Panasonic Breached Again; Conti Takes Responsibility
Breached Twice in Six Months; Company Says It Is Investigating Current Incident
Japanese multinational conglomerate Panasonic has been breached for the second time within six months. In February 2022, its Canadian operation discovered that it was the victim of a targeted cybersecurity attack affecting some of its systems, processes and networks.
[ALERT] Conti ransomware gang has announced "PANASONIC" on the victim list.
— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) April 5, 2022
"We took immediate action to address the issue with assistance from cybersecurity experts and our service providers. This included identifying the scope of impact, containing the malware, cleaning and restoring servers, rebuilding applications, and communicating rapidly with affected customers and relevant authorities," Airi Minobe, an official spokesperson at Panasonic's corporate headquarters in Japan tells Information Security Media Group.
Minobe says the company worked diligently to restore operations and to understand the impact on customers, employees, and other stakeholders.
The ongoing investigation has confirmed that the incident only affected the Canadian operation, and the company is continuing to work closely with affected parties to fully mitigate any impacts from this incident, according to Minobe.
The electronics giant, headquartered in Osaka, Japan, has yet to reveal the nature or type of the attack, or to disclose whether any data was stolen.
Who’s Responsible?
VX-Underground, a group of malware researchers, has confirmed that the Conti ransomware-as-a-service gang is behind the attack on Panasonic Canada. The gang has also published details of the attack on its leak site, where around 2.62GB of data is listed.
Conti ransomware group has ransomed @PanasonicNA
— vx-underground (@vxunderground) April 5, 2022
After the first attack in November 2021, Panasonic disclosed a security breach that it said involved unnamed threat actors accessing servers on its network. The company said "its network was illegally accessed by a third party on Nov. 11, 2021. As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion." (See: Japanese Electronics Giant Panasonic Discloses Data Breach).
Cian Heasley, security consultant at Adarma, tells ISMG: "The attack on Panasonic's Canadian business that has been attributed to the Conti ransomware gang shows that, although Conti has suffered what seems to be a schism over the Russian invasion of Ukraine, and significant public leaks of their internal chats, tools and training materials, they are still very much a force to be reckoned with."
"Securing large enterprises at scale is very challenging, as there are a lot of moving parts and robust security is always an ongoing journey, not a destination. Security logs need to be monitored and analyzed, software and systems need to be regularly updated, staff needs to be trained to be security vigilant and there needs to be a real awareness of what systems are potentially vulnerable to external attack," Heasley says.
Poorly Handled Cloud Resource?
"Panasonic is a well-established global brand and company and has a deep and talented team of security professionals working around the clock to secure its assets. Only insiders at the company would know this with certainty, but the company could be dealing with technical debt from legacy applications and infrastructure, while at the same time innovating and following current trends to move to the cloud," says Ken Westin, director of security strategy at Cybereason. "Therein lie the security challenges on a daily basis."
Westin says that this hybrid type of environment raises security challenges that smaller and newer companies may not face because they are already cloud-native. In addition, the pandemic and supply chain issues have hit companies such as Panasonic harder than others, which has also reduced the resources available, whether people or technology, to deploy and secure infrastructure.
"One of the biggest challenges facing Panasonic, and all public and private organizations, is improving their understanding of the scope of an incident as it is occurring. If they did not identify either the root cause or full scope of the incident, it is highly likely that it will occur again. For instance, how did the attacker gain access to the environment, was it phishing, RDP, or an exploit? If unanswered, the attackers might strike again," Westin says.
Erfan Shadabi, cybersecurity expert at comforte AG, also believes that some of the biggest and most public data breaches can be traced back to unsecured or poorly protected data residing within cloud resources. He tells ISMG: "Most cloud providers offer only the most basic security features, especially at bare-bones price points, which simply won't cut it if your highly sensitive information (PII, transactional information, intellectual property) is destined for the cloud."
Conti Ransomware
Conti is one of the most prevalent types of ransomware. It was developed by a long-running Russian cybercrime group known as Wizard Spider, according to CrowdStrike. The group is believed to be responsible for the TrickBot malware/botnet code as well as the Ryuk and BazarLoader strains of ransomware.
The Conti group and its affiliates have prolifically attacked hundreds of organizations, including Ireland's Health Service Executive in May 2021. The health service, which did not pay the ransom and called on its military to recover, recently said it spent $48 million recovering from the attack. It warned the figure may still rise to $110 million (see: Ransomware Attack: Ireland's Cleanup Costs Hit $48 Million).
Conti is aggressive and antagonizes its victims. If victims refuse to pay the ransom, it slowly leaks their sensitive data on its website. That means that even if an organization has good backups and a disaster recovery plan, they still potentially face pain from leaked data.
Voicing support for Russia amid the global condemnation of the country's attack on Ukraine was a risky move for Conti. In February, the Conti gang published a short post on a website it uses to leak the data of organizations it has compromised.
It wrote that it fully supported the Russian government and that if anyone organized a cyberattack against Russia, it would use all of its resources to strike back at the "critical infrastructures of an enemy."
That post was quickly removed and another post expressing essentially the same sentiment was published, but with a new addition that tried to temper its position: "We do not ally with any government and we condemn the ongoing war."
Recommendations
Organizations need to identify the full impact of a breach, Westin says: the trail may go cold in the data they have available, but that doesn't mean the attacker didn't establish persistence or pivot to an unmonitored environment such as cloud infrastructure. He adds that organizations with the visibility to see the full scope of an incident are in a better position to tighten their security controls based on a postmortem of the incident and to improve their overall security posture.
Shadabi says these types of attacks continue to evolve in sophistication and cleverness.
"Enterprises need to remain focused on the basics: develop a defensive strategy incorporating more than just perimeter-based security, don't assume that cloud-based services are inherently safe without proper due diligence, and put a priority on emerging data-centric security methods such as tokenization and format-preserving encryption, which can apply protections directly to the sensitive data that threat actors are after," Shadabi says. "Tokenizing data as soon as it enters your enterprise workflows means that business applications and users can continue to work with that information in a protected state, but more importantly if the wrong people get hold of it, either inadvertently or through coordinated attacks like this one, the sensitive information remains obfuscated so that threat actors cannot leverage it for gain."
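The data-centric approach Shadabi describes, tokenizing a sensitive field at ingestion so that downstream applications handle a format-preserving stand-in while the real value lives only in a tightly controlled vault, can be illustrated with a small Python example. This is an added illustration, not code from the article or from comforte AG: the in-memory vault, the `TokenVault` and `tokenize_record` names, the role names and the sample order record are all constructed for the example (the card number is a well-known test number, not real PII). A production vault would encrypt its token-to-value table at rest and sit behind an audited service; the shape of the API is what the example shows.

```python
import hashlib
import hmac
import secrets
import string

DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
_ALPHABETS = {"d": DIGITS, "l": LOWER, "u": UPPER}


def _char_class(ch: str) -> str:
    """Classify a character: digit, lower, upper, or itself (separators pass through)."""
    if ch in DIGITS:
        return "d"
    if ch in LOWER:
        return "l"
    if ch in UPPER:
        return "u"
    return ch


def same_format(token: str, value: str) -> bool:
    """True when token and value have the same length and per-position character class."""
    return len(token) == len(value) and all(
        _char_class(a) == _char_class(b) for a, b in zip(token, value)
    )


class TokenVault:
    """Constructed in-memory token vault (illustration only, not a product API)."""

    def __init__(self, index_key: bytes, detokenize_roles=("payments-settlement",)):
        # The value index holds only keyed hashes, never plaintext, so re-tokenizing the
        # same value returns the same token and joins across systems keep working.
        self._index_key = index_key
        self._value_index = {}       # HMAC(value) -> token
        self._token_to_value = {}    # token -> plaintext: the only place plaintext lives
        self._detokenize_roles = set(detokenize_roles)

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _random_same_class(ch: str) -> str:
        # Format preservation: digits stay digits, letters keep their case, separators stay.
        cls = _char_class(ch)
        return secrets.choice(_ALPHABETS[cls]) if cls in _ALPHABETS else ch

    def tokenize(self, value: str, keep_last: int = 0) -> str:
        """Return a format-preserving token; keep_last trailing characters stay in clear."""
        if keep_last >= len(value):
            raise ValueError("keep_last must leave at least one character to tokenize")
        key = self._index(value)
        if key in self._value_index:
            return self._value_index[key]
        head, tail = value[: len(value) - keep_last], value[len(value) - keep_last :]
        while True:
            token = "".join(self._random_same_class(c) for c in head) + tail
            # Reject the degenerate token == value case and collisions with issued tokens.
            if token != value and token not in self._token_to_value:
                break
        self._value_index[key] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only explicitly allowed roles may recover the plaintext behind a token."""
        if caller_role not in self._detokenize_roles:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]


def tokenize_record(vault: TokenVault, record: dict, policy: dict) -> dict:
    """policy maps field name -> number of trailing characters to leave in clear."""
    out = dict(record)
    for field, keep_last in policy.items():
        if field in out:
            out[field] = vault.tokenize(str(out[field]), keep_last)
    return out


# Constructed sample record and policy: tokenize the card but keep the last four digits
# for receipts; tokenize the national ID entirely.
SAMPLE_ORDER = {
    "order_id": "A-1001",
    "customer": "j.doe",
    "card": "4111-1111-1111-1111",
    "national_id": "AB123456C",
}
POLICY = {"card": 4, "national_id": 0}

if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    protected = tokenize_record(vault, SAMPLE_ORDER, POLICY)
    print(protected)  # applications downstream only ever see this
    print(vault.detokenize(protected["card"], caller_role="payments-settlement"))
```

The point for a breach like this one: a dump of the order database yields tokens that match the format applications expect but carry no recoverable value without the vault, and the vault's detokenize path is a narrow, role-checked interface that can be logged and alerted on, rather than every system that ever touched the record.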
Heasley says recovering from a ransomware attack like this is certainly difficult but not impossible. Having been involved in the response to a similar incident himself, Heasley says the whole operation can be painstaking and there is no margin for error.
"Any slip up when dealing with the compromise of many systems on a large network could result in the attackers regaining a foothold, which would be disastrous," Heasley says.