Threat Intelligence
diskordia, Nov 20, 2025
When one of the most recognized breweries in the world brings production to a screeching halt, people notice. In late September 2025, Asahi was struck by a crippling cyber attack that disrupted manufacturing and order fulfillment and delayed deliveries to customers. That's right: no beer for the thirsty masses.
The group that claimed the incident? Qilin (formerly known as Agenda), a ransomware-as-a-service (RaaS) operation whose affiliate network is notorious for credential theft, lateral movement, data theft, and mass encryption.
At first glance, this might look like just another ransomware event. But as the Dragos team broke down during Hack The Box’s ICS in the Crosshairs webinar, this attack was a blueprint for how modern ransomware operators are blending IT and OT disruption to maximize impact.
In the webinar, Giacomo Bertollo, Head of Product Marketing at HTB, and Dragos analysts Gil Garcia, Tim Vernick, and Joseph Lee explore how industrial control system (ICS) networks are no longer the isolated, analog environments of the past.
Digitization has wired enterprise systems (e.g., ERP and MES) directly into production floors, dramatically widening the attack surface as a result. Against that backdrop, Qilin's operation danced to a now-familiar tune:
Initial access: Most likely compromised VPN credentials, or credentials harvested through phishing and then reused, consistent with Qilin's prior campaigns.
Execution and lateral movement: Automated scripts and living-off-the-land binaries (LOLBins) pushed the ransomware across connected servers and control systems.
Defense evasion: Event logs cleared, AV disabled, and in some cases systems rebooted into Safe Mode so that endpoint protections would not load.
Collection and exfiltration: Qilin claimed approximately 9,300 files (27 GB) on its leak site, indicating deliberate data theft before encryption for double extortion.
Impact: Asahi’s operations and order fulfillment ceased, showing how even partial OT disruption can cascade through a global supply chain.
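The defense-evasion stage above is the one a SOC can most cheaply catch, because clearing event logs, switching off AV and forcing a Safe Mode boot all leave distinctive process-creation events. The following is an added example written for this article, not code from Hack The Box, Dragos or the webinar: it runs simple command-line rules over constructed Sysmon-style events (hypothetical hosts and accounts), then correlates hits per host and per account. The command patterns are common ways of performing those techniques, not commands attributed to the Asahi intrusion.

```python
"""Flag log clearing, AV tampering and Safe Mode boots in process telemetry,
then correlate per host (chained evasion) and per account (credential reuse).

Added example for this article; not HTB, Dragos or webinar code. Events are
constructed; command patterns are generic, not attributed to Qilin at Asahi."""

import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 style records (hypothetical hosts/accounts).
SAMPLE_EVENTS = [
    {"host": "mes-app01", "user": r"CORP\svc_backup",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "mes-app01", "user": r"CORP\svc_backup",
     "cmdline": "bcdedit.exe /set {default} safeboot network"},
    {"host": "hist-db02", "user": r"CORP\svc_backup",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "hist-db02", "user": r"CORP\svc_backup",
     "cmdline": "sc.exe stop WinDefend"},
    {"host": "eng-ws07", "user": r"CORP\jdoe",
     "cmdline": "wevtutil.exe qe Application /c:5 /rd:true"},  # benign log query
]

# (ATT&CK technique ID, description, pattern matched against the command line)
RULES = [
    ("T1070.001", "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I)),
    ("T1562.009", "Safe Mode boot configured via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1562.001", "Endpoint protection disabled",
     re.compile(r"Set-MpPreference\b.*-Disable\w*|\bsc(\.exe)?\s+(stop|delete)\s+WinDefend\b", re.I)),
]


def match_rules(event):
    """Return the (technique, description) pairs a single event triggers."""
    return [(tid, desc) for tid, desc, pat in RULES if pat.search(event["cmdline"])]


def detect(events):
    """Produce one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for tid, desc in match_rules(ev):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "technique": tid, "description": desc,
                             "cmdline": ev["cmdline"]})
    return findings


def hosts_with_chained_evasion(findings, min_techniques=2):
    """Hosts where at least `min_techniques` distinct evasion techniques fired.

    A single hit can be admin noise; several in combination on one box match
    the log-wipe / AV-off / Safe-Mode pattern described in the article."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["technique"])
    return sorted(h for h, techs in per_host.items() if len(techs) >= min_techniques)


def accounts_spanning_hosts(findings, min_hosts=2):
    """Accounts seen tampering with defenses on several hosts: a cheap signal
    that one set of stolen credentials is being reused for lateral movement."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f["user"]].add(f["host"])
    return {u: sorted(hosts) for u, hosts in per_user.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:10} {f['technique']}  {f['description']}: {f['cmdline']}")
    print("chained evasion on:", hosts_with_chained_evasion(found))
    print("accounts spanning hosts:", accounts_spanning_hosts(found))
```

On the sample data the benign `wevtutil qe` query on eng-ws07 produces nothing, mes-app01 is flagged for two distinct techniques (log clearing plus Safe Mode boot), and the `svc_backup` account shows up tampering with defenses on two hosts. In production the same rules would sit on Sysmon, EDR or Windows Security 4688 process-creation events; the per-account correlation is what turns isolated alerts into the "one credential, many machines" picture that ransomware affiliates rely on.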

Hack The Box and Dragos joined forces to create the Alchemy Pro Lab, a gamified industrial environment replicating a brewery plant, specifically to help defenders and operators test relevant scenarios in a safe sandbox.
For blue teams, HTB Threat Range also offers live-fire SOC and DFIR simulations modeled on real ransomware campaigns like this one.
If you work in OT security and haven’t stress-tested your detection and response under realistic pressure, you’re already behind the curve.

The Asahi incident underlined a simple truth: ransomware actors don’t need to touch a PLC to cripple an industrial organization. Interrupting the digital systems that tell a plant what to produce is enough to stop the line cold, and that operational impact is felt in our day-to-day lives.
ICS security isn't about living in a state of near-constant paranoia. It's about precision, preparation, and practice. And the defenders who treat their response plans like production lines (tested, refined, and repeatable) are the ones who'll keep the taps running.