Toyota has confirmed its network was breached after a threat actor listed a 240GB trove of data stolen from the company’s internal systems on an underground hacking forum.
The Japanese car manufacturer admitted its systems had been compromised on 19 August, after a threat collective operating under the name ZeroSevenGroup said it breached one of the firm’s US branches.
The cache is said to contain sensitive personal information on the company’s staff and customers, including financial information, emails, photos, databases, and network infrastructure, according to ZeroSevenGroup.
There is still speculation about the particular system compromised by the group, and whether or not the attackers compromised an internal Toyota system or gained access through an independent third party.
ITPro approached Toyota for clarification, and received the following statement:
"Toyota Motor North America was not the subject of this activity. Contrary to what has been reported, our systems were not breached or compromised. The cited post appears related to a third-party entity that is misrepresented as Toyota. Toyota takes cybersecurity very seriously and we will work to address the concerns of those involved."
The attackers used the ADRecon tool to quickly identify and extract large volumes of information from the Active Directory of the affected system, including credentials for critical network infrastructure.
Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group said the use of ADRecon underlines the level of sophistication of current cyber threats.
“The fact that hackers used a tool like ADRecon to break into Toyota’s systems shows how advanced cyber threats are getting. ADRecon can dig deep into a company’s network and pull out a lot of detailed information, which is quite alarming.”
“This isn’t just Toyota’s problem. It shows that traditional security measures may no longer be enough. We need to shift to a proactive, intelligence-driven approach to stay ahead of these sophisticated threats. This means investing in better threat detection, conducting regular security assessments, and having a solid incident response plan in place."
The files appear to have been created, or stolen, on 25 December 2022, according to reporting from Bleeping Computer, which could indicate the date the attackers gained access to the server in question.
Toyota still struggling with IT failings
This marks the latest in a string of IT incidents affecting the world’s largest automobile manufacturer.
In November 2023, the company’s financial operations division, Toyota Financial Services (TFS), was listed on the Medusa ransomware group’s data leak site on the dark web.
Although not caused by a cyber attack, a server maintenance error led to 14 Toyota manufacturing plants being forced to shut down in September 2023.
May 2023 saw the revelation that a cloud configuration error had meant data belonging to over 2 million Toyota customers was left exposed for ten years.
Less than a year earlier, in October 2022, the firm discovered a server holding the data of nearly 300,000 customers was publicly accessible for the previous five years.
Jason Kent, hacker in residence at Cequence, noted the Japanese car manufacturer’s recent IT struggles, outlining how this most recent incident was possible.
“Toyota is at it again. After having a few blips with insecure cloud servers they have been able to stay out of the news but not out of sight to attackers. The battle that is constantly waging against global organizations is why we often see a small mistake lead to huge issues,” he explained.
“In this case, Toyota had a server that they claim wasn’t really important, breached. They also lost a bunch of internal credentials as tools that harvest things on a network, were installed and data was exfiltrated to the attackers servers. The unimportant server however, appears to be some sort of backup. This means that transactions, accounts, customer data, that is actually still relevant were taken.”
