Honda Ransomware Confirms Findings of Industrial Honeypot Research

Multistage targeted ransomware attacks against critical infrastructure, designed to maximize damage and recovery costs, are increasingly common. An analysis of a honeypot-captured attack demonstrates the three basic stages: intrusion; persistence and lateral movement; and simultaneous detonation on as many systems as possible.


The attack was captured by Cybereason’s 2020 honeypot research. Similar to a 2018 study, the research used a honeypot designed to look like an electricity company with operations in North America and Europe. In 2018, the system was infiltrated with backdoors suggesting the attacker intended to sell access on the dark web. This year the researchers “identified multiple attackers executing ransomware operations involving data theft, the stealing of user credentials, and lateral movement across the victim’s network to compromise as many endpoints as possible.” Combined, the research indicates that cybercriminals are increasingly targeting critical infrastructure companies with increasingly dangerous attacks.

The Cybereason honeypot masqueraded as part of an electricity generation and transmission provider’s network, including IT, OT, and HMI environments. Initial access was gained through exposed remote administration interfaces by brute-forcing an Administrator account. (The report does not indicate the strength of the account password, but a brute-force that succeeds implies that neither MFA nor an effective lockout policy protected the account.)

Through this account, the attackers uploaded a PowerShell script that created a backdoor user account called ‘Admin’. This ensured future access and provided the persistence needed to upload additional attack tools. One of these was Mimikatz, which was used to steal user credentials for lateral movement beyond the initially compromised server. In this instance, that failed because none of the credentials obtained could access the domain controllers. Instead, the attackers used a network scanner to discover additional endpoints. Only after as many endpoints as possible had been found and compromised was the ransomware detonated on all of them simultaneously.
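The two early stages described above, the brute-forced Administrator logon and the ‘Admin’ backdoor account, leave a recognisable trail in the Windows Security log. As an added example, not part of the original article or of Cybereason’s report, the Python below runs two detections over constructed sample event records mimicking an exported log: a run of failed logons (EventID 4625) from one source that ends in a success (4624), and an account creation (4720) followed shortly by that account being added to BUILTIN\Administrators (4732). The event IDs and the Administrators group SID S-1-5-32-544 are real Windows values; the flat record layout, the field names, the sample data and the thresholds are assumptions for the example.

```python
"""Detection logic for the two early intrusion stages, run over constructed
Windows Security event records (not real log data).

Stage 1, brute-forced logon: many EventID 4625 (failed logon) records for
one account from one source, followed by a 4624 (successful logon).
Stage 2, backdoor persistence: EventID 4720 (user account created) followed
by 4732 (member added to a security-enabled local group) where the group is
BUILTIN\\Administrators, SID S-1-5-32-544.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample records. The flat key names (ts, id, user, src, target,
# subject, member, group_sid) are an assumed export format, not the raw
# XML field names Windows uses.
SAMPLE_EVENTS = [
    # six failed Administrator logons from one external address in five minutes
    *[{"ts": f"2020-06-01T02:0{i}:00", "id": 4625,
       "user": "Administrator", "src": "203.0.113.7"} for i in range(6)],
    # ...then the logon succeeds from the same address
    {"ts": "2020-06-01T02:06:00", "id": 4624,
     "user": "Administrator", "src": "203.0.113.7"},
    # a user who mistyped a password twice: below threshold, not flagged
    {"ts": "2020-06-01T08:00:00", "id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"ts": "2020-06-01T08:00:30", "id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"ts": "2020-06-01T08:01:00", "id": 4624, "user": "jsmith", "src": "10.0.0.5"},
    # backdoor account 'Admin' created by the compromised Administrator...
    {"ts": "2020-06-01T02:10:00", "id": 4720,
     "target": "Admin", "subject": "Administrator"},
    # ...and added to local Administrators one minute later
    {"ts": "2020-06-01T02:11:00", "id": 4732,
     "member": "Admin", "group_sid": ADMINISTRATORS_SID},
    # a legitimate service account created by IT and never made an admin
    {"ts": "2020-06-01T10:00:00", "id": 4720,
     "target": "svc_backup", "subject": "ITAdmin"},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return one hit per successful logon that was preceded, within `window`,
    by at least `threshold` failures for the same account from the same source."""
    failures = defaultdict(list)    # (account, source) -> failure timestamps
    hits = []
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["id"] not in (4624, 4625):
            continue
        key = (e["user"].lower(), e["src"])
        t = _ts(e)
        if e["id"] == 4625:
            failures[key].append(t)
            continue
        recent = [f for f in failures[key] if t - f <= window]
        if len(recent) >= threshold:
            hits.append({"user": e["user"], "src": e["src"],
                         "failures": len(recent), "success_ts": e["ts"]})
        failures[key].clear()       # a success resets the counter for this pair
    return hits


def detect_backdoor_admin(events, window=timedelta(hours=1)):
    """Return one hit per account that was created (4720) and then added to
    BUILTIN\\Administrators (4732) within `window`. Assumes the export has
    resolved 4732's MemberName to an account name; raw events often carry the
    member SID instead, which would need a lookup first."""
    created = {}                    # account name -> (created_at, created_by)
    hits = []
    for e in sorted(events, key=lambda r: r["ts"]):
        t = _ts(e)
        if e["id"] == 4720:
            created[e["target"].lower()] = (t, e["subject"])
        elif e["id"] == 4732 and e.get("group_sid") == ADMINISTRATORS_SID:
            name = e["member"].lower()
            if name in created and t - created[name][0] <= window:
                hits.append({"account": e["member"],
                             "created_by": created[name][1],
                             "elevated_ts": e["ts"]})
    return hits


if __name__ == "__main__":
    for hit in detect_brute_force(SAMPLE_EVENTS):
        print("brute-force logon:", hit)
    for hit in detect_backdoor_admin(SAMPLE_EVENTS):
        print("backdoor admin account:", hit)
```

Both rules key on a sequence rather than a single event: a burst of 4625s on its own is noise on any internet-facing RDP host, and a 4720 on its own is routine IT work, but a burst that ends in a 4624 from the same source, or a 4720 that is followed within the hour by a 4732 into Administrators, is the pattern the honeypot recorded. The second rule also catches the honeypot’s ‘Admin’ account because it matches on the group SID rather than the display name, which survives localisation and renaming of the group.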

The report is lacking in many details. It does not name the ransomware or ransomware strains used against the honeypot. It does not indicate how many endpoints may have been compromised. It does not say whether both the IT and OT sides of the environment were compromised. It does not give any indication of the date or duration of the attack or attacks, and there is no mention of a ransom note, nor any details of the ‘data theft’ element of the attacks.

Nevertheless, the basic findings and conclusions from this research are almost certainly accurate. Firstly, critical industries are increasingly being targeted with ransomware; and secondly, attackers are seeking to embed themselves deeply within the victim network in order to maximize the damage done on detonation.

This premise is immediately supported by the news of a major cyberattack against the Japanese automaker Honda this week. It is not, at the time of writing, confirmed to be ransomware; but security researchers are increasingly confident that the SNAKE ransomware is involved. Honda has merely confirmed that “a cyber-attack has taken place on the Honda network,” and “There is also an impact on production systems outside of Japan.”

In fact, production has been suspended at plants in Swindon, UK, and in North America, Turkey, Italy, and Japan. “Snake ransomware,” comments Morgan Wright, chief security advisor at Sentinel One, “is designed to attack industrial control systems networks. The fact that Honda has put production on hold and sent factory workers home points to disruption of their manufacturing systems.”


This supports Cybereason’s conclusion that critical industry manufacturing is now a primary target for ransomware, just as the near-simultaneous shutdown of different plants around the world is consistent with stealthy lateral movement followed by simultaneous detonation for maximum effect.

Honda told Forbes on Wednesday, “Honda has experienced a cyberattack that has affected production operations at some U.S. plants. However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.”

With no detailed explanation of the events from Honda, there is little that can be said with confidence. If it is ransomware, it is a good example of the multi-stage attacks described by Cybereason. For now, we must wait for more details from Honda. The ability to shut multiple plants in multiple countries simultaneously points to extensive attacker dwell time (and, most likely, to plant networks that were reachable from a single compromised corporate domain), which in turn points to sophisticated attackers. The rapid resumption of production ‘in most plants’ points either to effective breach response and recovery capabilities or to payment of a ransom.

Related: Israel Says Hackers Targeted SCADA Systems at Water Facilities 

Related: Mexican Oil Company Pemex Hit by Ransomware 

Related: Public ICS Hacking Tools Make It Easier to Launch Attacks: FireEye 

Related: The Rise of ICS Malware: Industrial Security Threats Are Becoming More Surgical

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
