What Caused The Ransomware Attack On Toyota? Experts Insight

Toyota, the world’s largest carmaker, has halted production at all of its plants in Japan after a ransomware attack on a key supplier. This marks another major enterprise casualty as hackers continue to see rising success with ransomware attacks.

Experts Comments

March 09, 2022
Mark Sangster
Principal Evangelist and VP Industry Security Strategies
eSentire

Supply-chain risk continues to threaten businesses. The attacks on SolarWinds Orion (2020), Kaseya (2021) and the plethora of exploitations of vulnerabilities in Microsoft, Citrix, Cisco, etc. demonstrate that criminals know how to exploit supply chain and IT infrastructure as a key strategy in their cybercrime campaigns.

More broad supply chain attacks use age-old military tactics: attack the weakest point. Going after small(er) supply chain participants makes for a softer target and easier access to the larger players upstream in the ecosystem, as we’ve most recently seen in the case of Toyota and one of their key suppliers, Kojima Industries, who was hit by a ransomware attack. Coupled with Covid-caused supply shortages and just-in-time methods, disabling a key part of a supply chain can be extremely costly for the major player or anchor in the chain. (As a result, Toyota suspended operations of 28 lines at 14 plants in Japan.)

While attacks on IT infrastructure cause widespread effects, much like critical infrastructure, IT offers another advantage to criminals. Poisoning source code or using administrative tools to deliver malicious payloads reduces the risk of detection. Zero days are costly to develop. Targeting one company protects the criminal’s investment. And once the well is poisoned, criminals have access to the downstream customers and a large addressable market to target with their malware and likely ransomware attacks.

Companies that are prepared for such an eventuality tend to fare better. For example, fundamental security controls like multifactor authentication, least privilege policies, keeping systems patched and updated, and segmentation of factory floor (operational) and IT systems greatly increase the chance of detecting suspicious activity before it becomes business disrupting. That said, it’s always wise to prepare by developing and testing an incident response plan and keeping an incident response firm on retainer in case of a devastating attack; this can reduce downtime and lost revenue and can lead to quicker and less costly recovery times.

March 07, 2022
Steve Tcherchian
CISO, XYPRO, Chief Product Officer
XYPRO

The Toyota breach highlighted that no company is off limits. At first, Toyota might seem like a highly secure environment that would not likely be a target but impacting operations to a global company like Toyota can have catastrophic impact to the supply chain. If Toyota cannot purchase, receive, deliver and service product, a large part of the economy would come to a halt. Most of the public information says this ransomware isn’t damaging and Toyota is still investigating the impact. All Toyota is saying right now is no customer data was hacked.

 
Typically, in situations like this, “No customer data hacked” will put the public at ease. Unfortunately, for a company that size with worldwide operations, that thread can be pulled to reveal a lot more.

It's unknown how long the perpetrators were embedded in Toyota’s network. The average time to detect a breach is currently at 200+ days. Assuming with that much time on Toyota’s network and systems, a lot of damage could have been done in terms of compromising company and employee data. Given the tight privacy regulations in Japan, this could make for an interesting next few weeks. Watching this one very closely.

March 10, 2022
Chuck Lewis
Senior Cyber Security Specialist
Sentient Digital, Inc.

Ransomware attacks might seem more likely to happen to smaller companies not prepared for cyber attacks. However, when a ransomware attack on a key supplier recently interrupted Toyota’s operations, it reminds us that even the largest companies can fall victim to attacks like these, directly or indirectly. While many businesses may choose to pay off the ransom in this situation, it is important to bear in mind that often not all data is restored even when a ransom is paid. A better approach is to focus on preventing ransomware attacks and minimizing their potential impact.


This attack, among many others, illustrates the importance of taking the necessary precautions, no matter how big or small the business. Training employees to recognize threats, regularly backing up data offline, and having a regularly updated cyber security plan in place are some of the steps that any business can take to lessen the risk of damage from a cyber attack.

