Japanese auto suppliers targeted as Denso comes under Pandora ransomware attack and Bridgestone is compromised by LockBit
The second largest automotive supplier in the world, Denso Corporation, has announced that it has been the victim of a ransomware attack.
The company said hackers gained access to its subsidiary’s network in Germany on March 10, 2022. The affected company, Denso Automotive Deutschland GmbH, handles engineering and sales in the country.
In a statement released on March 14, the Toyota supplier apologized to its customers for the inconvenience caused after disconnecting illegally accessed devices to minimize the impact.
The group company added that it had hired cybercrime experts to analyze the security incident.
Denso is a Fortune 500 company supplying automotive components for Toyota, Ford, Honda, Mercedes-Benz, Volvo, Fiat and General Motors. With more than 200 subsidiaries worldwide and 168,391 employees, the company achieved sales of $44.6 billion in 2021.
Denso confirms ransomware attack against German subsidiary
The automotive supplier confirmed the ransomware attack, adding that the incident would not interrupt its operations and that all facilities would remain operational.
According to a statement posted online, Denso responded quickly by shutting down computers after detecting unauthorized third-party access to its network.
“After detecting the unauthorized access, DENSO promptly terminated the network connection of devices that received unauthorized access and confirmed that there was no impact to other DENSO facilities.”
Additionally, the automotive supplier has engaged external security advisors to investigate and understand the incident.
Denso had also reported the ransomware attack to local investigative authorities and promised to strengthen its cyber defenses to prevent another incident.
It is not known how the hackers gained access to the company’s network. However, a security researcher claims to have notified the auto supplier that allegedly stolen credentials were being auctioned off on the dark web.
The ransomware attack is the second to hit the company, according to the Asahi Shimbun news agency. In December 2021, Denso suffered a Rook ransomware attack in Mexico, leaking 1.1 terabytes of data.
Pandora leaks data stolen from Japanese automotive supplier Denso
A new ransomware gang, Pandora, has taken responsibility for the Denso ransomware attack, according to the dark web monitoring group DarkTracer.
Additionally, Pandora threatened to release the auto supplier’s trade secrets and transaction information, including invoices, purchase orders, auto parts technical drawings and emails on its data leak site. The ransomware group claims to have stolen 1.4TB of data from the auto supplier during the ransomware attack last week.
DarkTracer suggests that Pandora has compromised other organizations in Japan. According to DarkFeed, other potential victims in Japan include Global Wafers.
Although relatively new, cybersecurity experts believe that Pandora is the rebranding of the Rook ransomware gang. Google’s virus detection platform, VirusTotal, detects Pandora as Rook, a derivative of Babuk ransomware, based on leaked source code.
The group adds a ‘.pandora’ extension to encrypted files after a successful ransomware attack. Additionally, it leaves a ‘Restore_My_Files.txt’ file on each encrypted directory. The text file contains an email and instructions to recover encrypted files.
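The two file-system indicators described above can be used to scope how far encryption spread across a share. The following is an added example, not code from the article or from any vendor; the function names, the sample directory layout and the case-insensitive matching are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Indicators as quoted in the article. Case-insensitive matching is an
# assumption, so that case variants on shared volumes are not missed.
ENCRYPTED_EXT = ".pandora"
RANSOM_NOTE = "restore_my_files.txt"

def scope_pandora_impact(root):
    """Walk `root` and return {directory: stats} for every directory holding
    a ransom note or at least one file with the .pandora extension."""
    hits = defaultdict(lambda: {"note": False, "encrypted": 0, "first_mtime": None})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                hits[dirpath]["note"] = True
            elif lower.endswith(ENCRYPTED_EXT):
                entry = hits[dirpath]
                entry["encrypted"] += 1
                try:
                    mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    continue  # unreadable or vanished file: counted, no timestamp
                # Earliest mtime approximates when encryption reached this directory.
                if entry["first_mtime"] is None or mtime < entry["first_mtime"]:
                    entry["first_mtime"] = mtime
    return dict(hits)

def build_sample_tree():
    """Constructed sample data: a small tree imitating an affected share."""
    root = tempfile.mkdtemp(prefix="pandora_sample_")
    layout = {
        "finance": ["invoice.xlsx.pandora", "po_1001.pdf.pandora", "Restore_My_Files.txt"],
        "drawings": ["bracket.dwg.PANDORA", "RESTORE_MY_FILES.TXT"],
        "clean": ["readme.txt", "pandora_notes.docx"],  # no indicators here
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample\n")
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    for directory, stats in sorted(scope_pandora_impact(sample).items()):
        print(os.path.relpath(directory, sample), stats)
```

Directories that contain the note but no encrypted files, or the reverse, are still reported, which helps spot interrupted encryption runs during triage.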
Is the Japanese auto industry under attack?
The Denso ransomware attack came on the heels of another compromise, this one of Japanese automotive supplier Bridgestone.
Bridgestone said unauthorized third-party access affected its computers in the Americas on February 27, prompting it to shut down the computer network and production at its factories in North and Central America.
“As a precaution, we have disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact,” Bridgestone told media.
Subsequently, the LockBit 2.0 ransomware group took responsibility for the ransomware attack. LockBit is known to demand huge ransoms. The group reportedly demanded a $10 million ransom after the Accenture security incident.
Similarly, Japanese automotive component supplier Kojima Industries was hit by a ransomware attack in February. The incident forced Toyota to suspend production for a day at its 14 plants, cutting the automaker’s production by 5% or 13,000 units.
The Japanese auto industry, particularly Toyota Motor Corp., appears to be the target of recent ransomware attacks targeting third-party vendors in an already strained supply chain.
Tom Garrubba, vice president of Shared Assessments, believes manufacturers should re-evaluate their security controls in the age of third-party supply chain attacks.
“As this is the second Toyota supplier to be targeted by threat actors, it may be time for Toyota to reassess its once-acclaimed strategy and RESCUE supply chain database system (REinforce Supply Chain Under Emergency) – which identifies parts and vulnerability information from over 650,000 supplier sites – to perhaps consider assessing third-party risk due diligence with respect to strong cyber hygiene,” said Garrubba.
Japan’s national police agency reported 12,275 cybersecurity incidents in 2021, mostly targeting the country’s manufacturing industry.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said it’s not enough for organizations to focus on their own cybersecurity without considering interconnected businesses.
“This attack underscores the importance of all business units in an organization being equally prepared to fend off a cyberattack,” Clements said. “Cybercriminals will always exploit the weakest link, and in today’s interconnected networks, they can cause significant damage by compromising even a small business unit.”