Toyota Kojima Industries supply-chain cyberattack (2022)

On the morning of 1 March 2022, Toyota — the world's largest automaker — halted production at every one of its 14 Japanese plants, taking out roughly 13,000 vehicles of daily output, plus operations at affiliates Hino Motors and Daihatsu. The cause was not an attack on Toyota itself: it was a cyberattack on Kojima Industries, a single Tier-1 supplier that provides plastic parts and electronic components.

What happened

Kojima Industries detected an anomaly on one of its file servers on Saturday 26 February 2022. After rebooting, the company found the server infected with malware and a threatening message left behind by the attackers — the hallmark of a ransomware intrusion. Kojima isolated systems to investigate.

By Tuesday, the disruption to Kojima's ordering and dispatch systems was severe enough that it could not feed parts into Toyota's famously precise just-in-time assembly pipeline. Toyota took the only option available to a JIT manufacturer with a missing component: shut down the assembly lines.

No information was publicly available about the threat actor or motive. The attack came just after Japan joined Western sanctions against Russia over Ukraine, fuelling speculation about possible state-aligned origin, but no attribution was ever confirmed.

Impact

All 14 Toyota Japanese plants halted for a full day; affiliates Hino and Daihatsu also affected.
Roughly 13,000 vehicles of daily production lost.
Kojima Industries required one to two weeks to fully restore systems.
Triggered industry-wide reviews of supplier cybersecurity audit requirements in Japan.

Why it matters

Just-in-time production is built on the assumption that any supplier can deliver any part on schedule. Kojima Industries became the canonical example of what happens when that assumption fails: the entire downstream factory network depends on the cyber-resilience of every Tier-1 supplier, no matter how small the part. Toyota responded with a multi-year supplier cybersecurity programme that has since become a reference for the automotive industry.

Timeline

February 26, 2022

Kojima Industries detects an anomaly on one of its file servers; on reboot the server is confirmed virus-infected and a threatening message is found.

March 1, 2022

Toyota halts operations at all 14 of its Japanese plants — and at affiliate Hino Motors and Daihatsu plants — affecting roughly 13,000 vehicles of daily production.

March 2, 2022

Toyota restarts domestic production after a one-day full shutdown.

March 1, 2022

Toyota and Kojima Industries report it will take 'a week or two' to fully restore Kojima's systems.

Sources

cnn.comhttps://www.cnn.com/2022/03/01/business/toyota-japan-cyberattack-production-restarts-intl-hnk

npr.orghttps://www.npr.org/2022/02/28/1083550554/toyota-stops-production-in-japan-after-a-cyberattack-hits-one-of-its-suppliers

toyotatimes.jphttps://toyotatimes.jp/en/newscast/008.html

malwarebytes.comhttps://www.malwarebytes.com/blog/news/2022/03/toyotas-just-in-time-manufacturing-faced-with-disruptive-cyberattack

Related incidents

RansomwareContainedSeptember 29, 2025

Asahi Group Holdings Qilin ransomware (2025)

Qilin ransomware operators encrypted servers across Asahi's Japanese data centres, halting ordering, shipment, and production at 30 factories, leaking 27 GB of internal data, and exposing personal information of approximately 1.5 million customers, employees, and contacts.

Victim: Asahi Group Holdings
Loss: $31.4M
Records: 1.5M

RansomwareContainedAugust 1, 2022

Continental AG LockBit ransomware (Germany, 2022)

LockBit operators infiltrated parts of German auto-parts giant Continental AG's IT systems in August 2022. Containment was initially declared, but in November the group put 40 terabytes of stolen Continental data on its dark-web leak site, offered for sale or destruction for $50 million.

Victim: Continental AG

RansomwareContainedMay 13, 2026

Foxconn Nitrogen ransomware breach (2026)

The Nitrogen ransomware group claimed on its dark-web leak site that it had stolen over 11 million files from Foxconn's North American facilities, including confidential information belonging to customers Apple, Dell, Google, Intel, Nvidia, and Sony. Foxconn said affected factories were resuming normal production.

Victim: Foxconn (Hon Hai Precision Industry)

RansomwareOngoingApril 5, 2026

Aircos Pascual (Anjac): ongoing ransomware attack by the TheGentlemen group after a cyberattack

French cosmetics manufacturer Aircos Pascual, a subsidiary of the Anjac group, is targeted by a ransomware attack claimed by the group

Victim: Aircos Pascual (Anjac)