This post is the second in a series of blog posts written by Roy Seaman, our Percy Hobart Fellowship 2021 fellow from the Royal Marines. We’re calling the series “Posting Roy”.
Honda is arguably one of the most respected and well-known mobility manufacturers in the motor industry. Established in 1948, it is still one of the leading innovators in the industry, consistently at the top of the field across several product lines. Its success is driven by its ability to consistently embrace, develop and integrate the most advanced technologies as a key pillar of its business model. As a by-product of being so innovative and technologically advanced, it has also become a target of cybercriminal activity, because no organisation is infallible.
The Attacks
In 2017, Honda’s Sayama plant near Tokyo was infected by the WannaCry ransomware. A Honda spokesman stated that the infection was limited to several older production line computers, but it still stopped the plant’s production facilities for one day, with 1000 units not being produced.
Put simply, WannaCry ransomware encrypts the files on a PC’s hard drive, making them inaccessible to the user, and demands bitcoin in exchange for decryption. The vulnerability WannaCry exploits lies in the Windows implementation of the Server Message Block (SMB) protocol. “The SMB protocol helps various nodes on a network communicate, and Microsoft's implementation could be tricked by specially crafted packets into executing arbitrary code. Frustratingly, the U.S. National Security Agency discovered this vulnerability and, rather than reporting it to the infosec community, developed code to exploit it, called Eternal Blue. This exploit was in turn stolen by a hacking group known as the Shadow Brokers, who released it obfuscated in a seemingly political Medium post on April 8, 2017. Microsoft itself had discovered the vulnerability a month prior and had released a patch, but many systems remained vulnerable, and WannaCry, which used Eternal Blue to infect computers, began spreading rapidly on May 12. In the wake of the outbreak, Microsoft slammed the U.S. government for not having shared its knowledge of the vulnerability sooner.” (Fruhlinger, 2021). The fact that a patch was already available reiterates the cyber security basic of keeping operating systems updated, and shows why patching needs to be part of standard working processes. It also reiterates the need for a collaborative approach to cybercrime, such as the Cyber Information Sharing Partnership (CISP), and we should also shout out to the cyber security clusters being established around the world, especially those connected with GlobalEPIC such as CyberWales and the Hague Security Delta (HSD).
In 2020, Honda was subjected to another attack, this time by the EKANS (SNAKE) ransomware. It is believed the ransomware attack followed on from a cyber security oversight in 2019, when Shodan, a search engine for internet-connected devices, listed an Elasticsearch database belonging to Honda. The database held 40 GB of inventoried internal machines, including each machine’s hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software. Fast forward to 2020, and Honda had several Remote Desktop Protocol (RDP) endpoints publicly exposed. Insecurely configured RDP is one way in for EKANS; the ransomware is also distributed through spam and malicious attachments, botnets, exploit packs, malicious ads, web injections, fake updates, and repackaged and infected installers.
EKANS is specifically designed to attack industrial control system (ICS) environments: not just individual machines, but the entire ICS network. EKANS removes the computer's Volume Shadow Copies and then kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and so on. The attack affected Honda’s production, sales and development activities and operations around the world.
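The inventory fields listed above (hostname, internal IP, OS version, patches applied, endpoint security status) are exactly the ones a defender should be triaging before anyone else gets to read them. The following is an added example, not code from the original post or from Honda: it ranks a constructed inventory by the basic-hygiene gaps the two incidents turned on (SMB patch missing, endpoint protection off, RDP or Elasticsearch facing the internet). All hostnames, IPs and the `public_ports` field are assumptions; MS17-010 is the real Microsoft bulletin for the SMBv1 fix, the other patch id is a placeholder.

```python
import json

SMB_PATCH = "MS17-010"   # the Windows SMB fix that WannaCry-era machines were missing
# Services that have no business facing the internet (the two exposures in the text).
INTERNET_EXPOSED_PORTS = {3389: "rdp", 9200: "elasticsearch"}

# Constructed inventory records in the shape the text describes (all values placeholders).
INVENTORY = json.loads("""[
 {"hostname": "line3-hmi-02", "internal_ip": "10.20.3.12", "os": "Windows 7",
  "patches": ["KB-PLACEHOLDER-1"], "endpoint_security": "disabled", "public_ports": []},
 {"hostname": "jump-srv-01", "internal_ip": "10.0.5.4", "os": "Windows Server 2016",
  "patches": ["MS17-010"], "endpoint_security": "active", "public_ports": [3389]},
 {"hostname": "asset-db-01", "internal_ip": "10.0.9.8", "os": "Ubuntu 18.04",
  "patches": [], "endpoint_security": "active", "public_ports": [9200]},
 {"hostname": "eng-ws-14", "internal_ip": "10.20.7.31", "os": "Windows 10",
  "patches": ["MS17-010"], "endpoint_security": "active", "public_ports": []}
]""")

def findings(host):
    """Return the basic-hygiene gaps for one inventory record."""
    gaps = []
    if host["os"].startswith("Windows") and SMB_PATCH not in host["patches"]:
        gaps.append("smb-patch-missing")
    if host["endpoint_security"] != "active":
        gaps.append("endpoint-security-" + host["endpoint_security"])
    for port in host["public_ports"]:
        if port in INTERNET_EXPOSED_PORTS:
            gaps.append(INTERNET_EXPOSED_PORTS[port] + "-internet-exposed")
    return gaps

def triage(inventory):
    """Map hostname -> gaps, hosts with the most gaps first; clean hosts are omitted."""
    scored = {h["hostname"]: findings(h) for h in inventory}
    return dict(sorted(((k, v) for k, v in scored.items() if v),
                       key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for name, gaps in triage(INVENTORY).items():
        print(f"{name}: {', '.join(gaps)}")
```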
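The two behaviours just described, shadow copy deletion followed by a wave of process kills, are also what a plant should be watching for. The following is an added example, not code from the original post or from any EKANS analysis: a small detector run over constructed Sysmon-style process-create and process-terminate log lines. The log field layout, hostnames and the watchlist of "plant-critical" process names are all assumptions, not EKANS's real kill list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of plant-critical process names (placeholders, not EKANS's real list).
WATCHLIST = {"scadaserver.exe", "historian.exe", "vmwp.exe", "backupagent.exe"}
KILL_BURST = 3                   # this many watched-process terminations ...
WINDOW = timedelta(seconds=60)   # ... within this window on one host raises an alert

# Constructed sample log: "<iso timestamp>|<event>|<host>|<image path>|<command line>"
SAMPLE_LOG = """\
2020-06-08T03:10:01|ProcessCreate|plc-eng-01|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2020-06-08T03:10:05|ProcessTerminate|plc-eng-01|C:\\SCADA\\scadaserver.exe|
2020-06-08T03:10:06|ProcessTerminate|plc-eng-01|C:\\SCADA\\historian.exe|
2020-06-08T03:10:07|ProcessTerminate|plc-eng-01|C:\\Backup\\backupagent.exe|
2020-06-08T03:15:00|ProcessTerminate|hr-pc-07|C:\\Apps\\browser.exe|
2020-06-08T09:00:00|ProcessCreate|hr-pc-07|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

def parse(line):
    ts, event, host, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "event": event, "host": host,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd.lower()}

def is_shadow_copy_deletion(rec):
    """Rule 1: a command that deletes Volume Shadow Copies (the local backups ransomware wants gone)."""
    c = rec["cmd"]
    return rec["event"] == "ProcessCreate" and (
        ("vssadmin" in c and "delete" in c and "shadows" in c)
        or ("shadowcopy" in c and "delete" in c))

def detect(log_text):
    """Return (host, rule) alerts for the two EKANS-style behaviours, in log order."""
    alerts = []
    kills = defaultdict(list)   # host -> timestamps of recent watched-process terminations
    for line in log_text.splitlines():
        rec = parse(line)
        if is_shadow_copy_deletion(rec):
            alerts.append((rec["host"], "shadow-copy-deletion"))
        if rec["event"] == "ProcessTerminate" and rec["image"] in WATCHLIST:
            # Rule 2: sliding window of kills per host; a burst means the ICS stack is being torn down.
            recent = [t for t in kills[rec["host"]] if rec["ts"] - t <= WINDOW] + [rec["ts"]]
            if len(recent) >= KILL_BURST:
                alerts.append((rec["host"], "watched-process-kill-burst"))
                recent = []          # one alert per burst
            kills[rec["host"]] = recent
    return alerts

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_LOG):
        print(f"ALERT {host}: {rule}")
```

A listing of shadow copies (the last sample line) and a single unrelated termination on another host produce no alert, which is the false-positive behaviour to keep an eye on when tuning `KILL_BURST` and `WINDOW` for a real plant.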
The cyber attacks experienced by Honda appear to come down to lapses in the basics: small gaps in cyber security good practice that gave cyber criminals their way in. It seems the cliché holds that cyber security is founded on the basics. Getting those basics wrong will quickly make redundant any organisation's investment in pricey, sophisticated cyber security infrastructure!
It is safe to say that if Honda had been using Profile to understand the missing elements of its cyber security policies and procedures, or Dot to understand its OT asset landscape and the potential cyber vulnerabilities within it, then it might have averted these cyber attacks and any other as yet undiscovered threats.
References
Fruhlinger, J., 2021. What is WannaCry ransomware, how does it infect, and who was responsible? [online] CSO Online. Available at: https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html [Accessed 17 March 2021].