Over the weekend, Honda—one of the largest vehicle manufacturers in the world—suffered a cyber attack that has significantly impacted its production. While Japanese automobile and motorcycle production facilities resumed operations, those in Ohio, Turkey, and Brazil remain shut down due to the attack.
Reports suggest that Honda’s production facilities suffered from a ransomware attack that targets industrial control systems. Additionally, Honda reports that its Customer Service and Financial Services are unavailable due to the cyber attack.
Honda released a statement: “Honda can confirm that a cyber-attack has taken place on the Honda network…Work is being undertaken to minimize the impact and to restore full functionality of production, sales, and development activities.” According to the BBC, Honda also reported that the virus “spread” but did not elaborate.
Experts Comment on Honda Production Ransomware Attack
Paul Bischoff is a privacy advocate with Comparitech.
“Based on the limited information Honda has released about the attack, this looks like the result of ransomware. Given that many operations are shut down, but no data was stolen, ransomware is the most obvious culprit. Attackers might have tricked a Honda employee into clicking a link that downloaded a ransomware-infected file, for example. If Honda has proper backup systems in place, it should be able to mitigate the effect of the attack and resume operations with minimal downtime. Honda is a huge company, though, so any downtime incurs large losses even if the company chooses not to pay the ransom.”
Chris Clements is VP of Solution Architecture at Cerberus Sentinel.
“A well-known information security best practice is isolating any internet-accessible servers into a DMZ network that has extremely limited access to any other networks in an organization to prevent widespread damage in the event a single system is compromised. Honda’s statement that an internal server was externally attacked could mean that they did not take this step to prevent an attacker from propagating to other areas of the organization. Unfortunately, many applications that organizations rely on are often not architected to support this level of segmentation, so it’s possible that Honda had few other options in exposing their internal network to the internet.
This attack appears to be a ransomware attack associated with the SNAKE cybercrime group as samples of malware that check for an internal system name and public IP addresses related to Honda have surfaced publicly on the internet. The malware exits immediately if associations with Honda are not detected. This strongly implies that this was a targeted attack rather than a case of cyber criminals spraying out ransomware indiscriminately. More concerning is that the SNAKE ransomware team has historically attempted to exfiltrate sensitive information before encrypting their victim’s computers. This combined with the targeted nature of the malware’s “pre-checks” indicates that the attackers likely had access to Honda’s internal systems for some time before launching the ransomware’s encryption functions. Without confirmation from the SNAKE group or Honda, it is impossible to say how long the attackers were present or what sensitive data they may have been able to steal.”