Honda Hackers May Have Used Tools Favored by Countries

A computer virus hit the Japanese automaker Honda this week, disrupting its internal computer networks, forcing it to shut factories across the globe and leaving employees cut off from email or internal servers.

While Honda has declined to name the attackers or the tools they used, cybersecurity analysts said that the attack appears to have been carried out by software designed to attack the control systems for a wide variety of industrial facilities like factories and power plants. Such cyberweapons previously were only known to have been used by state agents.

In the hands of criminals, the tools could be used not just to steal data or disrupt business operations but to bring factories to a grinding halt or switch off power grids.

Previous assaults on Japanese corporations have been aimed at disrupting communications, or stealing or holding data hostage, according to Masahiro Shimomura, head of the Japan Network Security Association.

“This is a real advancement,” he said. “The ability to infect process controls, in other words, the production line, that means it’s quite advanced.”

In a statement, Honda said it canceled production at most North American plants on Monday, resumed production at some on Tuesday and had all of them running again by Thursday. The virus also halted work at Honda factories in Brazil, India and Turkey. The company said it had so far found no evidence of a loss of personally identifiable information.

Emails sent by Honda to American auto dealers said that the virus had affected the American Honda Finance Corporation, which was unable to “answer calls, fund contracts, provide payoff quotes or service customer accounts.” A system that automatically orders parts for dealers was also suspended, and dealers were unable to submit new warranty claims, the emails said.

On Friday, Misako Saka, a spokeswoman for Honda, said that the company had “almost entirely recovered.”

Production at the company’s factories “was temporarily paused to ensure safety,” she said, adding that the company reopened the last factory, located in Ohio, on Thursday morning.

The attack was identified Monday morning in Japan, when employees could not open their email or files, she said, adding that the virus had “penetrated an internal server and then spread.”

The company ordered employees not to turn on corporate computers and temporarily shut factories to assess the extent of the damage.

The cybersecurity firm Malwarebytes and other analysts said that the tool used in the attack was most likely a relatively new variety of ransomware meant to disrupt industrial systems, in addition to the standard practice of encrypting files.

The most famous example of a virus that targets industrial controls is Stuxnet, which was jointly developed by Israel and the United States and used to destroy over 1,000 centrifuges used in Iran’s uranium enrichment program.

The attack on Honda, Malwarebytes wrote in a recent blog post, was probably carried out using a variation on a group of programs called Snake — also known as Ekans, or snake spelled backward — which was identified in December.

The company based its assessment on information posted to an online repository. Attempts to run the code in the company’s lab showed that it was specifically aimed at Honda’s internal networks, Malwarebytes wrote.

Although Honda has declined to specify how the virus entered its networks, speculation has centered around a possible breach related to remote working policies put in place after the beginning of the coronavirus pandemic.

A system that gives employees remote access to internal networks may have opened an opportunity for hackers to introduce the virus, Malwarebytes wrote.

Neal E. Boudette contributed reporting.
