
Honda Ransomware Attack a Lesson in Segmentation

Japanese car manufacturer Honda has suffered a suspected ransomware attack that temporarily disrupted its global operations, including factory operations, the company confirmed earlier this month. The incident, which was likely the result of the Snake ransomware, comes as the latest in a long line of similar attacks in recent months aimed at extorting cash from high-profile multinationals, and sheds light on the importance of network segmentation, according to experts.

News of the security incident first broke on June 8, when Honda announced in a Tweet that they were “experiencing technical difficulties and are unavailable”, adding that they were “working to resolve the issue as quickly as possible”. The auto giant later revealed to the BBC that the origin of the technical difficulties had indeed been a cyber attack, writing in a statement to the broadcaster that “Honda can confirm that a cyber-attack has taken place on the Honda network.”

Honda added that the attack had had an impact “on production systems outside of Japan,” stating further that “work is being undertaken to minimise the impact and to restore full functionality of production, sales and development activities.”

According to researchers at Malwarebytes Labs, who later analyzed code samples posted online, the cyberattack on Honda was likely a ransomware attack, belonging specifically to the Snake ransomware family, also known as Ekans. According to Bleeping Computer, this relatively new variety of ransomware is reportedly unique in that it lays siege to an entire network, rather than to individual workstations.

The ransomware attack is likely to have a financial impact on Honda, which is one of the world’s largest auto manufacturers, employing over 200,000 staff on its payrolls in operations that span across the globe.

How Honda’s ransomware attack unfolded

According to Brett Callow, a threat analyst at security firm Emsisoft, a sample of the file-encrypting malware used in the ransomware attack on Honda was uploaded to VirusTotal, a malware analysis service. The sample references an internal company subdomain called mds.honda.com.

“The ransomware will only encrypt files on systems capable of resolving this domain but, as the domain does not exist on the clear net, most systems would not be able to resolve it,” Callow explained to TechCrunch. “mds.honda.com may well exist on the internal nameserver used by Honda’s intranet, so this is a fairly solid indicator that Honda was indeed hit by Snake,” he added.

In this way, it is suspected that the cybercriminals were able to scramble internal files and hold them to ransom in exchange for cash or cryptocurrency, as is typical in a ransomware attack. However, Honda has so far denied that any of its data was successfully exfiltrated, claiming in a statement provided to the magazine Popular Mechanics that the suspected ransomware attack had not presented any evidence of loss of personally identifiable information.
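The domain check Callow describes above is a useful detection hook for defenders: a ransomware sample that gates its execution on resolving an internal hostname has to ask the corporate resolver for that name first, so a sudden burst of lookups for that name from many endpoints is a signal worth alerting on. The following script is an added example, not code from the article, Emsisoft, or Honda. It parses constructed BIND-style query-log lines (the log layout and the client addresses are assumptions) and returns which clients looked up the watched name; mds.honda.com is the only value taken from the article.

```python
import re
from collections import defaultdict

# Watchlist of internal hostnames whose resolution should be rare. The name
# mds.honda.com comes from the article; treating it as a watchlist entry is
# this example's assumption.
WATCHED_DOMAINS = {"mds.honda.com"}

# Assumed BIND query-log layout, with optional "@0x..." client handle and the
# optional "(qname)" that newer versions print before the colon.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return a dict with ts/client/qname/qtype for a query-log line, else None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the queried name: drop the trailing dot and lowercase it.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def is_watched(qname, watched=WATCHED_DOMAINS):
    """True if qname is a watched name or a subdomain of one."""
    return qname in watched or any(qname.endswith("." + w) for w in watched)


def find_watchlist_lookups(lines, watched=WATCHED_DOMAINS):
    """Map client IP -> list of watched names that client tried to resolve."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue
        if is_watched(rec["qname"], watched):
            hits[rec["client"]].append(rec["qname"])
    return dict(hits)


def clients_to_triage(lines, watched=WATCHED_DOMAINS):
    """Sorted list of client IPs that should be isolated and examined first."""
    return sorted(find_watchlist_lookups(lines, watched))


# Constructed sample log: two endpoints resolve the watched name, one line is
# in the newer BIND format, one is unrelated traffic, one is unparseable.
SAMPLE_LOG = [
    "08-Jun-2020 09:12:01.123 client 10.20.30.40#51234: query: mds.honda.com IN A + (10.0.0.53)",
    "08-Jun-2020 09:12:03.456 client 10.20.30.40#51235: query: www.example.com IN A + (10.0.0.53)",
    "08-Jun-2020 09:12:04.789 client @0x7f1a2b3c4d50 10.20.31.7#40211 (mds.honda.com): "
    "query: mds.honda.com. IN A + (10.0.0.53)",
    "08-Jun-2020 09:12:05.001 client 10.20.32.9#40000: query: update.example.net IN AAAA + (10.0.0.53)",
    "this line is not a query-log record",
]

if __name__ == "__main__":
    for client, names in find_watchlist_lookups(SAMPLE_LOG).items():
        print(f"{client} resolved watched name(s): {', '.join(names)}")
```

In practice the watchlist would be fed from threat intelligence on the specific sample, and the resolver itself should answer the watched name with NXDOMAIN or a sinkhole address so that the malware's own check fails on every host that asks; the query log then doubles as an inventory of which endpoints need attention.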

Lessons to be learned in segmentation and preparedness

Honda is by no means the first corporation in recent months to feel the pinch of a ransomware attack. According to a May 2020 survey by cybersecurity firm Sophos, 51% of organizations suffered a ransomware attack over the past twelve months, with cybercriminals managing to encrypt company data in 73% of these cases.

According to Oz Alashe, chief executive at cyber risk firm CybSafe, the recent surge in remote working following the outbreak of COVID-19 has only further exacerbated the grim trend, with Honda possibly having been uniquely vulnerable to Snake due to a part of their workforce operating from home.

“It’s possible that this attack was connected to teleworking,” noted Alashe. “The coronavirus pandemic has created a sizable remote workforce which has increased businesses’ attack surfaces and heightened existing vulnerabilities. Organizations of all sizes should prioritize and adapt their cyber security strategies to reflect how their employees now work,” he said.

Alashe added that, despite the company’s best efforts, it is likely that Honda will have trouble making a swift recovery from the incident. “Honda’s global operations have already been disrupted, and while some systems appear to be back online, it’s likely that rolling back up to full operations will take some time,” he said.

“This attack comes at a challenging moment for the automaker, with the business already facing added financial pressure from coronavirus and reduced demand for its goods,” added Alashe.

Chris Kennedy, CISO at AttackIQ, largely agrees that the scale of the operational disruption could come to have a significant impact on Honda, adding that he believes the company should pay closer attention to segmenting its networks going forward.

“The fact that the ransomware affected global operations, inclusive of factory operations, is an indicator their network may not be segmented and isolated in a way to prevent ‘jumps’ between different business functions,” explained Kennedy, pointing out that manufacturers tend to “isolate the technology systems that build stuff to protect them from attacks like this”.

“One department getting hit with ransomware should not impact other core business processes,” he added.
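Kennedy's point above, that a network should be segmented so that a compromise in one business function cannot "jump" to another, is something a defender can test against their own flow records rather than take on faith. The script below is an added example, not code from the article, AttackIQ, or Honda: it defines constructed zones (office, engineering, plant OT) and an explicit allowlist of cross-zone flows, then checks constructed connection records against it and reports every cross-zone connection the policy does not permit. All address ranges, ports and zone names are assumptions for illustration.

```python
import ipaddress

# Constructed zones for the example; none of these ranges is Honda's topology.
ZONES = {
    "corp_office": ipaddress.ip_network("10.10.0.0/16"),
    "engineering": ipaddress.ip_network("10.20.0.0/16"),
    "plant_ot": ipaddress.ip_network("10.200.0.0/16"),
}

# The only cross-zone flows the policy permits: (src_zone, dst_zone, dst_port).
# Everything else that crosses a zone boundary is a violation. The single
# entry (engineering -> plant OT over 443) is an assumed example of a brokered
# path, not a recommendation for any particular product.
ALLOWED = {
    ("engineering", "plant_ot", 443),
}

# Ports that, when crossing into the OT zone, deserve a louder alert because
# they are commonly used for lateral movement (SMB, RDP). Assumed list.
HIGH_RISK_PORTS = {445, 3389}


def zone_of(ip):
    """Return the zone name containing ip, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flows(flows, allowed=ALLOWED):
    """flows: iterable of (src_ip, dst_ip, dst_port, proto).

    Returns a list of violation dicts for cross-zone flows not in the allowlist.
    Intra-zone flows are out of scope for a segmentation check and are skipped.
    """
    violations = []
    for src, dst, port, proto in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, port) in allowed:
            continue
        violations.append({
            "src": src, "dst": dst, "port": port, "proto": proto,
            "from": src_zone, "to": dst_zone,
            "severity": "high" if port in HIGH_RISK_PORTS and dst_zone == "plant_ot" else "medium",
        })
    return violations


# Constructed flow records (src, dst, dst_port, proto), e.g. from NetFlow export.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.200.1.10", 445, "tcp"),   # office -> plant OT over SMB: violation
    ("10.20.8.4", "10.200.1.10", 443, "tcp"),    # engineering -> plant OT over 443: allowed
    ("10.10.5.23", "10.10.7.9", 445, "tcp"),     # office -> office: intra-zone, skipped
    ("10.200.1.10", "10.10.5.23", 3389, "tcp"),  # plant OT -> office over RDP: violation
    ("10.20.8.4", "10.10.5.23", 8443, "tcp"),    # engineering -> office: violation
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"[{v['severity']}] {v['from']} -> {v['to']}: "
              f"{v['src']} -> {v['dst']}:{v['port']}/{v['proto']}")
```

Running this regularly over real flow data turns "our network is segmented" into a measurable claim: any violation is either a firewall rule that does not match the written policy or a policy that has drifted from how the business actually works, and both are worth fixing before an incident exercises the gap.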


Ultimately, according to Kennedy, the growing threat posed by ransomware should be matched by an equal response from companies in ensuring their sound risk management and cybersecurity preparedness. “Ransomware is a tremendously growing threat. More powerful variants and strains are constantly emerging, and there are more capabilities for it to be remotely (and confidentially) managed,” explained Kennedy. “The best way to defend against ransomware is readiness and timely response.”