Toyota dealership logo illuminated in the evening against a dark blue sky showing cyber attack impact on supply chain

Toyota’s Supply Chain Cyber Attack Stopped Production, Cutting Down a Third of Its Global Output

Toyota Motor suspended operations in 28 production lines across 14 plants in Japan for at least a day after a key supply chain player was hit by a suspected cyber attack.

The incident affected Toyota’s plastic parts and electronic components supplier Kojima Industries on February 24.

The firm said it discovered a malware infection and a “threatening message” on rebooting after a file error on its server. The nature of events suggests that Kojima Industries was likely a victim of a ransomware attack.

Cyber security experts say the incident highlighted increased supply chain vulnerability to targeted cyber attacks.

Toyota acknowledged supply chain cyber attack that disrupted manufacturing operations

Toyota issued a statement acknowledging a “system failure at a domestic supplier” and subsequent suspension of operations at “all 28 lines at 14 domestic plants” on March 1. The output accounts for a third of global Toyota production, exacerbating the current global supply chain crisis.

However, Toyota promised to make an effort to deliver vehicles as soon as possible by coordinating with its suppliers.

Nikkei Asia reported that “many of the roughly 400 tier 1 suppliers that Toyota deals with directly are connected to the automaker’s kanban just-in-time production control system, which allowed the problems at Kojima Industries to spill over to Toyota.”

Consequently, Toyota halted production to prevent longer-term damage and prioritized inspection and recovery of the system.

Was Russia involved in Toyota’s supply chain cyber attack?

Kojima Industries also acknowledged suffering a “suspected cyber attack” but did not disclose the identity of the perpetrators, although the timing is significant.

Japan had pledged a $100 million emergency aid to Ukraine and approved the blocking of some Russian banks from the SWIFT global payment system.

Japanese Prime Minister Fumio Kishida said his government would investigate the possibility of Russian involvement. However, no evidence currently connects Moscow to the attack.

“Revenge-based cyber attacks are nothing new, but we continue to see nation-state attacks, if indeed Russia is the culprit, gain momentum beyond intellectual property theft to be used to actively disrupt infrastructure and economies,” said Saryu Nayyar, CEO and Founder at Gurucul.

“Russia especially has been at the forefront of using advanced threat tactics and both internal and external threat actors to further its political objectives. However, the reality that organizations face is that Russian interests extend to foreign businesses and they must take steps to improve their threat detection and response programs.”

However, the cyber attack could also be the handiwork of a profit-motivated cybercrime gang. Kojima Industries has not disclosed the contents of the hackers’ message or any ransom demands.

Similarly, the supplier withheld information regarding the malware variant deployed during the attack, although speculations suggest hackers leveraged an Emotet variant.

The Toyota production strategy is vulnerable to supply chain attacks due to dependence on Just-In-Time manufacturing that avoids stockpiling inventory. This strategy is traditionally a big cost-saver but extremely risky in the era of targeted supply chain cyber attacks.

Kojima’s cyber attack slashed Toyota’s global production by a third

Toyota has already warned that the cyber attack would reduce production by 5% or 13,000 units, equivalent to a third of the global output. The cyber attack also affected Hino and Daihatsu Motors.

Craig McDonald, VP of Product Management at BackBox, said the incident demonstrated how a targeted cyber attack could extend beyond its target.

“According to Gartner, IT system downtime causes an average loss of $300,000 per hour,” McDonald said. “Enterprises familiar with and exercising the elements of disaster recovery will be able to drastically decrease this downtime.”

McDonald suggested taking a “complete inventory of all applications, software, and hardware; outlining specific individual responsibilities in the event of a disaster and ensuring those individuals understand their responsibilities.”

He also recommended having alternative communication methods, regularly reviewing these plans, and leveraging network automation to remove complexity from error-prone management tasks.

While Kojima cyber attack did not affect the physical quality of the products, it shut down communication channels preventing crucial production management functions.

Oliver Pinson-Roxburgh, CEO of Bulletproof and Defense.com described the attack as a “textbook case of supply chain attack.” He noted that it was barely enough for businesses to focus on their own cybersecurity without considering every endpoint because 40% of cyber attacks occur indirectly via the supply chain.

Pinson-Roxburgh added that many organizations do not patch critical vulnerabilities on time, exposing third-party suppliers to potential cyber attacks.

“This incident exemplifies how intertwined the two are, and how a successful attack on the software supply chain can have negative effects on the output of physical goods produced,” said Hank Schless, senior security solutions manager and mobile security specialist at Lookout.

Japan is increasingly targeted by state-sponsored and financially-motivated cyber attacks

Koichi Hagiuda, the Minister of Economy, Trade, and Industry of Japan, said the government was monitoring the situation and was worried about small and mid-level contractors. However, government critics point to a lack of a focused approach to protect the country’s critical supply chains.

Japan’s companies are no strangers to state-sponsored or financially-motivated cyber attacks. Honda Motor halted production in June 2020 after experiencing a likely cyber attack. Japanese technology firm Olympus also suffered two successive cyber attacks within a month on its EMEA and Americas segments in 2021.