Toyota Parts Supplier Denso Confirms Ransomware AttackInvestigations Ongoing, But Operations Reportedly Not Affected
Automotive technology and parts supplier Denso has confirmed to ISMG that it fell victim to a ransomware attack last week. Investigations are ongoing. The company has not disclosed details of the ransom demanded or the operator behind the attack, but the independent dark web monitoring platform DarkTracer says the attack is the work of the Pandora ransomware group.
A spokesperson for Denso tells ISMG that a "group company in Germany’s network was illegally accessed by a third party on March 10, 2022, and yes, it was a ransomware attack." Denso, a supplier to and formerly part of the Japanese Toyota Group auto manufacturer, says it has informed all respective law enforcement departments and a specialized cybersecurity agency to further investigate the incident.
A company statement says, "After detecting the unauthorized access, Denso promptly cut off the network connection of devices that received unauthorized access and confirmed that there is no impact on other DENSO facilities."
A Denso spokesperson told ISMG, "There is no interruption to production activities and we keep operating all our plants as usual. We [could] do this because we transferred the operation which is impacted by this incident to other Denso sites. We are investigating which data was impacted by this incident. We cannot say any further details about it."
DarkTracer Claims Pandora Group Is Responsible
Although the Denso spokesperson declined to disclose details about the ransomware operators, an independent deep and dark web online monitoring platform called DarkTracer tweeted that the Pandora ransomware group has claimed responsibility for the attack and is set to release the data publicly on Wednesday if its demands are not met.
[ALERT] Pandora gang has announced "DENSO" on the victim list. pic.twitter.com/kh9wzGV1io— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) March 13, 2022
The Pandora group claims to have 1.4TB of data, consisting of more than 157,000 pieces of information, including purchase orders and technical drawings. In response to these claims, the Denso spokesperson clarified that the company cannot disclose the name of the third party and/or comment on their demand topics because of the impact it could have on the investigation.
DarkTracer has also shared an indicator of compromise of the Pandora ransomware group that it says has not just attacked Denso, but also many other major Japanese companies.
This is a IoC of Pandora ransomware, which attacked major Japanese companies.— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) March 14, 2022
DarkTracer did not immediately respond to ISMG's request to identify the other targeted organizations in Japan, but a live ransomware monitoring service provider platform DarkFeed, has listed Japan's known silicon wafer manufacturer Global Wafers Japan in its list of those targeted by the Pandora group on Saturday.
Global Wafers Japan has not yet responded to ISMG's request for a comment regarding these claims.
Not the First Time
According to an earlier report from local Japanese news agency The Asahi Shimbun, Denso's Mexico unit was the target of a ransomware attack by a group called Rook in December 2021. Rook claimed to have stolen 1.1TB of data from Denso, including the personally identifiable information of Denso's Mexican plant workers.
The news agency cited a source from Denso saying that around 20 computers used in the Mexico plant that were connected to an old network were breached. But all important data required for continuity of business operations at that plant had already been transferred to a new computer network, which helped Denso resume its Mexican plant operations by Jan. 3, 2022.
No information on the payment of a ransom was recorded from Denso at that time, but a posting on Rook's site disappeared on Jan. 4 - a day after the operations resumed in Mexico, the news agency says.
Toyota's Suppliers Under the Radar
Toyota Motor Corp., one of the largest automobile manufacturers in Japan, has long been on the radar of ransomware operators, but primarily via its third-party supply chain providers. On Feb. 28, another third-party supplier and a manufacturing partner of Toyota - Kojima Industries Corp., - suffered a cyberattack that forced Toyota to suspend its operations at all of its 28 manufacturing lines in Japan on March 1, 2022 (see: Update: Toyota to Resume Ops After Cyberattack Scare).
The suspension of services from Toyota and its subsidiaries affected the manufacturing of around 10,000 cars, which is 5% of Toyota's monthly output in Japan.