On January 20, 2020, Japanese electronics manufacturer Mitsubishi Electric disclosed a data breach that may have exposed information on government agencies and business partners.
While the firm confirms that sensitive information on defense, electricity, or other infrastructure operations was not breached, a total of 120 workstations and 40 servers were affected across the company's units, and personal data on over 8,000 people, including employees, retirees, and job applicants, may have been exposed. The hacking tools used in the attack were discovered in a company lab in Japan on June 28, 2019; the unauthorized access began at the company's China affiliates before spreading to Japan.
APT group believed to be responsible
The suspected perpetrator is reportedly an Advanced Persistent Threat (APT) group, that is, a coordinated, professional hacking organization with a sustained presence in its targets, called Tick, also known as Bronze Butler or RedBaldKnight. The group is believed to be based in China because of its use of tools built by Chinese-speaking developers, documented links with the Network Crack Program Hacker (NCPH) group, and the fact that the unauthorized access started in the company's China affiliates.
It is unlikely that the breach will have any operational impact, and information security analysis suggests that the group's predominant focus is the theft of intellectual property and sensitive communications. A notable impediment to resolving this incident is that the attackers deleted access logs once the data theft was complete, complicating further investigation, a task already made difficult by the group's frequent rotation of the IP addresses used for its command-and-control traffic.
A signature of the group is spear phishing and strategic web compromise (planting malware on legitimate websites its targets are known to visit), at times exploiting zero-day flaws in software that has not been publicly identified. Its targets are concentrated in Northeast Asia, such as South Korean defense firms and Japanese heavy industry, with further targets in Russia, China, and Singapore. The group's use of phishing, disguised downloaders, trojans, and command-and-control servers makes it a very conventional threat in terms of its playbook.
Mitsubishi Electric has already reinforced its information security and monitoring measures. The company was the third-largest contractor for major equipment at the Japanese Defense Ministry in 2018 and provides cyber security services to public entities as well as private companies.
Cyber security threat looms in Japan
While Japan is advanced in technological development, the country still lags behind others in addressing cyber-attacks. In 2019, Fast Retailing, the parent company of popular Japanese apparel brands such as UNIQLO and GU Japan, suffered a credential stuffing attack (automated logins using username and password pairs leaked from other services) that affected more than 460,000 customers, with unknown attackers allegedly accessing customer accounts from April 23, 2019 to May 10, 2019. Customer information including names, addresses, phone numbers, email addresses, gender, dates of birth, purchase history, clothing measurements, and credit card information was exposed; the intrusion was confirmed on May 10, 2019, when unauthorized logins by a third party were detected.
Amidst this, the Japanese government has stepped up its measures against cyber security vulnerabilities ahead of the upcoming 2020 Summer Olympics in Tokyo. The National Institute of Information and Communications Technology reportedly checked about 200 million internet-connected devices for potential security vulnerabilities in 2019. However, the Mitsubishi Electric case is a wake-up call for other Japanese manufacturing firms about the growing threat of spear phishing and ransomware attacks and their implications for supply chains, as the threat appears to have spread from consumer-facing companies to manufacturers.
Japan's National Centre of Incident Readiness and Strategy for Cyber security reported 212.1 billion instances of suspicious activity attributed to Internet of Things (IoT) devices in 2018, a four-fold increase from 54.5 billion in 2015. Multinational conglomerates such as Toshiba also observe an average of 2.5 million attempted cyber-attacks per day across their group companies.
Similarly, Mitsubishi Heavy Industries was hacked in 2011, which led to malware spreading across 11 of the company's locations, including the Kobe and Nagasaki shipyards. Mitsubishi Electric products such as the MELSEC-Q Series Ethernet Module, frequently deployed alongside programmable logic controllers, were found to have vulnerabilities when exposed to the network (CVE-2019-10977). The controllers themselves, as well as the company's FR Configurator2 inverter engineering software, were also found to have vulnerabilities.
Japan has yet to experience a large-scale cyber-attack that disrupts services and operations. While information technology firms are likely targets, a variety of Japanese organizations in electric utilities, oil and natural gas, transportation, and construction are also vulnerable to such threats. The risk of cyber-attacks on manufacturers is amplified by the interconnectedness of businesses and IT networks throughout Northeast Asia. As a result, the threat of data breaches by APT groups is unlikely to subside in the foreseeable future.
An important way to mitigate the impact of such incidents is to understand how these groups operate and to interrupt them at each step of the intrusion. Given the group's methods, measures such as enforcing least privilege, segmenting networks so that a foothold in one affiliate cannot reach servers in another, adding indicators and detection signatures for the group's tooling to existing monitoring, and documenting incident response procedures can help protect one's systems. Furthermore, because the group is known to use compromised legitimate websites for staging and command and control, examining one's own exposure, from the sites staff routinely visit to the software that faces the internet, can assist in mitigating future threats.
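Two of the measures above, matching indicators against existing logs and looking for the holes that log deletion leaves behind (the tactic described earlier in this article), can be demonstrated with a small script. The following is an added example for this page, not code from Mitsubishi Electric or any vendor report; the indicator domains and hash, the log format, and the heartbeat interval are all assumptions invented for illustration and are not real Tick / Bronze Butler indicators.

```python
"""Added example: scan constructed endpoint log lines for hypothetical
indicators of compromise and for per-host silences that could mean logs
were deleted. All indicators and log lines below are invented."""
import re
from datetime import datetime, timedelta

# Hypothetical indicators for illustration only (not published IOCs).
IOC_DOMAINS = {"update-cdn.example.net", "cache.example-host.org"}
PLACEHOLDER_HASH = "4e3d" * 16          # 64 hex chars, a made-up SHA-256
IOC_SHA256 = {PLACEHOLDER_HASH}

# Assumed log format: "<ISO timestamp> host=<name> event=<type> k=v k=v ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>(?: \S+=\S+)*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log (synthetic). lab-pc-07 connects to a listed domain,
# starts a binary with the placeholder hash, then goes silent for six hours
# while fileserver-2 keeps its 20-minute heartbeat.
SAMPLE_LOG = f"""\
2019-06-28T01:00:00 host=lab-pc-07 event=logon user=svc_build
2019-06-28T01:10:00 host=lab-pc-07 event=net_conn dst=update-cdn.example.net:443
2019-06-28T01:15:00 host=lab-pc-07 event=proc_start sha256={PLACEHOLDER_HASH}
2019-06-28T01:20:00 host=lab-pc-07 event=heartbeat
2019-06-28T07:30:00 host=lab-pc-07 event=heartbeat
2019-06-28T07:31:00 host=lab-pc-07 event=logoff user=svc_build
2019-06-28T01:00:00 host=fileserver-2 event=heartbeat
2019-06-28T01:20:00 host=fileserver-2 event=heartbeat
2019-06-28T01:40:00 host=fileserver-2 event=heartbeat
"""


def parse_log(text):
    """Parse lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("rest")))
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            "host": m.group("host"),
            "event": m.group("event"),
            **fields,
        })
    return events


def match_iocs(events):
    """Return (timestamp, host, kind, value) for every indicator match."""
    hits = []
    for ev in events:
        dst_host = ev.get("dst", "").rsplit(":", 1)[0]   # strip the port
        if dst_host in IOC_DOMAINS:
            hits.append((ev["ts"], ev["host"], "domain", dst_host))
        if ev.get("sha256", "").lower() in IOC_SHA256:
            hits.append((ev["ts"], ev["host"], "sha256", ev["sha256"]))
    return hits


def find_gaps(events, max_gap=timedelta(minutes=30)):
    """Flag per-host silences longer than max_gap. Assumes (for this example)
    that every host emits at least a heartbeat every 20 minutes, so a longer
    hole should be checked against the collector and the host's local store."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], []).append(ev["ts"])
    gaps = []
    for host, stamps in per_host.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier, later))
    return gaps


def analyze(text):
    events = parse_log(text)
    return {"events": len(events),
            "ioc_hits": match_iocs(events),
            "gaps": find_gaps(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for hit in report["ioc_hits"]:
        print("IOC hit:", hit)
    for host, start, end in report["gaps"]:
        print(f"log gap on {host}: {start} -> {end} ({end - start})")
```

The gap check only works if logs are shipped off the host as they are written; an attacker who can delete local logs before collection leaves no hole to find, which is why forwarding to a collector the compromised account cannot write to matters more than the script itself.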
Beyond IT preparedness, managing the security of a network as wide – from Japan to China – and as connected – across both the public and private sectors – as that of Mitsubishi Electric necessitates visibility and communication in order to cascade warnings and mitigate threats throughout one’s supply chain. While data breaches are often quick and come to public knowledge well after the fact, maintaining this level of visibility and communication from every indicator of risk from a vulnerability discovery to a phishing attempt can help reduce exposure across the supply chain.