March 10, 2022
Frances Zelazny
Co-Founder and CEO
Anonybit

The Toyota breach is yet another casualty amid a surge of ransomware attacks in the past year. Any type of cyberattack can be highly detrimental to an organization's success and can easily throw off production plans, as demonstrated by the shutdown of 14 Toyota plants in Japan. This not only has an impact on the company, but the greater auto supply chain ecosystem as well, which is already facing disruption.

It is important to consider how ransomware happens in the first place - either through stolen credentials or via phishing. Both these mechanisms point to the need for improved authentication mechanisms that ensure that people are who they claim to be when they access corporate networks. Device authentication, passwords and tokens are simply not enough. Today’s security posture should be based on zero trust, and strong identity management is at the core of that. 

This attack is further evidence that no organization is safe and greater attention to increased privacy and security is imperative.

March 08, 2022
Bruce Dahlgren
Chief Executive Officer (CEO)
MetricStream

Toyota has reported that it was likely a victim of “some kind of a cyber-attack” as a result of a “supplier system failure.”

It’s unfortunate that so many manufacturers have been repeatedly hit with supply-chain issues from disruptions because of the pandemic, the Suez Canal fiasco, and now cyber-attacks. There’s no doubt that third-party risks can have significant impact on business performance.

While just-in-time manufacturing with parts that arrive from suppliers going straight to production is industry leading, it can also leave an organization at greater risk with no stockpile to rely on.

March 04, 2022
Nick Tausek
Security Solutions Architect
Swimlane

This cyberattack on Toyota supplier Kojima Industries demonstrates just how easily the impacts of a cyberattack can spread beyond the initial target. In this case, Toyota has been forced to shut down the operations of 28 production lines across 14 plants in Japan, which will result in a projected 5% drop in Toyota’s monthly Japan production, the equivalent of roughly 13,000 units.

To prevent cyberattacks such as the one on Kojima Industries from further disrupting the supply chain and halting crucial production processes, enterprises must ensure cybersecurity practices remain top-of-mind. Leveraging low-code security automation is a proactive way for companies to secure IT systems and mitigate outside threats. Multi-faceted cybersecurity platforms that streamline and centralize detection, response and investigation protocols allow for comprehensive, top-notch protection without the chance of human error. With these systems in place, security-related tasks can be carried out in a reliable and organized manner, ultimately keeping crucial businesses and their correlating establishments up and running without disruption.

March 02, 2022
Tim Wallen
Regional Director
LogPoint UK&I

The reports of Toyota, the world’s largest car manufacturer, having to shut down 14 factories and 28 production lines for an entire day due to a cyberattack serves as a warning in these volatile times. While the manufacture of cars is not necessarily critical to societies, it’s a warning of how cyberattacks can influence ‘in real life’, not limited to leaks of digital information or systems being held for ransom. When production lines are halted, and workers have to stay at home, we have to carefully consider whether we have done enough to protect our digital infrastructures. With some 180,000 people employed directly in automotive manufacturing in the UK and in excess of 864,000 across the wider automotive industry, this is a crucial industry to protect.

 
The attack on Toyota also serves as a reminder that global industries are entirely dependent on a very long and potentially vulnerable supply chain to deliver components just-in-time. It is not enough for Toyota to have high cyber security standards; manufacturers also have to ensure that their supply base adheres to the same standards to secure the chain. The Emotet malware string suspected to be the cause of the Toyota breakdown, possibly through a sub-supplier, is a tricky piece of malware. But it has been around for years, and its signature is well-known to cybersecurity teams. While it’s constantly evolving, it can be detected and fought off using the right SIEM and SOAR tools.
 

Production lines everywhere, particularly in the automotive industry, are increasingly connected through IoT devices to ERP systems like SAP, often left out of the cybersecurity infrastructure. A gap in systems and teams separates them, you may say. These business-critical applications must not be forgotten and should be included in the overall cybersecurity infrastructure. In the UK, the automotive industry has an annual revenue of almost £80 billion and a £15 billion value to the UK economy. Any industry leader should take a good look at the connection between production lines, IoT devices, and ERP systems, and make sure security is not caught in the gap.

