ICS Attacks in Japan
Japan is well known internationally as a peaceful, well
organized society where citizens obey the law and are compliant with rules
across different governmental institutions. Spite of some internal problems
like ageing society, sinking birthrate and now the economic consequences of the
ongoing Covid-19 pandemic, Japan has done a great job into keeping its society
under very traditional structures. Examples of how Japan is keeping parts of
their society traditional is the banking system which continue using passbooks
in order to allow the users to have records of their transactions, the
existence of paper based processes in the governmental and private sector, the
use of Hanko (a personal stamp used for personal/business/public documents),
etc. In that traditional environment, the use of credit cards and other electronic
payment methods have been introduced in the recent quinquennium without bumps
in the road, like the loss of customer’s money to hackers from the Seven-Eleven
Payment System 7Pay [1].
One of the factors that contribute to have such slow adoptions of electronic
payment systems, for example, is the false sensation of security when it comes
to transactions due to the image of safety society that Japan shows to the
world [2].
It is also well known that Japanese organizations have been
impacted due to different information security attacks during the last decade,
being the ones that generated a great deal of media attention: the leaked of
12.6 million personal records in 2016, the previously mentioned 7Pay, etc. [3].
In addition to the dramatic increase in number of attacks
due to the Covid-19 Pandemic, Japan has the same problem as other G7 countries,
shortage of Cyber Security, which is projected to be around 193,000
professionals in 2020 and increasing due to Covid-19 is pushing companies to
move their business online [4, 5, 6,
7].
With this increased in Security attacks, also attacks that
are directed to Industrial Control Systems (ICS) have increased dramatically as
well [8].
It is interesting to note that Japan has
its own story of Security attacks against Industrial Control Systems (ICS),
although not as abundant as US or Europe. The main officially reported
incidents were (until 2017) [9]:
Year: 2005
Case Summary: Leak of atomic power plant’s confidential
information via file sharing software.
Cause: Malware infection of an employee’s home PC storing
confidential information.
Year: 2006
Case Summary: Leak of thermal power plant’s confidential
information via file sharing software.
Cause: Malware infection of an employee’s home PC storing
confidential information.
Recently, the attack against Honda’s factories indicates a
new level of attack where the kinetic impact on the target was considerable [10]. IT related
consequences of the attack payload were: employees were not able to use
internal systems, inability to access servers, and inability to use email;
while the kinetic impact of this attack was associated to halt operations in
Honda’s factories located in Japan, UK, Turkey, USA and Italy [10, 11].
While there is no conclusions from the internal investigation on the attack,
Honda had RDP accessible server facing the internet, which based on the
analysis of Malwarebytes, there is clear evidence this could have been the
attack vector used in order to compromise Honda’s IT infrastructure and cause
economic losses as a potential collateral damage by the EKANS ransomware [12, 13].
Figure 1. Function responsible for performing DNS query [12]
Here are two important differences between the attack to
Honda and the one to Enel:
While the ransom email is the same in both cases, here are
two important differences between the attack to Honda and the one to Enel [12]:
Honda
Resolving internal domain: mds.honda.com
Exposed RDP: /AGL632956.jpn.mds.honda.com
Enel
Resolving internal domain: enelint.global
Exposed RDP: /IT000001429258.enelint.global
Interestingly enough, the same EKANS ransomware is also responsible for the attack against Edesur S.A., a company who belongs to Enel an Argentinian Electric Company, which could prove that Industrial Control Systems (ICS) became one of its main targets [12, 13, 14].
Additional screenshots of the RDP access to the specific Honda
and ENEL publicly accessible servers can be found here: https://twitter.com/1ZRR4H/status/1270066266137559042?s=20
Conclusions:
- Japan false sensation of secured information (which comes
from the false Japanese society’s sensation of security) needs to be updated in
the near future in order to improve the methods and controls used to secure
information across different organizations
- Attacks are increasing in general during the Covid-19
period, not only against company information but also against Industrial
Control Systems (ICS)
- Reasons of the Honda and Enel attacks could vary from
specific business purposes to attempts to disrupt normal operations in those specific
targets
- Ransomware campaigns are still having great impact in organizations
around the world, the more complex the organization is (with large number of
assets) the more important is to have multi layer controls in place and a well-tested
DR environment
- As the same as Stuxnet, EKANS is the newest member of a
small family of highly targeted attacks against ICS infrastructure where
specific entry points or payloads strategies are embedded in the malicious code
- EKANS differentiate itself from other ICS targeted attacks
in using a more common entry points as RDP in order to deliver the malicious
payload in the impacted machine/network
- The attack against Honda represents (based on officially
reported information) the first large size ICS attack against a Japanese
automaker
- Previous ICS related attacks against Japanese organizations
were infections in company endpoints connected to user’s home internet
connection
- Attacks originated in not secure home network environments against
not-well managed or BYOD devices will increase due to ongoing Covid-19 Pandemic
and the new Working from Home (WFH) company strategy
- Japanese organizations, of all sizes and business niches,
need to see the opportunities available in their organizations to improve
security methods and controls
References
[1] Another 7pay system defect left personal data of users exposed The Asahi Shimbun
[2] Four firms with links to Japan's Defence Ministry hacked - The Straits Times
[3] 12.6 million cases of personal information leaked in Japan in 2016, survey shows - Japan Times
[4] What the Data Is Telling Us About the Current Rise in Security Threats During the COVID-19 Pandemic
[5] Cyber Security Talent Shortage in Japan - Accenture Security
[6] 71% of Security Pros See Threats Jump Since COVID-19 Outbreak - Dark Reading
[7] Addressing the Cyber Security Talent Gap - Dennis Ludena
[8] Critical infrastructure cyber attacks on the rise - EET Asia
[9] An Analysis of the Actual Status of Recent Cyberattacks
on Critical Infrastructures, NEC, Matsuo Noguchi, and Hirofumi Ueda, NEC
Security Research Laboratory, NEC Technical Journal, Vol. 2, 2017
[10] Honda's global operations hit by cyber-attack - BBC News
[11] ICS Threat Snake Ransomware Suspected in Honda Attack - Dark Reading
[12] Honda and Enel impacted by cyber attack suspected to be ransomware - Malwarebytes Labs
[13] EKANS Ransomware and ICS Operations - Dragos
[14] Edesur Argentina - Twitter
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)