- Why does ransomware hit identity first?
- How does the identity-first kill chain work?
- What identity-first defenses can manufacturers implement now?
- Start now: See what the attacker sees—before they do
- Improve identity system visibility to close the dwell-time window
- Be ready for the questions nobody wants to answer
- Be confident you can recover to clean—not just fast
- Test your recovery before you need it
- The bigger picture: How can manufacturing build identity resilience?
- Further reading
On the morning of May 1, 2026, workers arriving at Foxconn’s Mount Pleasant, Wisconsin facility were handed paper timesheets.
Not because of a power outage. Not a fire drill.
The entire network was down. Wi-Fi was gone by 7:00 AM. Core plant infrastructure was dark by 11:00 AM. The entire production floor, dedicated to building AI servers for Apple, Google, NVIDIA, Intel, and Dell, was reduced to pen and paper before most people had finished their morning coffee.
By May 11, the Nitrogen ransomware group had published Foxconn on its dark web leak site and claimed it had walked out with eight terabytes of data. Over 11 million files. Assembly blueprints. Data center topology maps for Google and Intel. Hardware schematics for next-generation AI infrastructure. A second facility in Houston, Texas, was also reportedly hit.
This was not a smash-and-grab. This was a deliberate, patient, identity-driven attack—and it followed a playbook that identity defenders need to understand cold.
Why does ransomware hit identity first?
In Semperis’ Ransomware Risk Report, 78% of respondents revealed they were targeted by ransomware in the previous 12 months. The most common entry point? The identity system.
83% of ransomware attacks on global manufacturing organizations compromised identity infrastructure.
Source: Semperis, 2025 Ransomware Risk Report
For experienced cybersecurity practitioners and incident responders, such statistics are not surprising. The identity infrastructure is foundational to every other application and system in the organization. When attackers infiltrate Active Directory (AD), Entra ID, or Okta, they can establish persistence, move laterally, and elevate privileges for greater reach across the entire environment.
The Nitrogen attack followed a well-documented pattern in which a compromised credential opens the door to elevated privileges, domain access, and the keys to backup systems.
How does the identity-first kill chain work?
In identity-first ransomware attacks, the entry is almost always the same: a compromised credential or exposed endpoint. Sometimes it is a phishing email aimed specifically at IT administrators, the people with elevated privileges, domain access, and the keys to backup systems. Attackers are not after a regular user’s laptop. They’re after accounts that can do things.
This pattern is consistent with what Semperis threat researchers have observed across dozens of ransomware investigations: Active Directory is not just a target in these attacks. It is the attack surface.
- Initial access via credential abuse. Compromised credentials—obtained through phishing or purchased from initial access brokers—often provide an initial foothold. No exploit is required. Just a valid username and password.
- Privilege escalation through AD misconfigurations. Once inside, attackers look for the low-hanging fruit that exists in almost every enterprise AD: Kerberoastable service accounts with excessive privileges, unconstrained delegation, stale admin accounts, ACL misconfigurations that allow a standard user to reset a privileged account’s password.
For manufacturers like Foxconn, an expanded Smart Manufacturing network—IoT-integrated, cloud-connected, built out at pace—is exactly the kind of environment where such misconfigurations accumulate invisibly.
- Lateral movement and domain dominance. With a foothold and an escalation path, attackers move toward the domain. They seek highly privileged targets such as Domain Admins, Enterprise Admins, and accounts with DCSync rights. Once they have those, they own the environment. Every system trusting that AD instance is now compromised.
- Backup identification and staging. Before triggering any visible disruption, the attacker locates and neutralizes backup infrastructure. In Foxconn’s 2020 breach, DoppelPaymer deleted 30TB of backup data. Attackers like Nitrogen may use a more surgical approach, quietly staging data and using it as leverage in their negotiations. But the intent is the same: make recovery as painful as possible.
- Exfiltration, then extortion. Eight terabytes of data doesn’t move overnight. Most ransomware attacks require weeks of patient, low-and-slow exfiltration—exactly the kind of activity that blends into normal network noise if you’re not watching identity behavior closely.
Once inside the identity system, attackers don’t rush. They spend weeks mapping the environment, identifying domain controllers, locating backup servers, staging exfiltration quietly in the background. By the time anyone notices something is wrong, the data is already gone. The encryption, when it finally comes, is almost a formality. The real leverage was the exfiltration.
What identity-first defenses can manufacturers implement now?
As the Semperis ransomware study reports, many manufacturing organizations understand that identity security and resilience are foundational to cyber and business resilience, and 90% of global respondents have implemented an Identity Threat Detection and Response (ITDR) strategy.
However:
- Just 65% of manufacturers include AD-specific recovery procedures in their disaster recovery plan
- Only 61% maintain dedicated, AD-specific backup systems
Both are essential for effective ITDR. So how can your organization successfully combat identity-related ransomware threats to build operational resilience?
Let’s walk through what you can do to defend your identity environment—before, during, and after a cyberattack—and where specific gaps may exist in complex manufacturing environments like Foxconn’s.
Start now: See what the attacker sees—before they do
Two community tools from Semperis provide a way for you to baseline your security posture immediately—at no cost.
A joint report released by the Five Eyes Alliance—including the Australian Cyber Security Centre, the U.S. National Security Agency, and others—recommends Purple Knight, Semperis’ free AD security assessment tool, as an effective prevention and detection tool that enables you to monitor your identity security posture over time.
Purple Knight runs an agentless scan across your Active Directory, Entra ID, and Okta environments and scores against over 218 security indicators across multiple categories:
- AD Delegation
- Account Security
- AD Infrastructure
- Entra ID
- Group Policy Security
- Hybrid Security
- Kerberos Security
- Okta
In a typical enterprise environment, the tool surfaces misconfigurations and vulnerabilities that have been sitting undetected for years. Then, it provides expert guidance to help you prioritize the highest-risk threats and systematically address them.
Another free tool, Forest Druid, further extends your identity security posture visibility by mapping Tier 0 attack paths—the routes an attacker can take from a compromised standard user account all the way to Domain Admin or domain controller compromise. This free tool answers the question most organizations can’t answer on their own:
“If an attacker gets in here, how many hops does it take to own our domain?”
In an environment where a manufacturing floor network, corporate IT, and AI server assembly infrastructure are all interconnected, the number of unintended Tier 0 paths is almost certainly significant. Forest Druid maps them visually, prioritizes them by risk, and gives defenders a remediation roadmap—before an attacker finds those paths themselves.
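To make the “how many hops” question concrete, here is an added example (not Forest Druid or Semperis code) that runs a breadth-first search over a constructed graph of AD relationships and reports the shortest path from a standard user to a Tier 0 asset, plus the non-membership edges on that path a defender could cut. All account, group and host names are assumptions.

```python
# Added example, not Forest Druid code: shortest path from a user to Tier 0
# over a CONSTRUCTED set of AD relationships (names are assumptions).
from collections import deque

# Edges are (source, relationship, target). The relationship names follow
# the common attack-path vocabulary: MemberOf, ResetPassword, AdminTo, ...
EDGES = [
    ("jdoe", "MemberOf", "Helpdesk"),
    ("Helpdesk", "ResetPassword", "svc-mes"),        # helpdesk ACL on a plant service account
    ("svc-mes", "MemberOf", "Plant-Server-Admins"),
    ("Plant-Server-Admins", "AdminTo", "DC01"),       # local admin on a DC is Tier 0 access
    ("jdoe", "MemberOf", "Marketing"),
    ("Marketing", "GenericWrite", "Shared-Calendar"),  # harmless dead end
]
TIER0 = {"DC01", "Domain Admins", "Enterprise Admins"}

def shortest_path(start, edges=EDGES, tier0=TIER0):
    """BFS from start; return the list of (src, rel, dst) hops to Tier 0, or None."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    seen, queue = {start}, deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node in tier0:
            return path
        for rel, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None

def hops_to_tier0(start):
    """Number of hops on the shortest path, or None when Tier 0 is unreachable."""
    path = shortest_path(start)
    return len(path) if path is not None else None

def remediation_candidates(path):
    """Edges that are rights rather than group memberships: the ones you can revoke."""
    return [(s, r, d) for s, r, d in path if r != "MemberOf"]

if __name__ == "__main__":
    p = shortest_path("jdoe")
    print("hops:", hops_to_tier0("jdoe"))
    for hop in p:
        print("  ", hop)
    print("cut one of:", remediation_candidates(p))
```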
Improve identity system visibility to close the dwell-time window
The weeks or months an attacker spends inside a network before triggering disruption are a window of opportunity for defenders. During that dwell time you can catch them—but only if you’re watching the right signals.
Standard SIEM tools log events. They don’t understand what those events mean in the context of your hybrid Active Directory environment. An attacker performing a DCSync operation, creating a Golden Ticket, modifying AdminSDHolder, or quietly adding a user to a privileged group will generate logs, but most SIEMs won’t surface these as high-priority alerts because they don’t have the AD-specific intelligence to know what they’re looking at.
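As an added example (not Semperis or DSP code), the following Python triages a handful of constructed Windows Security events for three of the changes named above: replication requests that look like DCSync coming from something other than a domain controller, additions to privileged groups, and edits to AdminSDHolder. The event IDs and the two replication extended-right GUIDs are the documented Windows values; the DC account names and the sample events are assumptions.

```python
# Added example, not DSP code: give plain Security-log events the AD context
# a generic SIEM lacks. Sample events below are CONSTRUCTED, not real logs.
from dataclasses import dataclass

# Extended rights a DCSync needs (documented Windows GUIDs).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal group
KNOWN_DCS = {"DC01$", "DC02$"}  # assumption: your DC machine accounts

@dataclass
class Event:
    event_id: int
    subject: str       # account that made the change
    props: str = ""    # 4662: property/extended-right GUIDs
    group: str = ""    # 4728/4732/4756: target group
    obj_dn: str = ""   # 5136: distinguished name of the modified object

def classify(ev):
    """Return an alert label for one event, or None if it is not interesting."""
    if ev.event_id == 4662 and any(g in ev.props.lower() for g in REPL_GUIDS):
        # DCs replicate with each other all day; anyone else asking is suspect.
        if ev.subject.upper() not in KNOWN_DCS:
            return "DCSYNC_CANDIDATE"
    elif ev.event_id in GROUP_ADD_EVENTS and ev.group in PRIV_GROUPS:
        return "PRIVILEGED_GROUP_ADD"
    elif ev.event_id == 5136 and ev.obj_dn.upper().startswith("CN=ADMINSDHOLDER,"):
        return "ADMINSDHOLDER_MODIFIED"
    return None

def triage(events):
    """(event_id, subject, label) for every event that classify() flags."""
    return [(e.event_id, e.subject, label) for e in events if (label := classify(e))]

SAMPLE = [  # constructed sample events
    Event(4662, "DC02$", props="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),       # normal
    Event(4662, "svc-backup", props="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),  # DCSync?
    Event(4728, "jdoe", group="Domain Admins"),
    Event(4728, "jdoe", group="Marketing"),                                     # normal
    Event(5136, "jdoe", obj_dn="CN=AdminSDHolder,CN=System,DC=corp,DC=example"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```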
Semperis Directory Services Protector (DSP) monitors the identity infrastructure continuously, correlates changes against known attack patterns, and—critically—provides automatic rollback of unauthorized changes in real time.
That means that if an attacker adds a rogue account to Domain Admins at 2:00 AM, DSP doesn’t just alert. It rolls the change back before the account can be used.
Be ready for the questions nobody wants to answer
Here’s a question every CISO should be able to answer before an incident, not during one:
“If our domain controllers are down right now, how long does it take us to recover Active Directory to a known-clean state—and are we confident the backup we’re recovering from isn’t already compromised?”
Most organizations cannot answer this with confidence. Most haven’t tested it. And in a ransomware scenario, recovering from a compromised backup is not recovery—it’s reinstating the attacker’s foothold.
Be confident you can recover to clean—not just fast
Manufacturing respondents to Semperis’ ransomware study reported that when ransomware attacks were successful, they were hit not just once, but multiple times over the course of days or weeks:
- 39% were attacked two times.
- 25% were attacked three times.
- 8% were attacked four or more times.
These repeat attacks highlight the fact that restoring backups where the attacker still lurks does you no good. You must ensure you can recover to a trusted, clean state.
Semperis Active Directory Forest Recovery (ADFR) automates the AD forest recovery process, eliminating the manual, error-prone steps in the Microsoft recovery guide that can take days and introduce human error under pressure. More important, ADFR recovers to a malware-free state. It doesn’t just restore the last backup; it ensures the restored environment is clean.
Foxconn’s network went dark on May 1. By May 11—ten days later—the company was still describing production as in “gradual restoration.” That timeline is not unusual for organizations recovering AD manually. With ADFR, that recovery window compresses from days to hours.
Test your recovery before you need it
Even if you have backups and a recovery plan in place—how do you know it will work when the worst happens?
According to Semperis’ State of Enterprise Crisis Readiness study:
- 96% of global organizations say they have a cyber crisis response plan
- But 71% still experienced business-stopping cyber incidents
The problem is not that these organizations lack effort or talent. It’s that they lack a way to ensure their response is effective.
Semperis Ready1 is an enterprise crisis management platform that functions as your command-and-control center before, during, and after a cyber incident. It’s where your teams can build your cyber crisis response plans, test your recovery readiness before you need it, validate backup integrity, identify gaps in runbooks—and ensure that when you do need to recover, you’re not figuring it out under pressure at 2:00 AM while production is down.
The bigger picture: How can manufacturing build identity resilience?
The Foxconn breach is significant not just because of its scale but also because of what was stolen.
- Data center topology maps for Google and Intel infrastructure
- Assembly specs for AI hardware
- Intellectual property that took years and hundreds of millions of dollars to develop
All leaving the building over weeks of quiet exfiltration while no one was watching the domain.
The manufacturing sector continues to treat Active Directory as an IT problem rather than an operational risk. In an Industry 4.0 environment—where the domain controller is the trust anchor for everything from the factory floor to the cloud—that framing is dangerously outdated.
Attackers understand this: The identity layer is the primary attack surface.
The question for every CISO in manufacturing, critical infrastructure, and the technology supply chain is not just whether your operational systems are hardened. It’s whether, when an attacker gets in, your identity defenses will stop them—or hand them everything.
Further reading
- How to Secure Service Accounts for Identity Security
- NSA Top Ten Cybersecurity Misconfigurations: An Active Directory Perspective
- What Is Identity Attack Surface Management?
- Detecting and Mitigating Active Directory Compromises | Australian Signals Directorate
- Top Manual AD Forest Recovery Pitfalls
- Rethinking Cyber Crisis Management: Why Plans Fail
