Hoya Corporation: Ransomware Attack Timeline
Date: 11 June 2024
Hoya Corporation is one of the world's leading optical products manufacturers. It recently became the victim of a massive cyber crime. The ransomware gang demanded a whopping $10 million ransom to decrypt what they claimed was 2 TB of data. Read on to learn what happened next and how Hoya Corp implemented effective Cyber Incident Response to get its production plants and ordering systems up and running again.
Topics covered in the Hoya Corp Ransomware Attack Timeline:
1. The Incident
2. The Impact
3. Actions Taken by Hoya Corp
This is a summary image of the Attack Timeline. The complete details, in chronological order, are covered in the sections below.
Our educational cyber-attack timelines intend to present cyber attacks in a chronological and easy-to-understand format. We break down each cybersecurity incident into bite-sized points. This helps you understand the modus operandi of cyber criminals and response strategies that work and those that don't.
More importantly, a retrospective look at recent major cyber attacks from your industry can inspire Cyber Security Tabletop Exercise Scenarios for your organisation. Cyber Crisis Tabletop Exercises are crucial for enhancing your organisation's cyber resilience. They simulate real-life attack scenarios, helping your team practice and refine their response strategies.
Cyber Tabletop Exercises identify weaknesses in your incident response plan and build muscle memory for effective decision-making during actual cyber events. Regular tabletop exercises ensure your team is prepared and confident in handling cyber crises.
The Incident - Hoya Corp
- April 04, 2024: Hoya Corp Systems go Offline - According to various sources like BleepingComputer and The Recorded Future, Hoya Corporation, one of the largest global manufacturers of optical products, said a "system failure" caused servers at some of its production plants and business divisions to go offline on March 30, 2024.
The company said in a statement given on its official website:
- “In the morning of March 30, 2024, we discovered a discrepancy in system behaviour at one of our overseas offices and confirmed that a system failure had occurred.”
- “We immediately responded by isolating the failed servers and reported the matter to the relevant authorities in the affected countries.”
- “We also engaged external forensic investigators who reported that this incident was most likely caused by unauthorised access to our servers by a third party.”
- April 10, 2024: Hunters International demands $10 million ransom - BleepingComputer said that a recent cyber attack on Hoya Corporation was conducted by the 'Hunters International' ransomware operation, which demanded a $10 million ransom for a file decryptor and for not releasing files stolen during the attack.
- April 10, 2024: BleepingComputer said no files were released on the Hunters International site and the threat actors did not publicly claim responsibility for the attack on Hoya. LeMagIT, however, posted evidence in the form of screenshots from the ransomware operation's negotiation panel that victims use to negotiate a ransom payment.
- April 10, 2024: Hackers had allegedly stolen 1.7 million files adding up to 2 TB of data - LeMagIT published a report saying: “The cybercrime group Hunters International publicly revealed its involvement in the attack against Hoya to stakeholders.” In fact, although the group did not publicly claim responsibility for this attack at the time of publishing, it appears to be involved. LeMagIT said that, according to its information, a ransom amount was initially demanded and the cybercriminals claimed to have stolen more than 1.7 million files for a total of 2 TB of data.
- April 10, 2024: LeMagIT said threatening to mass inform customers, partners, employees and competitors of a victim was part of Hunters International’s modus operandi. They also applied a no-negotiation policy to some of their victims, which they did for Hoya, according to information that was brought to LeMagIT’s attention. A negotiator might have initially offered 1.5 million dollars, in vain, then 4 million, still in vain, coming up against an openly intractable cybercriminal, as per sources.
- April 15, 2024: CyberEra and Teiss published a statement given by Hoya which said:
- “Hoya is also assessing the situation for any material impact on its business performance and assured its customers that it will share more information about the incident as and when available,”
- “Hoya’s consumer eyeglass lens unit, Hoya Vision Care Co, apologised to customers on Tuesday for pausing order bookings for lenses due to a group-wide system failure”.
- April 24, 2024: Hoya gave an update regarding the restoration of the affected systems: “Our restoration process of Hoya Vision Care systems affected by the incident is substantially complete and the majority of affected labs are now open. We are, however, experiencing slight delays as we work through backlogs and hope to get back to our standard delivery schedule as soon as possible”.
The Impact on Hoya Corp & Customers
- April 04, 2024: Hoya described the impact of the incident in the following statements:
- “While the full effects, extent and nature of the incident continue to be investigated, the systems for some production plants and the ordering system for several products have been affected.”
- “The Company is making every effort to respond to customer demand and minimise the impact on our customers to the greatest extent possible.”
- “We are also investigating whether any confidential or personal information held by the Company has been compromised or accessed by third parties, but the full analysis is expected to take a considerable number of days.”
- “We will fully comply with our internal policies and local regulations as needed depending on the results discovered.”
- April 04, 2024: According to BleepingComputer, Hoya said: “Through the ongoing investigation, we have confirmed an unauthorised third party gained access to certain servers of our Group and exfiltrated a limited number of files. If we learn sensitive information about your organisation was affected, we will promptly notify you and regulators, as appropriate”.
- April 10, 2024: BleepingComputer said that, as first reported by LeMagIT, Hunters International demanded a $10 million ransom not to release an alleged 1.7 million stolen files, amounting to 2 TB of data. This ransom demand was also confirmed independently by BleepingComputer.
Actions taken by Hoya Corp
- April 04, 2024: Hoya’s official platform shared information on actions taken, saying: “We will continue to investigate and analyse the impact of this incident in cooperation with outside experts and relevant authorities, and will take measures to restore the systems necessary for production and sales activities and to resume the supply system of products to customers as soon as possible”.
- April 04, 2024: As per BleepingComputer’s report, Hoya promptly responded to a server failure by isolating the affected servers and informing the relevant authorities in the impacted countries. The source said the optics company also hired outside forensic investigators who determined that the incident was most likely caused by a third party gaining unauthorised access to their servers.