Pandora Ransomware Hits Giant Automotive Supplier Denso

Denso confirmed that cybercriminals leaked stolen, classified information from the Japan-based car-components manufacturer after an attack on one of its offices in Germany.

A multibillion supplier to key automotive companies like Toyota, Mercedes-Benz and Ford confirmed Monday that it was the target of a cyberattack over the weekend – confirmation that came after the Pandora ransomware group began leaking data that attackers claimed was stolen in the incident.

The attack on Japan-based Denso occurred at a company office in Germany, which was “illegally accessed by a third party on March 10,” the company said in a press statement on its website.

“After … detecting the unauthorized access, Denso promptly cut off the network connection of devices that received unauthorized access and confirmed that there is no impact on other Denso facilities,” the company said in the statement.

Infosec Insiders Newsletter

Denso is one of the world’s largest suppliers of automotive components – including powertrain control and electronics parts – to top automobile brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat and General Motors. The Japan-based supplier reported $44.6 billion in revenue last year and has more than 200 subsidiaries with 168,391 employees worldwide.

Denso is currently investigating the incident with appropriate authorities and production continues at “all plants as usual,” according to the statement.

Toyota Data Leaked

However, classified information from Toyota stolen in the attack on Denso already has been leaked on the dark web by Pandora, according to Japanese security firm Mitsui Bussan Secure Directions.

The company told Japanese news outlet NHK that Pandora posted a message on the dark web on Sunday afternoon, Japan time, claiming to have stolen more than 157,000 items amounting to 1.4 terabytes of data belonging to the Toyota Motor group. This is the second time in a few weeks that Toyota has been hit: In late February, the car maker was forced to close down its Japan plants after a suspected cyberattack.

On Saturday, Eastern time, the dark-web criminal intelligence firm DarkTracer tweeted a screenshot of the Denso listing on Pandora’s leak portal. Reports said that the dump includes purchase orders, emails, non-disclosure agreements, technical drawings and other classified information.

On Monday, DarkTracer added that the Rook gang listed Denso on its victim list a few months ago, in December 2021.

It’s unclear at this time if Pandora managed to encrypt files before the most recent attack was detected, nor how much, if any, ransom is being demanded, according to reports. The one-two punch of both encrypting files and then threatening to leak or actually leaking files is a known ransomware tactic dubbed “double extortion.”

Supply-Chain Under Attack

The Denso attack is the second supply-chain cyber incident that has impacted Toyota this year. In February, an attack on Toyota supplier Kojima Industries Corp. forced the company to shut down its Japanese plants.

These incidents demonstrate the danger of attacks to the supply chain of multinational organizations, stressing the need to maintain and manage the same security at the principal company across all partners and business units, one security professional said.

“Cybercriminals will always exploit the weakest link, and in today’s interconnected networks can do significant damage from compromising even a small business unit,” Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, wrote in an email to Threatpost on Monday. “It’s no longer enough for businesses to solely focus on their ability to prevent or recover from a ransomware attack as attackers now routinely steal mass quantities of data as part of their operations.”

Indeed, the data theft involved in double-extortion attacks can be even more dangerous than simply a traditional encryption-based ransomware attack due to the unpredictability of attackers once they get their hands on sensitive and proprietary information, he noted.

“There is no way to verify that the attacker will actually delete the information instead of attempting to resell it on the dark web or simply release it publicly,” Clements said.

Emerging Ransomware Threat

The Pandora group is relatively new on the ransomware scene, emerging earlier this month as a new player in the threat landscape that uses this dangerous method of double extortion to blackmail targets.

Pandora’s designers have developed the ransomware to encrypt sensitive files to restrict access by appending the .pandora extension to filenames to prevent victims from opening affected files, according to research from Malware Warrior.

Since Pandora is such a new threat, it’s not yet known how cybercriminals breach corporate networks to infect systems with the ransomware. However, clues might be found in previously active ransomware groups and their methods, researchers said.

One security researcher with the Twitter handle pancak3 believes Pandora is a re-branding of Rook ransomware, which in turn borrows code from Babuk ransomware. That now-defunct ransomware-as-a-service (RaaS) group – which is likely selling its services for other cybercriminals to use – also used double extortion in its attacks during its heyday.

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.

Suggested articles