Honda Motor Company was forced to halt vehicle production this week after finding WannaCry ransomware in its plant computer network.
Its Sayama Plant in northwest Tokyo has a daily output of roughly 1,000 vehicles, ranging from Accord to Odyssey models, but was closed down on Monday after the ransomware was discovered on Sunday 18 June. While production has today continued, the data breach continues to prove the lasting effects of WannaCry.
A spokesperson told the virus had affected networks across Japan, North America, Europe, China and other regions, despite efforts to secure its systems in mid-May when the virus caused widespread. The WannaCry virus appeared to have found a weakness in the Sayama plants operational systems, which were running Microsoft’s Windows 10 operating system, using a backdoor to enter and usurp systems. Currently, it seems the Sayama plant is the only Honda production facility to be affected.
Security experts have warned after the May attack that other iterations of the worm could soon start affecting systems. Renault and Nissan have similarly been affected by WannaCry last month, causing a halt to production at plants in France, India, Britain and other countries.
Experts spoke to Lee Munson, security researcher for comparitech.com about the Honda cyberattack: "The fact that an organisation the size of Honda has been hit with a ransomware attack is not as surprising as some may think - along with phishing it is among the most common threats - but the fact it is WannaCry is surprising indeed.
"A month after the attack died out, especially after the original kill switch came to light, everyone thought it was dead and buried, so how did Honda become infected in the first place? "It sounds to me as though an external storage device may have been introduced to Honda's network which begs as many questions as to why the company had not immunised itself by deploying the latest operating system patches, all the way back to Windows XP."
"Whatever the answer," Munson continued, "this security breakdown will no doubt prove extremely costly to a manufacturer likely to be feeling highly embarrassed over this incident." Security officials in the UK have claimed the WannaCry ransomware has links to a hacking group that's associated with North Korea. According to a recent report, security officials believe that the Lazarus group launched the attack.
The group has strong links to North Korea, although it is not known who the leadership behind Lazarus is. It is not the first time the hacking organisation has been connected to the ransomware that significantly impacted the NHS. Symantec says it is "confident" the WannaCry ransomware is connected to the Lazarus cybercrime organisation, said to be responsible for the Sony Pictures hack and the theft of millions of dollar from the Bangladesh Central Bank, and has links to North Korea.
"Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry," the company said in a blog post. In particular, Symantec tied the ransomware to the hacking group through a number of similar pieces of code contained within it that were used by the group in the Sony Pictures hack and elsewhere. These include:
Previously, security experts scanned the email networks of those NHS trusts affected and found no evidence the Wanna Decryptor, or WannaCry ransomware, came from staff inadvertently clicking on a dodgy link in an email. The researchers from various security firms including Proofpoint, IBM, and Symantec said they found other phishing emails, not tied to WannaCry, but couldn't determine an email link to the widespread attack.
Proofpoint, which helped stop the spread of the virus, said it was "unlikely" the outbreak was caused by phishing, and Symantec's Candid Wüest believes it was spread through the Windows Server Message Block SMB protocol. This system is used to share files between computers typically on closed networks. If this system is opened to a public network, it can be exploited and once a worm successfully penetrates a network, it can then spread from computer to computer easily. Plus, it would only take one computer to go online for the worm to access the network.
Russia was linked to the attack, but Vladimir Putin denied his country's involvement, blaming the US for creating the hacking software that could exploit the flaw in Microsoft's system instead. "Malware created by intelligence agencies can backfire on its creators," said Putin, speaking at a conference in China before adding that leaders needed to discuss cybersecurity at a "serious political level".
The NHS computer hack is said to have “crept” across the UK earlier this month with reports of the ransomware attack hitting a range of organisations in as many as 99 countries. It then appeared to start slowing down after a security researcher said he "accidentally" hit the kill switch on the ransomware. Writing on the blog @malwaretechblog, Marcus Hutchins registered a domain name used by Wanna Decryptor, or WannaCrypt, and inadvertently killed it. The National
Cyber Security Centre (NCSC) repurposed the blog to spread the message. This was followed by a further statement from the NCSC on Sunday which warned that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware "may come to light, possibly at a significant scale."
Hackers use ransomware to infect a computer or system before holding files hostage until a ransom is paid. It can infect a computer via a trojan, virus or worm. Wanna Decryptor encrypts users files using AES and RSA encryption ciphers meaning the hackers can directly decrypt system files using a unique decryption key. Victims may be sent ransom notes with “instructions” in the form of !Please Read Me!.txt files, linking to ways of contacting the cybercriminals. Wanna Decryptor changes the computer's wallpaper with messages (as seen in tweets from affected NHS sites) asking the victim to download a decryptor from Dropbox. This decryptor demands hundreds in bitcoin to work.
Download SafeUM — communicate privately, without advertising and spam.