Cyber attack on Honda: new tactics aimed at the center of the internal network
June 15 18:43

When an expert analyzed a malicious program that may have been used in the cyber attack on car manufacturer Honda, it turned out to be a new type of attack that pinpoints the center of Honda's internal network and makes data unusable all at once.

Due to a cyber attack from the outside, Honda's internal network broke down on the 8th of this month, temporarily affecting shipments and production at domestic and overseas factories.

Information security company Mitsui Bussan Secure Direction analyzed the malware that seems to be related to this attack.

As a result, the malware turned out to be "ransomware," which encrypts data without permission and demands money to restore it, and a special variant that operated only on computers on Honda's internal network.

Unlike conventional ransomware, it used a new method: it pinpointed the central server that manages the internal network, changed security settings to block communication with the outside, and then encrypted data all at once.

The threatening message demanding money was reportedly set up to be displayed only on the central server.

Mr. Takashi Yoshikawa of Mitsui Bussan Secure Direction, who performed the analysis, said, "Normally, the more central a server is, the stricter its security and the harder it is to intrude, but this time it seems that Honda was targeted after repeated reconnaissance," and pointed to the need for vigilance in other organizations as well.

Honda "Refrains from revealing tricks"

Regarding this, Honda commented, "We are investigating the cause of cyber attacks, but we will refrain from releasing detailed attack methods from the viewpoint of security."

Great impact on Honda production etc.

This cyber attack on Honda had a major impact, including employees' PCs becoming temporarily unusable and production being suspended at nine overseas factories.

According to Honda, due to the cyber attack from the outside, from around 9 am on the 8th of this month it became impossible to exchange emails via the in-house network, and abnormalities appeared, such as screens going black on PCs that seemed to be infected with a virus.

The company decided to restrict access to its network to investigate the cause, and sent notifications to all business and private smartphones by email or automated voice message through the emergency contact network used in the event of a disaster.

As a measure against the new coronavirus, many employees were working from home and were unable to use their PCs, so on September 9 the company took the unusual step of encouraging employees to take paid leave.

Also, at domestic factories, the system that registers information when cars are inspected before shipping was affected, and shipments were temporarily suspended at some of the three plants that manufacture cars.

In addition, production was suspended at nine overseas plants to check system safety and restore malfunctioning systems; of these, the main plant in Ohio, USA, stopped production for three days, until the 10th of this month.

According to Honda's internal investigation, the virus appears to have spread to the internal network after a server was attacked from the outside, and large-scale infection has been confirmed on the PCs of employees who accessed the server at a specific time.

On the other hand, no leakage of personal information or development information of employees or customers has been confirmed so far.

What is "malware"?

"Malware" is a coined word that combines the English words "malicious" and "software"; it covers not only computer viruses but also various other types, such as spyware.

Difficult analysis

This malware was posted anonymously to a website used by security professionals on the same day this month that the cyber attack on Honda came to light, and it reportedly contains content suggesting a link to the attack on Honda.

Analysis is in progress all over the world, but it is proving difficult even for security experts.

According to Takashi Yoshikawa of Mitsui Bussan Secure Direction, this malware is written in a programming language that is difficult to analyze, and it checks whether it is connected to Honda's internal network so that it does not run on other computers.

The aim seems to be to hinder investigation from outside the company; Mr. Yoshikawa succeeded in the analysis by preparing a special environment that reproduces Honda's internal network.

This malware is a kind of ransomware called "SNAKE," and it shares that family's characteristics, such as adding the word "EKANS" ("SNAKE" spelled backwards) to the end of the file name when it encrypts data without permission.

On the other hand, several modifications appear to be specialized for attacking Honda: the malware had new functions that aim to infiltrate the central server, change security settings without authorization, and cut off communication so that the attack is not disturbed from the outside.

Also, whereas conventional ransomware displays a threatening message demanding money to restore data on each terminal, this time the message was set to be displayed only on the central server that handles authentication information and the like.

The threatening message was written in English, with text such as "We applied military-grade encryption to documents, databases, photos, etc. You can decrypt the code by purchasing a key."

For this reason, the malware appears to have been designed on the assumption that the central server could be compromised, and Mr. Yoshikawa points out, "I think the attackers may have made thorough preparations by intruding into the internal network beforehand."

Evolving "ransomware" attacks

“Ransomware” is a type of malware used in cyber attacks, and “ransom” is the English word for ransom.

It demands money in exchange for restoration after, for example, encrypting the data stored on a personal computer without permission.

Usually, it gets onto the victim's computer through an email attachment and displays a message on the screen demanding money; damage has been conspicuous in Japan since 2015.

In 2017, ransomware called "WannaCry" spread all over the world, causing damage not only to Nissan Motor and Hitachi, but also to Honda and others.

Recently, it has been pointed out that "scattershot" attacks aimed at an unspecified large number of targets have decreased as security measures have progressed, while "targeted" attacks, which investigate the victim's system in advance and strike with pinpoint precision, are increasing, and that even Japanese companies may suffer large-scale damage in the future.

Cyber risk increases with the new coronavirus

As opportunities to access the workplace network from outside, such as through telework, have increased under the influence of the new coronavirus, the threat of cyber attacks aimed at companies is increasing.

Frequent targets are "remote desktop" systems, which are often used in teleworking to operate a PC from home, and cloud servers used for sharing files.

On the Internet, multiple login screens for accessing such systems have been confirmed to be publicly exposed, and some of them belong to Japanese companies.

If such a screen is open to the public, IDs and passwords can be tried by brute force, and if unauthorized access succeeds, internal information may be stolen or malware planted.

Takashi Yoshikawa of Mitsui Bussan Secure Direction said, "I don't know what triggered the attack on Honda this time, but there seem to be cases where server management is weak at companies that hurriedly began teleworking due to the new coronavirus, and measures need to be taken."