As one of the world’s largest automobile manufacturers, Toyota Motor Corp. has a diverse supply chain to support its business operations with over 300 suppliers.

Over the years, Toyota has integrated some of its suppliers into its operations, but still kept many third-party vendors under contract. That means that like many other companies with complex supply chains, Toyota has to rely on the quality and stability of its supplier’s cyber security systems.

With today’s interconnected networks, cybercriminals are becoming increasingly efficient in identifying the weakest link in a supply chain, knowing that the biggest damage can come from compromising the smallest business unit.

But finding these threats isn’t an easy task.

Take for example the post below taken from hacking forum Exploit. The threat actor is offering VPN access to what he describes as “a company [that] specializes in the sale and maintenance of Kia, Mazda, Mitsubishi, Toyota and Lexus vehicles.” Although he doesn’t mention the company’s name, which is a typical move by hackers on such forums, the post makes it clear that in case this company is breached, it will affect Kia, Mazda, Mitsubishi and Toyota.

The recent cyber attacks against Toyota’s suppliers

Recently, two Toyota suppliers were hit by cyber attacks, two weeks apart, resulting in a complete halt to the company’s production.

One of the attacks targeted Kojima Industries Corp., a manufacturer of automotive parts, and the other hit Denso Corp., a global automotive manufacturer.

The image below is taken from the Pandora leak site that was recently created on the TOR network. Pandora group has already posted several leaks on the site, one of them, dated from March 16, is Denso’s leak.

This is not the first time Denso suffered a breach. A few months earlier, in late 2021, they were the victims of a ransomware attack, launched by the Rook ransomware group:

Following these attacks, we used our Cyber API to look for early signs that Denso was at risk of a cyber attack.

We came across mentions of Denso in two different login credential marketplaces with dozens of mentions. The oldest post dates back to March 2020 and the latest one (at the time of writing) was posted March 13, 2022, on the same day the breach was published. This is an indication that it is probably not related to the attack but at the same time, shows Denso is still exposed to potential cyber threats.

With supply chain risk proving to pose a real threat to the operations of companies, our cyber team took a closer look to see if there are other Toyota suppliers at risk of future cyber attacks.

What supply chain risks is Toyota still facing?

A short list of Toyota’s suppliers include Tesla Motors, Bridgestone Americas, Infineon Technologies, Microchip Technologies, Renesas, Panasonic and Mitsubishi.

By using Webz.io’s Cyber API, we have been able to find mentions of all these companies on the dark web.

Here are some cyber risks we have found:

Vulnerabilities

We have found several posts on the Cxsecurity site, which provides tutorials on how to exploit vulnerabilities. Here is an example:

Malware

Below is an example of malware threats, which was taken from Magbo, a dark web marketplace used by threat actors to post shell backdoors on a daily basis. These shell backdoors allow access to a wide range of websites and services.

In this example, the threat actor offers a shell that enables its users to embed a code into a Tesla page. It has a similar operational pattern as the keylogger that steals users credentials or cookies that can give unlawful access to the site.

Compromised accounts

Denso login credentials are not the only ones up for sale. Countless companies are appearing in login credential marketplaces and hacking forums. Among them, you can find Toyota suppliers, such as Bridgestone Americas, Infineon, Microchip Technologies, Renesas.

We have found compromised login credentials which increase the risk for unlawful access to their network and a possible data breach.

In the next example (see image below), a threat actor is offering compromised Tesla accounts on Wwh-club, a Russian hacker forum, the image is taken from Webz.io’s Cyber API:

Here are other examples for login credentials from 3 different login marketplaces: Russian Market, Genesis and 2easy:

All of the examples we have listed represent a very small part of supply chain risks that can be found in the dark web. We witness tens of thousands of company identifiers mentioned in a negative or potentially dangerous context every day.

Monitoring deep and dark web data can help companies not only track mentions that are directly linked to their own business but also threats to their suppliers that can threaten their organization. A reliable and wide coverage of deep and dark web data is key to learning about emerging threats and even preventing imminent attacks in today’s interconnected world.