Toyota supplier Denso, Bridgestone Americas targeted in ransomware attacks

Ransomware attackers have breached networks at the German business unit of Toyota supplier Denso, though production and business activities were not affected. There have also been reports of the LockBit ransomware gang having targeted tire manufacturer Bridgestone Americas. These attackers have access to ‘information from a limited number of Bridgestone systems,’ and threaten to leak all data stolen from the company if the ransom amount is not paid.

The Denso attack is the second confirmed cyber incident against a Toyota supplier in the last fortnight. In the latest attack, hackers targeted operations at Denso Automotive Deutschland GmbH after gaining unauthorized access using ransomware, marking the latest in a series of cyber attacks and potential disruptions for the giant carmaker.

A Denso spokesperson told news agency Reuters that it detected unauthorized access using ransomware at Denso Automotive Deutschland on Thursday local time. The group handles sales and engineering in Germany.

The alleged cybercrime group Pandora released a statement on Sunday saying it had stolen classified information from Denso and will release it on the dark web. The group also said it had more than 157,000 purchase orders, emails, and sketches, or 1.4 terabytes worth of data, said Japan’s public broadcaster NHK, quoting Mitsui Bussan Secure Directions, an information security firm.

The Denso spokesperson declined to confirm the NHK report but said production and business activities had not been affected at this point.

Denso is a large automotive supplier of technology and components found across most vehicles around the globe, including those from Toyota, Honda, FCA, General Motors, Ford, Volvo, and Mercedes-Benz. It has over 24,000 associates in North America, working towards innovating and advancing the future of connected cars, automated drive, shared mobility, and electrification.

Japanese automaker Toyota recently discontinued operations at its domestic plants for a day, following a ‘system failure’ at one of its domestic suppliers brought about by a suspected cyberattack. At present, there are no known reports of disruption to Toyota operations and production units. However, given the nature of supply chain attacks, it cannot be ruled out that Toyota is being targeted.

Toyota has “maintained woeful basic security for over 18 months as our evidence shows,” Andrew Jenkinson, group chief executive officer at Cybersec Innovation Partners, recently said. “The Third-Party supplier may have suffered an attack as a consequence of Toyota’s own security incompetence and basic security negligence,” he added.

The Bridgestone cyber attack came to light in late February and has affected around 50 production facilities and 55,000 employees. “Out of an abundance of caution, we disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact,” Bridgestone said in a media statement at the time.

“We have determined this incident to be the result of a ransomware attack. We have no evidence this was a targeted attack,” Bridgestone said in a statement released on Friday. “Unfortunately, ransomware attacks similar to this one are increasing in sophistication and affecting thousands of organizations of all sizes. As part of our investigation, we have learned that the threat actor has followed a pattern of behavior common to attacks of this type by removing information from a limited number of Bridgestone systems and threatening to make this information public,” it added.

Industrial cybersecurity vendor Nozomi Networks said last month in its semi-annual OT/IoT Security Report covering the second half of 2021 that cybercrime continued to increase in the last six months of the year, as threats from ransomware groups and supply chain attacks dominated the headlines with the most impact and operational disruption. The report also found that ransomware groups and attacks continued to make headlines and cause operational disruption, with supply chain attacks providing an opportunity to spread damage quickly.

The Federal Bureau of Investigation (FBI) had warned last month that LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits.

The federal agency also said that after compromising a victim network, LockBit 2.0 actors use publicly available tools such as Mimikatz to escalate privileges. “The threat actors then use both publicly available and custom tools to exfiltrate data followed by encryption using the Lockbit malware. The actors always leave a ransom note in each affected directory within victim systems, which provides instructions on how to obtain the decryption software. The ransom note also threatens to leak exfiltrated victim data on the LockBit 2.0 leak site and demands a ransom to avoid these actions,” it added.
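As an added example (not from the FBI warning or the original article), the following Python flags any file name created in many distinct directories within a short window, which is the footprint of a note being left in each affected directory. The event format, the thresholds and every file name and path below are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed thresholds; tune them to the file server being monitored.
MIN_DIRS = 4
WINDOW = timedelta(minutes=5)

# Constructed file-creation events: (ISO timestamp, full path).
SAMPLE_EVENTS = [
    ("2022-01-10T02:10:01", "/srv/share/finance/PLACEHOLDER-NOTE.txt"),
    ("2022-01-10T02:10:03", "/srv/share/hr/PLACEHOLDER-NOTE.txt"),
    ("2022-01-10T02:10:04", "/srv/share/eng/PLACEHOLDER-NOTE.txt"),
    ("2022-01-10T02:10:06", "/srv/share/eng/cad/PLACEHOLDER-NOTE.txt"),
    ("2022-01-10T02:10:09", "/srv/share/ops/PLACEHOLDER-NOTE.txt"),
    # Benign: same name in many directories, but spread over days.
    ("2022-01-01T09:00:00", "/srv/share/finance/README.md"),
    ("2022-01-03T09:00:00", "/srv/share/hr/README.md"),
    ("2022-01-05T09:00:00", "/srv/share/eng/README.md"),
    ("2022-01-07T09:00:00", "/srv/share/ops/README.md"),
    # Benign: same name at the same time, but only two directories.
    ("2022-01-10T02:10:02", "/srv/share/finance/report.docx"),
    ("2022-01-10T02:10:05", "/srv/share/hr/report.docx"),
]


def find_note_candidates(events, min_dirs=MIN_DIRS, window=WINDOW):
    """Return {file name: sorted directories} for every name created in at
    least min_dirs distinct directories inside one sliding time window."""
    by_name = defaultdict(list)
    for ts, path in events:
        p = PurePosixPath(path)
        by_name[p.name.lower()].append((datetime.fromisoformat(ts), str(p.parent)))

    hits = {}
    for name, seen in by_name.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Shrink the window until it spans no more than `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            dirs = {d for _, d in seen[start:end + 1]}
            if len(dirs) >= min_dirs:
                hits[name] = sorted(dirs)
                break
    return hits


if __name__ == "__main__":
    for name, dirs in find_note_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT {name}: created in {len(dirs)} directories")
```

A hit at this stage means encryption is likely already under way, so the check is better suited to triggering containment and scoping the affected directories than to prevention.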