Disruptive cyber attack hits Honda

Honda manufacturing plants in the United States, United Kingdom, Japan and Turkey went offline following a disruptive cyber attack. The cyber attack impacted computer server access, email use and other internal systems at the Japanese automaker’s facilities.

“Honda can confirm that a cyber-attack has taken place on the Honda network,” the company said in a statement. “There is also an impact on production systems outside of Japan. Work is being undertaken to minimise the impact and to restore full functionality of production, sales and development activities.”

In addition to manufacturing, the cyber attack also impacted other operations within the company.

“At this time Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable. We are working to resolve the issue as quickly as possible. We apologize for the inconvenience and thank you for your patience and understanding.”

According to Honda, there is currently no evidence to suggest the disruptive cyber attack resulted in the loss of personally identifiable information.

“Sometimes it takes a cyber-attack like the Honda ransomware attack to realize that companies do not have the proper experience, training or preparation to prevent or minimize damage,” says Debbie Gordon, CEO of Cloud Range Cyber. “While no information was breached at this point in time, it highlights the importance of training to thwart breaches. With plenty of data and sensitive information in their databases, every minute matters to detect and remediate breaches and speed is the difference between a minimal breach or one that will devastate a company and its users forever.”

According to a report by Malwarebytes Labs, the disruptive cyber attack on Honda could be linked to the EKANS/SNAKE ransomware family. The ransomware has also been linked to another cyber attack targeting energy company ENEL earlier this week.

“On June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT. When we started looking at the code, we found several artefacts that corroborate this possibility,” Malwarebytes’ threat intelligence team wrote in a post. “We tested the ransomware samples publicly available in our lab by creating a fake internal server that would respond to the DNS query made by the malware code with the same IP address it expected. We then ran the sample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for businesses.”

The Malwarebytes team found mentions of a network named “mds.honda.com.”  The detected payload was named “Ransom.Ekans.”

“Ransomware gangs have shown no mercy, even in this period of dealing with a pandemic,” Malwarebytes wrote. “They continue to target big companies in order to extort large sums of money.”

The EKANS ransomware was first discovered by cybersecurity company Dragos earlier this year. Dragos initially learned of the new ransomware on January 6. While some have linked the ransomware to Iran, Dragos did not find evidence of any such link.

“While investigating EKANS, Dragos observed a list of processes associated with industrial control system operations (ICS),” Dragos wrote in a report. “The malware was designed to terminate the named processes on victim machines. This is notable for EKANS because while ransomware has previously victimized ICS environments, prior events all feature IT-focused ransomware that spreads into control system environments by way of enterprise mechanisms. [4] Otherwise, ICS-specific ransomware has mostly included either academic proof of concepts or marketing stunts representing the corpus of activity.”

Rebecca Addison

Industrial Cyber Editor. Rebecca Addison is a former newspaper editor with a decade of experience in the media industry. During her career, she has interviewed world leaders and corporate CEOs, and covered topics ranging from blockchain and CBD to healthcare and education.