Mitsubishi Electric is a global leader in electronics and
electrical equipment manufacturing. With their expansive product line and
capabilities, they are a giant in the industry. That said, they are still a
target!
Breach
The breach occurred on June 28, 2019, but was not announced
until January 2020. It might never have been announced publicly had two
newspapers (Nikkei and Asahi Shimbun) not published articles on it. This was
probably not the optimal strategy, and it may have created or added to
mistrust. With a compromise at a business of this size, the issue was bound to
become public.
Bad Actor
Both newspapers named Tick as the malicious party behind
the compromise. Tick is a Chinese-linked cyber-espionage group. While the group
may not be well known in the enterprise community, it is known in InfoSec.
Symptoms of the Issue
Everything appeared fine until that fateful day. Mitsubishi
Electric staff detected a suspicious file on one of their servers. At the same
time, there was unusual network behavior and irregular activity, which added to
the suspicion. Once it was determined there was an issue, it was traced back to
a compromised user’s account. Through this avenue, the attack continued. The
attackers gained access to approximately 14 other company department networks,
including sales and head administration networks. The attack ended up
compromising tens of PCs and services in Japan and other locations. In a stroke
of genius, the attackers also deleted access logs in an attempt to cover their
tracks.
Data
Once the abnormal behavior was noted, external access
was restricted immediately. While this action was heroic, data was still
exfiltrated from the internal network. The estimate is that 200 MB of data was
stolen. Reports vary on what was exfiltrated. The data pool consists mostly of
business documents relating to government agencies and other business partners.
This may have also included email exchanges with the Defense Ministry, Nuclear
Registry Authority, and projects with private firms (e.g. utilities, railway
operators, communications, and automakers). This also involved personal
information, recruitment application information, and new graduate recruitment
applications for 1,987 persons. Lastly, the exfiltrated data pool contained
2012 survey results regarding personnel treatment for 4,566 employees and 1,569
retirees. While not in the several hundred thousands, this is still a rather
large number of persons affected.
???
One question that comes to mind is why this took so long to
report. The investigation itself was complex. The attackers thought through the
attack and deleted activity logs. This, coupled with the attack method, would
make the investigation an interesting activity. Simply investigating the
compromise on its own takes a bit of time due to the many opportunities
for attack.
It’s not likely more substantive details will follow. More details
would have been another opportunity to learn, so others would be able to
build their defenses against similar attacks.
Resources
Cimpanu, C. (2020, January 20). Mitsubishi Electric discloses security breach, China is main suspect. Retrieved from https://www.zdnet.com/article/mitsubishi-electric-discloses-security-breach-china-is-main-suspect/
Gatlan, S. (2020, January 20). Mitsubishi Electric warns of data leak after security breach. Retrieved from https://www.bleepingcomputer.com/news/security/mitsubishi-electric-warns-of-data-leak-after-security-breach/
Japan Times. (2020, January 20). Mitsubishi Electric data likely compromised in massive cyberattack blamed on Chinese group. Retrieved from https://www.japantimes.co.jp/news/2020/01/20/business/corporate-business/mitsubishi-electric-cyberattack-china/?mid=1#cid=9238821
National Cybersecurity. (2020, January 20). Mitsubishi Electric discloses information leak. Retrieved from https://nationalcybersecurity.com/infosec-mitsubishi-electric-discloses-information-leak/
Nikkei. (2020, January 20). Mitsubishi Electric data may have been compromised in cyberattack. Retrieved from https://asia.nikkei.com/Business/Companies/Mitsubishi-Electric-data-may-have-been-compromised-in-cyberattack
Paganini, P. (2020, January 20). Mitsubishi Electric discloses data breach, media blame China-linked APT. Retrieved from https://securityaffairs.co/wordpress/96636/data-breach/mitsubishi-electric-data-breach.html