Update Regarding Ransomware Event

FAQ:

This page is current as of 5/1/2023 at 8:00 AM (US Eastern Standard Time).

1. What happened?

  • MKS Instruments (including our brands Newport, Ophir, Spectra-Physics and ESI) recently experienced a ransomware event affecting some of our systems.
  • MKS Instruments took immediate action upon detecting the incident to fully contain it.

2. What is the status of your manufacturing operations and field service?

3. Is it safe to open emails from MKS or to communicate with them via Microsoft Teams?

  • Yes. Based upon our forensic review, we are confident that our Office 365 applications, including email and Teams, were not affected by the ransomware event and are safe to use. This conclusion is based on a post-attack investigation by our outside forensic experts and cybersecurity engineers, which included an analysis of audit logs for our Office 365 environment. The forensic experts confirmed that the threat actor did not attempt to access Office 365 either before or during the attack against MKS. In addition, forensic analysis of machines on the MKS network revealed no findings indicating the threat actor attempted to access, or accessed, Office 365 accounts. We utilize multi-factor authentication and executed a global password reset to mitigate the possible loss of credentials. All inbound and outbound email content is scanned with Proofpoint email gateway filtering software for malicious attachments.

4. Is it safe for MKS salespersons and service engineers to use their personal computers at customer locations and connect with order management portals?

  • We have authorized our sales and customer service teams to resume use of their PCs at our customer sites and to access our customers’ order-management portals. We want to assure you that prior to bringing MKS PCs to customer sites and connecting to customer equipment (locally or remotely), networks or Wi-Fi, MKS took the necessary steps to ensure our computers were safe. If you have any questions or concerns, please contact your local sales representative.

5. Are you processing Return Material Authorizations (RMAs)?

  • Yes, we are processing RMAs. Please follow the standard process for submitting an RMA. If you have questions, please contact your local sales representative.

6. Which operations were affected?

  • The incident affected operations at the Company’s Vacuum Solutions and Photonics Solutions Divisions, including our ability to process orders and ship products. However, virtually all of our manufacturing operations are back to functioning at pre-incident levels.
  • The incident did not impact operations at our Materials Solutions Division.

7. What steps have you taken so far and are you working with outside experts?

  • On February 3, 2023, we took immediate action to activate our incident response and business continuity protocols to contain the incident.
  • In addition, we notified the appropriate authorities and engaged leading cybersecurity and forensic experts to assist us with responding to the incident and enhancing the security of the affected systems.
  • Virtually all of our manufacturing operations are back to functioning at pre-incident levels.

8. What steps have you taken to enhance the security of your IT infrastructure?

  • We have engaged security specialists to assist in the review, assessment and remediation of our information technology controls, are strengthening access requirements and unauthorized-access detection, and are implementing procedures to facilitate more timely restoration of our financial reporting systems.

9. How will you keep us informed about the incident going forward?

10. How can I submit a question?

11. Is there a Cyber Incident Summary available?

  • Yes, it is available here.