Parts of Honda’s global operations came to a halt after what appears to be a Snake ransomware attack, the company’s third cyber incident in 12 months.
“At this time Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable,” the company tweeted Monday, confirming later to the BBC “that a cyberattack has taken place on the Honda network" rendering the company unable to access its servers and email among other systems and noting “an impact on production systems outside of Japan.”
The company also said that “work is being undertaken to minimize the impact and to restore full functionality of production, sales and development activities."
“The suspected culprit is the Ekans, or Snake, ransomware, which had been widely reported as actively targeting industrial control systems, such as those used by Honda, as far back as February of this year,” Balbix CTO Vinay Sridhara said.
Snake was fingered after “samples of malware that check for an internal system name and public IP addresses related to Honda…surfaced publicly on the internet,” said Cerberus Sentinel Vice President of Solution Architecture Chris Clements.
“The malware exits immediately if associations with Honda are not detected” which “strongly implies that this was a targeted attack rather than a case of cybercriminals spraying out ransomware indiscriminately,” Clements said. “More concerning is that the SNAKE ransomware team has historically attempted to exfiltrate sensitive information before encrypting their victim’s computers,” which along “with the targeted nature of the malware’s ‘pre-checks’ indicates that the attackers likely had access to Honda’s internal systems for some time before launching the ransomware’s encryption functions.”
Snake may have outwitted Honda. “The ransom note is written in nearly perfect English, rare form for threat actors,” said Patrick Hamilton, cybersecurity evangelist at Lucy Security. “The threat uses sophisticated marketing psychology -- almost like reading a friendly message from Amazon.”
Hamilton believes the “venomous malware” likely infiltrated the “tightly controlled organization” through “email -- the path of least resistance anywhere. It seems like a stroll through the park and instantly turns into a treacherous swamp.”