Security Researchers Say Ransomware Is Likely Culprit
Japanese auto giant Honda has confirmed that the company sustained a “cyberattack” earlier this week that has affected production operations at several of its global facilities, including plants in the U.S., Japan, Turkey and Italy.
On Monday, an internal server in Japan was attacked and malware spread through Honda’s computer network, leading to difficulties in accessing servers, email and other systems, a Honda spokesperson tells Information Security Media Group. Production systems outside Japan were also affected, the spokesperson noted.
While Honda has not released specific details of the security incident, the company does say that there’s no indication any data has been compromised at this point, and that an investigation remains ongoing.
“Work is being undertaken to minimize the impact and to restore full functionality of production, sales and development activities. At this point, we see minimal business impact,” a Honda spokesperson says.
At this time Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable. We are working to resolve the issue as quickly as possible. We apologize for the inconvenience and thank you for your patience and understanding.
— Honda Automobile Customer Service (@HondaCustSvc) June 8, 2020
While Honda did not provide specifics of the attack, security analysts suspect the company was targeted by ransomware.
In a blog post, the Malwarebytes Threat Intelligence Team finds that Honda was likely targeted by Snake, a ransomware variant that security analysts began warning about earlier this year.
The Malwarebytes researchers point out that samples of the ransomware were uploaded to VirusTotal by a researcher, and a closer look at that code showed several artifacts that appear to corroborate the possibility that Snake was used against the company. For example, Honda appears to have had some systems using Remote Desktop Protocol access that may have been unsecured and exposed to the public internet, according to Malwarebytes (see: Top Ransomware Attack Vectors: RDP, Drive-By, Phishing).
“RDP attacks are one of the main entry points when it comes to targeted ransomware operations,” according to Malwarebytes. “However, we cannot say conclusively that this is how threat actors may have gotten in.”
In addition, the Malwarebytes team notes that Argentina-based electricity provider Edesur S.A. was hit with a similar attack on Monday that researchers believe could also be caused by Snake.
Brett Callow, a threat analyst with security firm Emsisoft, tells ISMG that the ransomware will only encrypt files of systems capable of resolving the internal Honda subdomain “mds.honda.com,” which was referenced in the samples uploaded to VirusTotal. As that domain doesn’t exist on the clear net, however, most systems would not be able to resolve it, he says.
“It doesn’t prove conclusively that Honda was hit by Snake, but it’s certainly a strong indicator,” Callow notes.
Snake, also known as Ekans, is designed to target the software used to run large-scale industrial facilities, according to the security firm Dragos, which published a report on the crypto-locking malware in January. Snake has the ability to encrypt and close down industrial control systems and appears to be similar to another ransomware variant called Megacortex (see: New Ransomware Targets Industrial Controls: Report).
In May, Snake ransomware reportedly infected the network of Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services, according to security blogger Brian Krebs (see: Ransomware Slams Healthcare, Logistics, Energy Firms).
“The ransomware game of cat and mouse continues to evolve as cyber criminals adapt to security vendor updates,” says Shahrokh Shahidzadeh, CEO of cybersecurity firm Acceptto.
Shahidzadeh says that attacks appear to be more successful when leveraging a valid digital credential for planting the ransomware within the network. “Current binary approaches to authentication allow too many cybercriminals into networks, allowing them to effectively plant ransomware attacks,” he adds.
Operations at Honda factories at multiple locations around the world were impacted by the cyber incident. Production has resumed at most plants in the U.S., and the company says it is working toward the return to production of the auto and engine plants in Ohio.
Auto production ceased in Turkey on Monday during the investigations but resumed on Tuesday, according to the company spokesperson.
A spokesperson for Honda’s U.K. operations says that production at Honda’s Atessa factory in Italy are suspended as investigations continue, while Honda’s U.K. manufacturing facility based in Swinton is scheduled to resume production this week.
In Japan, there was some impact on a car inspection system on Monday morning, but the system was recovered by the afternoon and production has resumed, the spokesperson tells ISMG.
According to the Financial Times, two of Honda’s motorcycle factories in India and Brazil were also impacted and had not resumed operations as of Wednesday.
Honda has previously been hit with ransomware.
In June 2017, Honda stopped production at a Japanese vehicle plant after discovering that several plants across the world were affected by the global WannaCry outbreak (see: Honda Hit by WannaCry).
Managing Editor Scott Ferguson contributed to this report.