Honda has been the victim of a cyberattack that some experts are attributing to the SNAKE ransomware crime group.
In a statement shared with BBC News on Tuesday, Honda confirmed that “a cyber-attack has taken place on the Honda network,” affecting its ability to access its own computer servers, use email, and otherwise use its own internal systems. The company also said that work at its plant in Swindon in the UK has stopped, while operations in North America, Turkey, Italy, and Japan have been suspended.
A follow-up statement shared with TechRepublic late Tuesday provided further details, specifically for operations in the United States.
“Honda has experienced a cyberattack that has affected production operations at some US plants,” the statement read. “However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.”
A tweet posted by Honda on Monday and pinned to its page states that “at this time Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable.” In response to the tweet, customers have been saying that they’re unable to phone the company via its Hondalink services, use the Hondalink app, sign into the Honda Financial Services website, or otherwise make changes to their accounts or service.
In its statement to the BBC, Honda added that “work is being undertaken to minimize the impact and to restore full functionality of production, sales, and development activities.”
Production had resumed at most of the affected plants by Tuesday, a Honda spokesperson told Reuters, but the main plant in Ohio, as well as those in Turkey, India, and Brazil remained suspended.
Honda has been mum about the exact nature of the attack. But several news reports and security experts believe it to be a ransomware attack, specifically one by the SNAKE ransomware, also known as EKANS. First spotted last December, SNAKE was built for use against Windows systems in industrial environments and specifically targets industrial control systems (ICS), encrypting sensitive files.
“This attack appears to be a ransomware attack associated with the SNAKE cybercrime group as samples of the malware check for an internal system name and public IP addresses related to Honda have surfaced publicly on the internet,” Chris Clements, VP of Solution Architecture for Cerberus Sentinel, told TechRepublic. “The malware exits immediately if associations with Honda are not detected. This strongly implies that this was a targeted attack rather than a case of cybercriminals spraying out ransomware indiscriminately.”
Further clues also point to a campaign that’s been lying in wait for the right moment to launch.
“More concerning is that the SNAKE ransomware team has historically attempted to exfiltrate sensitive information before encrypting their victim’s computers,” Clements added. “This, combined with the targeted nature of the malware’s ‘pre-checks,’ indicates that the attackers likely had access to Honda’s internal systems for some time before launching the ransomware’s encryption functions. Without confirmation from the SNAKE group or Honda, it is impossible to say how long the attackers were present or what sensitive data they may have been able to steal.”
The ransomware’s goal of affecting industrial control systems explains why Honda was targeted.
“EKANS [a variant of SNAKE ransomware] has been around since December 2019; it has Industrial Control System-specific functionality to not only perform the straightforward ransomware attack of encrypting information, but also to stop a number of processes necessary for industrial operations by including a ‘kill list,’” Michael Roytman, chief data scientist at Kenna Security, told TechRepublic. “The processes affected can be found here. Ultimately this may cause a production lockdown for Honda and is not the first time the automaker has been targeted. This ICS specificity is somewhat new in the ransomware world, although variants of the SNAKE malware family have been around for some time, and mitigations exist on the detection side.”
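As an added illustration of the detection-side mitigation Roytman alludes to (example code written for this article, not Kenna Security's, Honda's or the real EKANS process list): a small Python hunting check that flags a host which stops several watched industrial processes within one minute, the burst pattern a kill list produces. The host names, process names and telemetry lines are constructed.

```python
# Added example: hunt for "kill list" bursts in constructed endpoint telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed names standing in for HMI/historian software a kill list would
# target; the actual EKANS process list is not reproduced here.
WATCHED = {"hmi_runtime.exe", "historian_svc.exe", "plc_bridge.exe", "scada_view.exe"}

# Constructed telemetry lines: "<ISO timestamp> <host> <event> <image>"
SAMPLE_LOG = """\
2020-06-08T03:14:02 plant-eng-07 process_terminated notepad.exe
2020-06-08T03:14:05 plant-eng-07 process_terminated hmi_runtime.exe
2020-06-08T03:14:05 plant-eng-07 process_terminated historian_svc.exe
2020-06-08T03:14:06 plant-eng-07 process_terminated plc_bridge.exe
2020-06-08T03:14:07 plant-eng-07 process_terminated scada_view.exe
2020-06-08T03:30:00 plant-eng-12 process_terminated hmi_runtime.exe
2020-06-08T09:12:44 plant-eng-12 process_terminated historian_svc.exe
"""

def parse(log):
    """Turn telemetry lines into (timestamp, host, image) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, event, image = line.split()
        if event == "process_terminated":
            events.append((datetime.fromisoformat(ts), host, image.lower()))
    return events

def find_kill_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {host: set(images)} for hosts that stopped >= threshold distinct
    watched processes within `window`; isolated single stops are ignored."""
    per_host = defaultdict(list)
    for ts, host, image in events:
        if image in WATCHED:
            per_host[host].append((ts, image))
    hits = {}
    for host, evs in per_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # sliding window anchored on each watched stop
            seen = {img for ts, img in evs[i:] if ts - start <= window}
            if len(seen) >= threshold:
                hits[host] = seen
                break
    return hits

if __name__ == "__main__":
    for host, imgs in find_kill_bursts(parse(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {len(imgs)} watched processes stopped: {sorted(imgs)}")
```

The two stops on plant-eng-12 hours apart stay below the threshold, so only the burst on plant-eng-07 is reported.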
If Honda is indeed a victim of ransomware, then the company seemingly failed to employ the necessary security measures to mitigate the attack ahead of time.
“The ransomware’s infection vector is a question of vulnerability management,” Roytman said. “Prioritizing and remediating the right vulnerabilities and using machine learning to predict possible exploitation before the attacks are happening is one way to stay ahead of attackers and ensure this kind of compromise is less likely.”
Still, Honda may have been caught on a tightrope between trying to provide the necessary access and trying to implement the right security.
“A well-known information security best practice is isolating any internet-accessible servers into a DMZ network that has extremely limited access to any other networks in an organization to prevent widespread damage in the event a single system is compromised,” Clements said. “Honda’s statement that an internal server was externally attacked could mean that they did not take this step to prevent an attacker propagating to other areas of the organization. Unfortunately, many applications that organizations rely on are often not architected to support this level of segmentation, so it’s possible that Honda had few other options in exposing their internal network to the internet.”