March 01, 2022
Danielle Jablanski
OT Security Strategist
Nozomi Networks

This incident highlights a single point of failure for business interruption resulting in a loss of production. It is also an example of a major cyber risk for ‘Just-In-Time’ manufacturing. Toyota has thwarted direct attacks in the past, but the difficulty in securing entire supply chains from multiple vendors is a wider and more daunting task. 

Supply chain attacks are on the mind of governments, think tanks, and standards bodies looking for ways to address things like open-source software after the SolarWinds attack, and device vulnerabilities throughout the manufacturing industry.

At the same time, we see the number of suppliers for some critical hardware components across manufacturing continue to decrease. There is no easy fix to this complexity, and we will likely continue to see similar incidents.

March 01, 2022
Shane Curran
CEO
Evervault

Toyota's reaction to a cyberattack on its supplier shows that no matter how secure a company is, it’s still possible for determined hackers to break into a supply chain partner, three or four levels removed from your own organisation. That's why you need to be securing your data, not just your network.

Companies should seriously consider how strong their encryption is and whether they’re inadvertently storing information in a way that makes it easy for hackers to access sensitive information, not just about themselves but their partners and customers.

March 01, 2022
Jamie Moles
Senior Technical Manager
ExtraHop

Even the largest organisations like Toyota can and are falling victim to cyberattacks - but what does this mean for businesses with smaller security budgets?

Having complete transparency in the supply chain will allow for immediate detection and isolation of the infected area. The attack on Toyota’s parts supplier Kojima, and Toyota’s reliance on a ‘Just-in-time’ supply chain for its parts, forced 28 lines at 14 different plants to be suspended, detrimentally affecting the whole supply chain system. Having a quick response will allow identification of where the threat actor entered so developers can mitigate risk and, if possible, patch vulnerable code.

Realistically it’s not possible to stop every single attack. Preventing criminals from entering the network is still important but IT security needs a plan for when an attack or intrusion does happen to catch determined threats as quickly as possible before too much damage is done. 

March 15, 2022
Garret F. Grajek
CEO
YouAttest

Supplier attacks are real - and affect not just the supplier but the full chain of customers. Attackers and ransomware agents know this and extort accordingly. The attack on the Japanese supplier Denso follows a halt to Toyota production in February for a separate ransomware attack. Attackers are constantly scanning all our systems - both critical infrastructure, manufacturers and governments - especially the ransomware attackers. They see money in these vulnerable systems. Patching usually cannot address the vulnerabilities fast enough - thus the mitigation falls to new methodologies like zero trust and real time identity governance to identify anomalous and suspicious identity behaviors.

March 15, 2022
Tom Garrubba
Senior Director and CISO
Shared Assessments

As this is the second of Toyota’s suppliers to be targeted by threat actors, perhaps it’s time for Toyota to reevaluate its once lauded strategy and RESCUE (REinforce Supply Chain Under Emergency) supply chain database system – which identifies parts and vulnerability information of over 650,000 supplier sites – to perhaps consider evaluating third party risk due diligence with respect to strong cyber hygiene.

For years, many manufacturers have focused on the availability of those products and services that feed into the outsourcer’s own end-product, however, the outsourcer often fails to assess key resilience controls such as security and recoverability of critical systems and processes that allow the product or service to be provided by the supplier. Failure to do so can bring about disruptions with often disastrous results to financial and reputational loss for both outsourcer and supplier.

March 02, 2022
Jake Moore
Cybersecurity Specialist
ESET

As cybercriminals become more competent and brazen, larger firms are increasingly targeted and compromised with no sign of slowing down. This particular attack highlights once again the magnitude and power such attackers have on being able to bring a company of this size to a standstill with relatively little effort. Supply chain attacks remain a thorn in the side of many businesses and more remains to be seen in clearing up such widespread disruption.

