Experts Insight On Honda Confirms Its Network Has Been Hit By Cyberattack

Honda has confirmed it has been hit with a cyber attack which has impacted some of its operations, including production systems outside of Japan. “Honda can confirm that a cyber attack has taken place on the Honda network,” a spokesperson said. “We can also confirm that there is no information breach at this point in time”. The company added: “Work is being undertaken to minimize the impact and to restore full functionality of production, sales and development activities. At this point, we see minimal business impact”. The company said it had experienced difficulties accessing servers, email and internal systems and that there was also an impact on production systems outside of Japan. It said its “internal server” was attacked externally and a “virus” had spread – but that it would not disclose any further details for security reasons.

Expert Comments

June 10, 2020
Professor Oleg Kolesnikov
VP of threat research
Securonix
In our experience, one of the things that sets the "snake/ekans" malicious threat actor reportedly involved in the Fresenius ransomware attack apart is a relatively high amount of manual effort/targeting typically involved in the operator placement activity, which can sometimes enable them to have a bigger impact on the victims. With some of the recent attacks observed, it appears that the malicious threat actors are expanding the list of targets. While the attack behaviours used by the malicious ransomware payload itself are fairly trivial, the golang-based payload encryption process, and also the list of processes that are terminated to maximise the ability of the ransomware to encrypt sensitive data and impact the targets, appear to be longer than some of the other ransomware instances observed, and some of the past instances of the malware family also included impacting processes from the ICS/SCADA/OT environments that are often found in large industrial operations, likely the case with the recent Honda breach, which is relatively uncommon for ransomware.
June 10, 2020
Josh Smith
Security Analyst
Nuspire
EKANS (SNAKE) Ransomware was identified around the end of 2019 and while the ransomware itself wasn’t very sophisticated, what made it interesting was that it had additional functionality programmed into it to forcibly stop processes, especially items involving Industrial Control Systems (ICS) operations. A sample of SNAKE was uploaded to VirusTotal from Japan that attempts to connect to mds[.]honda[.]com. This would appear to be an internal domain for Honda. Furthermore, if a DNS request to the internal domain doesn’t resolve, the sample wouldn’t execute. This is similar to the attack on Fresenius, which fell victim to SNAKE, where a DNS query to ads[.]fresenius[.]com resolved to a private IP.
June 10, 2020
Chloé Messdaghi
VP of Strategy
Point3 Security
We’ve all seen global corporations put strong security stacks in place and even so, fall victim to ransomware, and a major take-away is: train and invest in your security team. It’s more important than ever to prevent security team burnout, which can easily happen given talent shortages, skills gaps and the unique pressures the current pandemic is presenting. That’s why many organizations are turning to gamified training platforms to help keep security teams engaged and equipped. The alternative consequences, to the organization and to the CISO, make this a smart investment.
June 11, 2020
Chris Kennedy
CISO and VP of Customer Success
AttackIQ
It appears Honda has suffered a business-crippling SNAKE ransomware attack. The international automotive giant was also impacted by WannaCry in 2017. It’s concerning that Honda seems to not have made significant changes to their security program to address like threats – SNAKE and WannaCry share some principles of effects. This strain of ransomware doesn’t steal data, so Honda customer information likely isn’t at risk, but given Honda’s financial presence, they will likely pay a hefty ransom or hire a third-party incident response team to help with the cleanup. The fact that the ransomware affected global operations, inclusive of factory operations, is an indicator their network may not be segmented and isolated in a way to prevent “jumps” between different business functions. For example, manufacturing organizations usually isolate the technology systems that build stuff to protect them from attacks like this. One department getting hit with ransomware should not impact other core business processes. Ransomware is a tremendously growing threat. More powerful variants and strains are constantly emerging, and there are more capabilities for it to be remotely (and confidentially) managed. The best way to defend against ransomware is readiness and timely response. Cyber threat intelligence should inform what methods a modern ransomware would take and whether your company has a credible defense investment. Enterprises must have a comprehensive network segmentation strategy in place to quarantine an outbreak to a localized facility or business unit. Additionally, organizations should employ advanced solutions that allow security teams to continuously test the effectiveness of their company’s security controls (do I have a credible defense?), as well as exercise an incident response plan that can be emulated when a real threat occurs (could I respond and stop this in a timely manner?).
Not adopting a more proactive approach to security means organizations are just upping their cyber insurance policies and suffering the business impact and reputation damage – but that’s also changing. Cyber insurers are getting wise and increasing premiums for organizations with immature security postures, or are stipulating expectations that certain security capabilities be in place. If companies claim to have a defense, but it does not work, they may not be covered.
June 10, 2020
Chris Clements
VP
Cerberus Sentinel
A well-known information security best practice is isolating any internet-accessible servers into a DMZ network that has extremely limited access to any other networks in an organization, to prevent widespread damage in the event a single system is compromised. Honda’s statement that an internal server was externally attacked could mean that they did not take this step to prevent an attacker propagating to other areas of the organization. Unfortunately, many applications that organizations rely on are often not architected to support this level of segmentation, so it’s possible that Honda had few other options in exposing their internal network to the internet. This attack appears to be a ransomware attack associated with the SNAKE cybercrime group, as samples of malware that check for an internal system name and public IP addresses related to Honda have surfaced publicly on the internet. The malware exits immediately if associations with Honda are not detected. This strongly implies that this was a targeted attack rather than a case of cybercriminals spraying out ransomware indiscriminately. More concerning is that the SNAKE ransomware team has historically attempted to exfiltrate sensitive information before encrypting their victims’ computers. This, combined with the targeted nature of the malware’s “pre-checks”, indicates that the attackers likely had access to Honda’s internal systems for some time before launching the ransomware’s encryption functions. Without confirmation from the SNAKE group or Honda, it is impossible to say how long the attackers were present or what sensitive data they may have been able to steal.
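Both Josh Smith's and Chris Clements's comments above describe the same mechanism: the sample resolves an internal victim hostname and exits if the answer is not what it expects. The script below is an added illustration for this page, written by the editor; it is not code from the original article, from Honda, or from any malware sample, and it reproduces none of the payload's encryption or process-termination behaviour, only the resolve-or-exit decision. The hostname is taken from the comments with the defanging brackets removed; the resolver tables, IP addresses and the "must resolve to an RFC 1918 address" acceptance test are assumptions (the page establishes only that the sample exits when the name does not resolve and that the Fresenius name resolved to a private IP).

```python
"""Model of the DNS-keyed execution gate described in the expert comments.

Added example for this page. NOT the SNAKE/EKANS payload: only the
'resolve an internal victim name, or exit' decision is modelled. All
resolver tables and addresses below are constructed test data.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]

# The commentary writes the name as mds[.]honda[.]com; the brackets are an
# analyst defanging convention and are dropped for an actual lookup.
EXPECTED_NAME = "mds.honda.com"

# RFC 1918 spelled out rather than ipaddress.is_private: is_private also
# returns True for loopback and for IANA documentation ranges such as
# 203.0.113.0/24, which would make a sinkhole answer look "internal".
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(answer: str) -> bool:
    """True if the resolver answer is a syntactically valid RFC 1918 address."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:  # empty string, hostname, garbage
        return False
    return any(ip in net for net in RFC1918)


def system_resolver(name: str) -> Optional[str]:
    """Default resolver: ask the OS stub resolver; None on NXDOMAIN or error."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, socket.herror, UnicodeError):
        return None


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver backed by a constructed name -> IP table."""
    return lambda name: table.get(name.lower().rstrip("."))


def gate_passes(name: str = EXPECTED_NAME,
                resolver: Resolver = system_resolver) -> bool:
    """Pre-check model: proceed only where `name` resolves to an RFC 1918 address.

    Assumption: the real sample's exact acceptance test is not established on
    this page; 'resolves to a private IP' follows the Fresenius observation.
    Three environments fall out of the rule:
      - no answer (sandbox without the victim's split-horizon DNS): fail
      - a public answer (DNS sinkhole / wildcard responder): fail
      - an internal answer (the intended victim network): pass
    """
    answer = resolver(name)
    return answer is not None and is_rfc1918(answer)


# Constructed environments an analyst would compare against.
SANDBOX_NO_DNS = table_resolver({})                                  # NXDOMAIN for everything
SANDBOX_SINKHOLE = table_resolver({EXPECTED_NAME: "203.0.113.10"})   # public/doc-range answer
VICTIM_NETWORK = table_resolver({EXPECTED_NAME: "10.20.30.40"})      # internal split-horizon answer


def gate_report() -> Dict[str, bool]:
    """Evaluate the gate in each constructed environment."""
    return {
        "sandbox_no_dns": gate_passes(resolver=SANDBOX_NO_DNS),
        "sandbox_sinkhole": gate_passes(resolver=SANDBOX_SINKHOLE),
        "victim_network": gate_passes(resolver=VICTIM_NETWORK),
    }


if __name__ == "__main__":
    for env, passed in gate_report().items():
        print(f"{env:18s} -> {'would detonate' if passed else 'exits silently'}")
```

The practical point for analysts is the middle case: a sandbox that sinkholes every name to a public address still fails the gate, so a sample that "does nothing" in an automated service can be fully live against its target. To observe the post-gate behaviour in a lab, the lab resolver has to answer the victim's internal name with an in-range address (or the check has to be patched out); the `table_resolver` stand-in shows what that answer needs to look like.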
June 10, 2020
Patrick Hamilton
Security Evangelist
Lucy Security
Japanese companies are renowned for tight control and shipshape order. Creators of the new Snake ransomware may have one-upped Honda. The ransom note is written in nearly perfect English, rare form for threat actors. The threat uses sophisticated marketing psychology – almost like reading a friendly message from Amazon. How did venomous malware infiltrate such a tightly controlled organization? Probably email – the path of least resistance anywhere. It seems like a stroll through the park and instantly turns into a treacherous swamp.
June 10, 2020
Paul Bischoff
Privacy Advocate
Comparitech
Based on the limited information Honda has released about the attack, this looks like the result of ransomware. Given that many operations are shut down, but no data was stolen, ransomware is the most obvious culprit. Attackers might have tricked a Honda employee into clicking a link that downloaded a ransomware-infected file, for example. If Honda has proper backup systems in place, it should be able to mitigate the effect of the attack and resume operations with minimal downtime. Honda is a huge company, though, so any downtime incurs large losses even if the company chooses not to pay the ransom.
