Saturday, July 4, 2020

ICS Attacks in Japan

Japan is well known internationally as a peaceful, well-organized society where citizens obey the law and comply with the rules of its various governmental institutions. In spite of some internal problems such as an ageing society, a sinking birthrate and now the economic consequences of the ongoing Covid-19 pandemic, Japan has done a great job of keeping its society within very traditional structures. Examples of how Japan keeps parts of its society traditional are the banking system, which continues to use passbooks so that customers have a record of their transactions, the persistence of paper-based processes in the governmental and private sectors, the use of the Hanko (a personal stamp used for personal, business and public documents), etc. In that traditional environment, credit cards and other electronic payment methods have been introduced over the last five years, not without bumps in the road, such as the loss of customers’ money to hackers from the Seven-Eleven payment system 7Pay [1]. One of the factors contributing to the slow adoption of electronic payment systems, for example, is the false sense of security surrounding transactions that comes from the image of a safe society that Japan shows to the world [2].

It is also well known that Japanese organizations have been hit by a variety of information security attacks during the last decade; the ones that generated the most media attention were the leak of 12.6 million personal records in 2016, the previously mentioned 7Pay incident, etc. [3].

In addition to the dramatic increase in the number of attacks during the Covid-19 pandemic, Japan has the same problem as the other G7 countries: a shortage of cyber security professionals, projected at around 193,000 in 2020 and growing, as Covid-19 pushes companies to move their business online [4, 5, 6, 7].

Along with this increase in security attacks in general, attacks directed at Industrial Control Systems (ICS) have also increased dramatically [8]. It is interesting to note that Japan has its own history of security attacks against Industrial Control Systems (ICS), although not as abundant as in the US or Europe. The main officially reported incidents (up to 2017) were [9]:

Year: 2005
  Case Summary: Leak of an atomic power plant’s confidential information via file sharing software.
  Cause: Malware infection of an employee’s home PC storing the confidential information.

Year: 2006
  Case Summary: Leak of a thermal power plant’s confidential information via file sharing software.
  Cause: Malware infection of an employee’s home PC storing the confidential information.

Recently, the attack against Honda’s factories marked a new level of attack, where the kinetic impact on the target was considerable [10]. The IT-related consequences of the attack payload were that employees could not use internal systems, could not access servers and could not use email, while the kinetic impact was the halt of operations in Honda’s factories in Japan, the UK, Turkey, the USA and Italy [10, 11]. While the internal investigation of the attack has not reached any conclusions, Honda had an RDP-accessible server facing the internet, and based on the analysis by Malwarebytes there is clear evidence that this could have been the attack vector used to compromise Honda’s IT infrastructure, with the economic losses caused by the EKANS ransomware as potential collateral damage [12, 13].

Figure 1. Function responsible for performing DNS query [12]

While the ransom email is the same in both cases, here are two important differences between the attack on Honda and the one on Enel [12]:

Honda
  Resolving internal domain: mds.honda.com
  Exposed RDP: /AGL632956.jpn.mds.honda.com

Enel
  Resolving internal domain: enelint.global
  Exposed RDP: /IT000001429258.enelint.global

Interestingly enough, the same EKANS ransomware is also responsible for the attack against Edesur S.A., an Argentinian electric company belonging to Enel, which could indicate that Industrial Control Systems (ICS) have become one of its main targets [12, 13, 14].
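The "resolving internal domain" rows above are the part of EKANS that makes it targeted: the sample resolves a name that only exists inside the victim's network and, per the analyses cited, proceeds only when the answer matches a hard-coded address, so a public sandbox simply sees the process exit. The following is an added analyst's model of that gate (not code from the page, Malwarebytes or Dragos), written to show why detonation outside the keyed environment reveals nothing and how a controlled resolver changes that; the expected address is a placeholder because the page does not give it.

```python
import socket
from typing import Callable, Optional

# Constructed analyst model of an environment-keyed gate, not the real sample.
TARGET_DOMAIN = "mds.honda.com"   # internal name quoted on the page
EXPECTED_IP = "10.0.0.1"          # PLACEHOLDER: the page does not give the real value

# A resolver maps a name to an IPv4 string, or None for NXDOMAIN/no answer.
Resolver = Callable[[str], Optional[str]]


def environment_matches(resolve: Resolver, domain: str, expected_ip: str) -> bool:
    """True only when `domain` resolves to exactly `expected_ip`.

    No answer, a resolver error, or any other address all count as
    'wrong environment', which is what makes the sample inert elsewhere.
    """
    try:
        answer = resolve(domain)
    except OSError:          # socket.gaierror is a subclass of OSError
        answer = None
    return answer == expected_ip


def run_sample(resolve: Resolver) -> str:
    """What an analyst observes under a given resolver (no payload here)."""
    if not environment_matches(resolve, TARGET_DOMAIN, EXPECTED_IP):
        return "exit-silently"       # public sandbox: harmless process exit
    return "stage-2-reached"         # only inside the keyed environment


# Resolvers representing three analysis situations.
def live_resolver(domain: str) -> Optional[str]:
    """System DNS; an internal-only name returns None from the internet."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None


def wrong_network_resolver(domain: str) -> Optional[str]:
    """Another organisation's split-horizon DNS: name exists, wrong address."""
    return "192.0.2.10"      # constructed, RFC 5737 documentation range


def emulated_target_resolver(domain: str) -> Optional[str]:
    """Analyst's fake DNS that returns the address the sample expects."""
    return EXPECTED_IP if domain == TARGET_DOMAIN else None


if __name__ == "__main__":
    for name, res in [("wrong network", wrong_network_resolver),
                      ("emulated target", emulated_target_resolver)]:
        print(f"{name}: {run_sample(res)}")
```

For sandbox work this is the practical takeaway: point the analysis VM's DNS at a stub that answers the keyed name with the expected address, otherwise the second stage is never exercised.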

Additional screenshots of RDP access to the specific publicly accessible Honda and Enel servers can be found here: https://twitter.com/1ZRR4H/status/1270066266137559042?s=20

Conclusions:

  1. Japan’s false sense of information security (which stems from the Japanese society’s false sense of safety) needs to be corrected in the near future in order to improve the methods and controls used to secure information across different organizations
  2. Attacks are increasing in general during the Covid-19 period, not only against company information but also against Industrial Control Systems (ICS)
  3. The reasons behind the Honda and Enel attacks could range from specific business purposes to attempts to disrupt normal operations at those specific targets
  4. Ransomware campaigns still have a great impact on organizations around the world; the more complex the organization (with a large number of assets), the more important it is to have multi-layer controls in place and a well-tested DR environment
  5. Like Stuxnet, EKANS is the newest member of a small family of highly targeted attacks against ICS infrastructure, where specific entry points or payload strategies are embedded in the malicious code
  6. EKANS differentiates itself from other ICS-targeted attacks by using a more common entry point, RDP, to deliver the malicious payload to the impacted machine/network
  7. The attack against Honda represents (based on officially reported information) the first large-scale ICS attack against a Japanese automaker
  8. Previous ICS-related attacks against Japanese organizations were infections of company endpoints connected to users’ home internet connections
  9. Attacks originating from insecure home network environments against poorly managed or BYOD devices will increase due to the ongoing Covid-19 pandemic and the new Working from Home (WFH) company strategy
  10. Japanese organizations, of all sizes and business niches, need to see the opportunities available in their organizations to improve security methods and controls


References

[1] Another 7pay system defect left personal data of users exposed - The Asahi Shimbun

[2] Four firms with links to Japan's Defence Ministry hacked - The Straits Times

[3] 12.6 million cases of personal information leaked in Japan in 2016, survey shows - Japan Times

[4] What the Data Is Telling Us About the Current Rise in Security Threats During the COVID-19 Pandemic

[5] Cyber Security Talent Shortage in Japan - Accenture Security

[6] 71% of Security Pros See Threats Jump Since COVID-19 Outbreak - Dark Reading

[7] Addressing the Cyber Security Talent Gap - Dennis Ludena

[8] Critical infrastructure cyber attacks on the rise - EET Asia

[9] An Analysis of the Actual Status of Recent Cyberattacks on Critical Infrastructures, NEC, Matsuo Noguchi, and Hirofumi Ueda, NEC Security Research Laboratory, NEC Technical Journal, Vol. 2, 2017

[10] Honda's global operations hit by cyber-attack - BBC News

[11] ICS Threat Snake Ransomware Suspected in Honda Attack - Dark Reading

[12] Honda and Enel impacted by cyber attack suspected to be ransomware - Malwarebytes Labs

[13] EKANS Ransomware and ICS Operations - Dragos

[14] Edesur Argentina - Twitter
