Asahi Group Holdings Breach Incident Score: Analysis & Impact (ASA4032640112725)

In this Rankiteo incident briefing, we review the Asahi Group Holdings breach identified under incident ID ASA4032640112725.

The analysis begins with a detailed overview of Asahi Group Holdings's information like the linkedin page: https://www.linkedin.com/company/asahigroup-holdings, the number of followers: 202985, the industry type: Food and Beverage Services and the number of employees: 1129 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 719 and after the incident was 605 with a difference of -114 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Asahi Group Holdings and their customers.

On 29 September 2023, Asahi Group Holdings, Ltd. disclosed Ransomware Attack issues under the banner "Ransomware Attack on Asahi Group Holdings".

Japanese beer giant Asahi Group Holdings, maker of Asahi Super Dry, was hit by a sophisticated ransomware attack in late September 2023.

The disruption is felt across the environment, affecting Corporate IT systems, Financial reporting systems and Order processing systems.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Isolation of affected systems and Manual order processing to mitigate supply chain disruptions, and began remediation that includes System restoration (ongoing as of December 2023) and Gradual resumption of production, while recovery efforts such as Expected full system recovery by February 2024 continue, and stakeholders are being briefed through Public press conference by CEO Atsushi Katsuki, Delayed financial disclosures with promises of transparency post-recovery and Apologies to customers for inconvenience.

The case underscores how Ongoing (as of December 2023), teams are taking away lessons such as The attack was described as 'beyond imagination' in sophistication, indicating gaps in Asahi's cybersecurity preparedness, CEO acknowledged that existing preventive measures were insufficient against advanced threats and Highlighted broader cultural issues in Japan regarding cybersecurity investment and prioritization, and recommending next steps like Increase cybersecurity investments without solely focusing on ROI justification, Enhance threat detection and response capabilities for sophisticated attacks and Improve incident response planning to minimize operational downtime, with advisories going out to stakeholders covering Delayed financial results will be disclosed once systems are restored and Gradual resumption of production and shipments in progress.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating high_value_targets included Corporate IT systems and Financial data (implies credential abuse) and Exploit Public-Facing Application (T1190) with moderate confidence (60%), supported by evidence indicating sophisticated ransomware attack with no specified vector (common for public-facing app exploits). Under the Execution tactic, the analysis identified Exploitation for Client Execution (T1203) with moderate to high confidence (80%), supported by evidence indicating beyond imagination sophistication suggests exploit-based execution (e.g., zero-day or unpatched vuln). Under the Persistence tactic, the analysis identified Valid Accounts: Local Accounts (T1078.003) with moderate to high confidence (70%), supported by evidence indicating 3-month downtime suggests persistent access via compromised local/admin accounts. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Default Accounts (T1078.001) with moderate confidence (60%), supported by evidence indicating system-wide shutdowns imply domain/admin-level privileges (common via default credential abuse). Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable/Modify Tools (T1562.001) with high confidence (90%), supported by evidence indicating isolation of affected systems (implies attackers disabled security tools to evade detection) and Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (80%), supported by evidence indicating data encryption such as true (ransomware typically deletes backups/shadow copies). Under the Credential Access tactic, the analysis identified OS Credential Dumping (T1003) with moderate to high confidence (85%), supported by evidence indicating system-wide shutdowns across 30 factories suggest lateral movement via dumped credentials. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (75%), supported by evidence indicating disruption across Corporate IT systems and Financial reporting systems implies RDP/remote service abuse. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (100%), with evidence including data encryption such as true, and ransomware attack with 3-month downtime and Inhibit System Recovery (T1490) with high confidence (95%), supported by evidence indicating manual order processing and gradual resumption imply recovery mechanisms were sabotaged. Under the Command and Control tactic, the analysis identified Application Layer Protocol (T1071) with moderate to high confidence (80%), supported by evidence indicating 3-month persistence suggests C2 via common protocols (e.g., HTTPS/DNS tunneling). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.