and encrypted certain data files. However, the filing did not specify the number of affected systems, whether the company’s operational technology (OT) systems were impacted, or provide details about the attack vector used by the hacker.

The ENGlobal cybersecurity incident is the latest in a series of attacks targeting the energy sector. Last month, Texas-based oilfield services supplier Newpark Resources identified a ransomware attack involving unauthorized access to its internal systems, while Halliburton reported in August that a cyberattack forced it to shut down certain systems.

“Upon detecting the unauthorized access, the Company immediately took steps to contain, assess and remediate the cybersecurity incident, including beginning an internal investigation, engaging external cybersecurity specialists, and restricting access to its IT system,” Darren Spriggs, ENGlobal CFO, disclosed in the Tuesday filing. “As a result of these and other measures, and while the investigation and remediation efforts remain ongoing, access to the Company’s IT system is limited to essential business operations.” 

Spriggs noted that the timing of the restoration of full access to the company’s IT system remains unclear as of the date of this filing. 

He added that the Houston, Texas-headquartered company has not yet determined whether the cybersecurity incident is reasonably likely to materially impact the company’s financial condition or results of operations. 

Industrial Cyber has contacted ENGlobal for more information on the cybersecurity incident and will update as the company responds.

ENGlobal offers project solutions primarily to the energy industry through its Commercial and Government Services segments. The Commercial segment handles engineering and automated control systems, while Government Services focuses on automation and instrumentation for the U.S. defense industry.

Commenting on the ENGlobal cybersecurity incident, Chris Grove, director of cybersecurity strategy at Nozomi Networks, wrote in an emailed statement that despite the unfortunate circumstances, this organization may consider itself fortunate to have only fallen victim to a ransomware attack, potentially averting a far more serious threat. 

Grove observed that this organization services critical national security components such as the Department of Defense, NASA, the Department of Energy, and others. Additionally, they play an important role in critical infrastructure and industries such as oil & gas, chemicals, pipelines, energy production, manufacturing, and more.

“Although being infiltrated by a skilled cybercriminal gang is serious, it could have been much worse. Nation-state threat actors are actively penetrating critical infrastructure and lurk in the systems, undetected, lying in wait,” according to Grove. “Cyber espionage operations are gaining access to national security data and intellectual property, stolen in huge quantities and is being actively leveraged against the interests of their adversaries. A company such as this victim, which services so many critical parts of society, has the potential to be a launching point for these types of offensive cyber operations.”

He added that had other threat actors been involved instead of profiteers seeking ransom, the outcome could have been a major catastrophe. “I’m confident that the victim organization will identify where their defenses were weak and enhance their security posture, but I’m also confident that their customers and partner organizations will seek assurances on potential impacts to their infrastructure, proper containment, and preventing future incidents.”

Texas-based oilfield services supplier Newpark Resources last month detected a ransomware attack in which an unauthorized party accessed its internal systems. The company activated its cybersecurity response plan and began investigating with external advisors to assess and contain the threat. The ransomware incident disrupted access to some of the company’s information systems and business applications, but manufacturing and field operations continued using downtime procedures.

In August, energy industry services company Halliburton announced that a cyberattack compelled it to shut down some of its systems. These recent cyberattacks are yet another wake-up call for the critical infrastructure industry. The breaches involve unauthorized access by third parties, often leading to operational disruptions, system shutdowns, and the activation of incident response plans.