March 01, 2022
Jamie Akhtar
CEO and Co-founder
CyberSmart

It's unwise to speculate on the origins of this attack at the moment. But regardless of who is behind it, heavily automated manufacturers like Toyota are enticing targets for any cybercriminal - state actor or otherwise. 

They offer the opportunity to cause widespread supply-chain chaos and the potential for large ransoms. Even without the current developments in Ukraine, we're seeing more and more of these kinds of attacks on manufacturers.

March 01, 2022
Hank Schless
Senior Manager, Security Solutions
Lookout

Both the software supply chain and the physical supply chain have frequently made headlines in the last couple of years. 

  • This incident exemplifies how intertwined the two are, and how a successful attack on the software supply chain can have negative effects on the output of physical goods produced. 
  • If an attacker wants to disrupt operations of a particular organisation, targeting resources higher up the supply chain can have rippling effects. 

Without much detail around the attack, it’s difficult to pinpoint what could have been done to help prevent it. 

  • An organisation like Toyota has a massive infrastructure with countless access points, which means attackers have a handful of avenues they can exploit to gain unauthorised access to apps and data. 
  • Everything is so interconnected, especially when it comes to cloud apps, that successful entry into a seemingly tangential resource could actually give an attacker a backstage pass to more valuable parts of the infrastructure. 
  • It’s critical to know how every user and device interacts with data stored in cloud-based, on-premises, and private apps. 
    • Understanding anomalous behaviour across these resources will help organisations proactively identify and mitigate the risk of unauthorised access that could lead to advanced attacks like ransomware or data exfiltration.

March 01, 2022
Chris Hauk
Consumer Privacy Champion
Pixel Privacy

We can expect to see an increase of cyber attacks in the near future, as more countries and companies join in condemning and sanctioning Russia, following the country's invasion of Ukraine. Cyber warfare will become commonplace, as it allows countries and organisations to lash out without the need for traditional warfare. Corporate and government IT departments need to stay aware of possible attacks, while keeping their employees and customers informed about any such attacks and how best to avoid them.

March 01, 2022
Sam Curry
Chief Security Officer
Cybereason

Hackers long ago realised the value in attacking the supply chain, and SolarWinds and Kaseya were wake up calls for many organisations to improve security hygiene and resiliency in the face of an onslaught of attacks. Overall, the supply chain has become the path of least resistance.

Recent global supply chain attacks have been part of cyber espionage campaigns from nation-state adversaries. We will continue to see an increase in cybercriminals adopting the strategy. Companies that act as suppliers or providers need to be more vigilant, and all organisations need to be aware of the potential risk posed from the companies they trust.

For suppliers, please get good at risk dialogues with the business. Prepare in peacetime, limit the blast radius for if and when an attack strikes home, deploy anti-ransomware tools, get strong detection and response capability, ensure that patch management is a priority across the organisation, use behavioural tools to monitor the entire environment, get good at incident response, and practice and drill together in IT and in the business, not just in the purely cyber world.

March 01, 2022
Willy Leichter
CMO
LogicHub

While it's too soon to know for certain about the origin of the Toyota attack, there is every reason to be extremely vigilant and expect Russian-sponsored attacks. 

Here's what we do know: Russian hacker groups have been responsible for a wide range of attacks globally, and have been attacking Ukrainian infrastructure for years. They've also used advanced attacks globally, such as NotPetya, and SolarWinds to plant untold numbers of backdoors in government and business networks. 

We have to assume that a large number of these backdoors have not yet been discovered and are waiting to be exploited. We should also assume the precursors to the next attack are already inside our networks and defend accordingly. 

This is the real test of zero-trust security - can we detect illicit activity across networks, cloud apps, databases, and third-party API links that have already bypassed traditional perimeter defenses?
