Asahi Group Holdings Suffers Cyberattack Disrupting Japanese Operations

3 unique sources, 4 articles

Summary

Asahi Group Holdings, Ltd., Japan's largest brewer, has confirmed a ransomware attack that began on September 29, 2025, and has disrupted operations in Japan. The attack caused system failures affecting orders, shipments, and call center operations at all subsidiaries in Japan, and has affected ordering, shipping, customer service activities, and production at some of its 30 domestic factories. The company has confirmed data theft from compromised devices. The attack has not affected operations outside of Japan, and no ransomware group has claimed responsibility. Asahi has established an Emergency Response Headquarters and is collaborating with external cybersecurity experts to investigate the source of the disruption and restore impacted operations. The company has begun partial manual order processing and shipment and aims to gradually resume call center operations. The potential impact on Asahi’s financial results for fiscal year 2025 is under review. The company operates four regional branches and holds significant market share in Japan and internationally.

Timeline

  1. 03.10.2025 17:51 2 articles · 9d ago

    Asahi Group Holdings confirms ransomware attack and data theft

    Asahi has confirmed an unauthorized transfer of data from its servers. The company isolated affected systems to safeguard critical data, including personal information of customers and business partners. No ransom demand has been issued by the hackers.

  2. 29.09.2025 23:44 4 articles · 13d ago

    Asahi Group Holdings Suffers Cyberattack Disrupting Japanese Operations

    The company has begun partial manual order processing and shipment. Asahi aims to partially and gradually resume call center operations, including customer services, during the week starting October 6. The company postponed the launch of a new product scheduled to be released in October due to the cyber-attack. The potential impact of the incident on Asahi’s financial results for fiscal year 2025 is currently under review.


Similar Happenings

Motility Software Solutions Ransomware Attack Exposes 766,000 Client Records

Motility Software Solutions, a provider of dealer management software (DMS), experienced a ransomware attack on August 19, 2025. The incident exposed the sensitive data of 766,000 customers. The compromised data includes full names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, and driver’s license numbers. The attack affected 7,000 dealerships across the United States. The company has implemented additional security measures, restored systems from backups, and established dark web monitoring. No ransomware group has claimed responsibility for the attack. Motility has offered a year of free identity monitoring services to affected individuals.

KillSec Ransomware Attack on Brazilian Healthcare Software Provider MedicSolution

The KillSec ransomware group has attacked MedicSolution, a Brazilian healthcare software provider. The attack resulted in the exfiltration of over 34GB of sensitive healthcare data, including lab results, X-rays, and patient records. The data was stolen from insecure AWS S3 buckets, exposing over 94,000 files. The breach occurred over several months, and the group is threatening to leak the data unless a ransom is paid. The attack impacts numerous healthcare organizations and patients whose data is managed by MedicSolution. The group has also targeted healthcare institutions in the US, Peru, and Colombia. The attack highlights the risks associated with supply chain vulnerabilities and the need for robust cybersecurity measures.

Jaguar Land Rover Production Disrupted by Cyberattack

Jaguar Land Rover (JLR) is gradually resuming operations after a severe cyberattack that disrupted its systems and manufacturing plants. The UK government has provided a £1.5 billion loan guarantee to support JLR's supply chain, which has been greatly impacted by the shutdown. The attack, which occurred over the weekend, forced the shutdown of several systems, including those at the Solihull production plant. Customer data appears unaffected, but some data was stolen during the breach. This is the second cyberattack JLR has experienced this year, following a previous incident in March. JLR experienced a 25% drop in volume sales in the three months up to September 30 due to the cyber incident. The suspension of operations has had a severe impact on JLR’s large extended supply chain, resulting in job losses in some of these companies. The company will report its full financial results for Q2 FY26 in November. The cyber incident contributed to production stoppages since the start of September, and sales are likely to continue to be significantly impacted over the coming months. JLR operates under Tata Motors India and produces over 400,000 vehicles annually, with a revenue exceeding $38 billion. The attack impacted the ability to register new cars and supply parts at service points in the UK. The specific type of attack and timeline for recovery remain unspecified. A group identifying as "Scattered Lapsus$ Hunters" has claimed responsibility for the attack, posting screenshots of an internal JLR SAP system on a Telegram channel and stating that they deployed ransomware on the company's compromised systems.

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, targeting the manufacturing and technology sectors and organizations in the US. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and security measures. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766, an improper access control issue in SonicWall firewalls. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified the registry to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.
The earliest activity connected to the Akira ransomware campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024. The campaign remains active, with attacks consistent since July 2025, showing a slight decrease around the end of August and early September, and picking up pace again around the end of September 2025. A range of SonicWall devices, including NSA and TZ series devices running versions of SonicOS 6 and 7, have been targeted. SonicOS firmware versions 6.5.5.1-6n, 7.0.1-5065, 7.0.1-5119, 7.1.2-7019, 7.1.3-7015, and 7.3.0-7012 are vulnerable, as well as hardware models NSa 2600, NSa 2700, NSa 4650, NSa 5700, TZ370, and TZ470. The campaign may trace back to earlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions. Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions, such as 8.0.2. Arctic Wolf Labs recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use.

Data I/O Experiences Ransomware Attack and System Outages

Data I/O, a tech manufacturer, has reported a ransomware attack on August 16, 2025, which affected its shipping, manufacturing, and production systems. The company activated its incident response protocols, including taking systems offline and implementing mitigation measures. As of August 21, 2025, the full scope and impact of the attack remain unknown, and the company is still working to restore affected systems. The attack has not yet been determined to have a material impact on the company's business operations, but the costs associated with the incident are expected to be significant. The company is conducting a third-party investigation and will notify affected individuals once the scope and impact are fully understood.