Honda Production Halted By Ransomware Cyberattack

Honda Production Halted By Ransomware Cyberattack

Over the weekend, Honda—one of the largest vehicle manufacturers in the world—suffered a cyber attack which significantly impacts its production. While Japanese automobile and motorcycle production facilities resumed operations, those in Ohio, Turkey, and Brazil remain shut down due to the attack. 

Reports suggest that Honda’s production facilities suffered from a ransomware attack that targets industrial control systems. Additionally, Honda reports that its Customer Service and Financial Services are unavailable due to the cyber attack. 

Honda released a statement: “Honda can confirm that a cyber-attack has taken place on the Honda network…Work is being undertaken to minimize the impact and to restore full functionality of production, sales, and development activities.” According to the BBC, Honda also reported that the virus “spread” but did not elaborate. 

Experts Comment on Honda Production Ransomware Attack

Paul Bischoff

Paul Bischoff is a privacy advocate with Comparitech.

“Based on the limited information Honda has released about the attack, this looks like the result of ransomware. Given that many operations are shut down, but no data was stolen, ransomware is the most obvious culprit. Attackers might have tricked a Honda employee into clicking a link that downloaded a ransomware-infected file, for example. If Honda has proper backup systems in place, it should be able to mitigate the effect of the attack and resume operations with minimal downtime. Honda is a huge company, though, so any downtime incurs large losses even if the company chooses not to pay the ransom.”

Chris Clements

Chris Clements is VP of Solution Architecture at Cerberus Sentinel.

“A well-known information security best practice is isolating any internet-accessible servers into a DMZ network that has extremely limited access to any other networks in an organization to prevent widespread damage in the event a single system is compromised.  Honda’s statement that an internal server was externally attacked could mean that they did not take this step to prevent an attacker from propagating to other areas of the organization.  Unfortunately, many applications that organizations rely on are often not architected to support this level of segmentation, so it’s possible that Honda had few other options in exposing their internal network to the internet.

This attack appears to be a ransomware attack associated with the SNAKE cybercrime group as samples of malware the check for an internal system name and public IP addresses related to Honda have surfaced publicly on the internet.  The malware exits immediately if associations with Honda are not detected.  This strongly implies that this was a targeted attack rather than a case of cyber criminals spraying out ransomware indiscriminately.  More concerning is that the SNAKE ransomware team has historically attempted to exfiltrate sensitive information before encrypting their victim’s computers.   This combined with the targeted nature of the malware’s “pre-checks” indicates that the attackers likely had access to Honda’s internal systems for some time before launching the ransomware’s encryption functions.  Without confirmation from the SNAKE group or Honda, it is impossible to say how long the attackers were present or what sensitive data they may have been able to steal.”

Learn more about ransomware protection in our Endpoint Security Buyer’s Guide

Follow me

Ben Canner

Editor, Cybersecurity at Solutions Review
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner
Follow me