Car in garage of auto repair service shop showing ransomware attack on Japan automotive supplier

Japanese Automotive Suppliers Targeted as Denso Suffers Pandora Ransomware Attack and Bridgestone Compromised by LockBit

The world’s second-largest automotive supplier Denso Corporation reported that it was a victim of a ransomware attack.

The company said hackers accessed its subsidiary’s network in Germany on March 10, 2022. The impacted company, Denso Automotive Deutschland GmbH, handles engineering and sales in the country.

In a statement posted on March 14, the Toyota supplier apologized to its customers for any inconveniences caused after it disconnected the illegally accessed devices to minimize impact.

The group company added that it engaged cyber forensics experts to analyze the security incident.

Denso is a Fortune 500 company supplying automotive components for Toyota, Ford, Honda, Mercedes-Benz, Volvo, Fiat, and General Motors. With over 200 subsidiaries worldwide and 168,391 employees, the company made $44.6 billion in revenue in 2021.

Denso confirms a ransomware attack on a German subsidiary

The automotive supplier confirmed the ransomware attack adding that the incident would not interrupt its activities and all facilities would remain operational.

According to a statement posted online, Denso promptly responded by shutting down computers after detecting unauthorized third-party access to its network.

“After detecting the unauthorized access, DENSO promptly cut off the network connection of devices that received unauthorized access and confirmed that there is no impact on other DENSO facilities.”

Additionally, the automotive supplier engaged external security advisors to investigate and understand the incident.

Denso had also reported the ransomware attack to local investigative authorities and promised to harden its cyber defenses to prevent another incident.

It’s unclear how the hackers accessed the company’s network. However, a security researcher claims to have warned the automotive supplier about alleged stolen credentials being auctioned on the dark web.

The ransomware attack is the second to hit the company, according to the Asahi Shimbun news agency. In December 2021, Denso suffered a Rook ransomware attack in Mexico, leaking 1.1 terabytes of data.

Pandora leaks data stolen from Japanese automotive supplier Denso

A new ransomware gang Pandora took responsibility for the Denso ransomware attack, according to the DarkTracer web monitoring group.

Additionally, Pandora threatened to leak the automotive supplier’s trade secrets and transaction information, including invoices, purchase orders, automotive parts technical diagrams, and emails on its data leak site. The ransomware group claims to have stolen 1.4TB of data from the automotive supplier during the ransomware attack last week.

Darktracer suggests that Denso has compromised other organizations in Japan. Other potential victims in Japan include Global Wafers, according to DarkFeed.

Though relatively new, cybersecurity experts believe that Pandora is the rebranding of the Rook ransomware gang. Google’s virus detection platform VirusTotal detects Pandora as Rook, derived from Babuk ransomware, based on leaked source code.

The group appends a ‘.pandora’ extension to encrypted files after a successful ransomware attack. Additionally, it leaves a ‘Restore_My_Files.txt’ file on every encrypted directory. The text file contains an email and instructions to recover encrypted files.

Is the Japanese automotive industry under attack?

The Denso ransomware attack occurred hot on the heels of another compromise on a Japanese automotive supplier Bridgestone.

Bridgestone said third-party unauthorized access affected its computers in the Americas on Feb 27, prompting it to shut down the computer network and production at its factories in North and Middle America.

“Out of an abundance of caution, we disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact,” Bridgestone told news outlets.

Subsequently, LockBit 2.0 ransomware group took responsibility for the ransomware attack. LockBit is notorious for demanding huge ransoms. The group reportedly demanded a $10 million ransom after the Accenture security incident.

Similarly, Japanese automotive components supplier Kojima Industries was hit by a ransomware attack in February. The incident forced production suspension for a day at Toyota’s 14 facilities, reducing the automaker’s production by 5% or 13,000 units.

The Japanese auto industry, specifically Toyota Motor Corp., seems to be the target of recent ransomware attacks targeting third-party suppliers in an already strained supply chain.

Tom Garrubba, VP at Shared Assessments believes that manufacturers should reassess their security controls in the era of third-party supply chain attacks.

“As this is the second of Toyota’s suppliers to be targeted by threat actors, perhaps it’s time for Toyota to reevaluate its once lauded strategy and RESCUE (REinforce Supply Chain Under Emergency) supply chain database system – which identifies parts and vulnerability information of over 650,000 supplier sites – to perhaps consider evaluating third-party risk due diligence with respect to strong cyber hygiene,” said Garrubba.

Japan’s National Police Agency reported 12,275 cyber-related incidents in 2021, mostly targeting the country’s manufacturing industry.

Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, said that it was not enough for organizations to focus on their own cybersecurity without considering interconnected businesses.

“This attack highlights how important it is that all of an organization’s business units are equally prepared to fend off a cyberattack,” Clements said. “Cybercriminals will always exploit the weakest link, and in today’s interconnected networks can do significant damage from compromising even a small business unit.”