Security researchers suspect that Japanese defense contractor Mitsubishi Heavy Industries was hit by a spear-phishing attack and that the operation bears the marks of the recent Operation Aurora cyber-spying campaign.
Attackers most likely used spear-phishing techniques to compromise Japanese
defense contractor Mitsubishi Heavy Industries last month, security researchers
said. Spear-phishing techniques are increasingly being used to steal sensitive
information.
Mitsubishi
Heavy Industries admitted Sept. 19 that 83 systems in over 10 locations had
been infected with several types of malware, including data-stealing Trojans.
Japanese media reported that another defense contractor based in Japan, IHI,
which builds engine parts for fighter planes, has also seen a dramatic increase
in the number of suspicious emails and malicious attachments hitting its servers.
There are many possible
scenarios as to how Mitsubishi Heavy was infected. The possibilities include an
infected computer connecting to the network, an employee's log-in credentials
being leaked, not having enough security measures and employees having access
to data they didn't need, according to Catalin Cosoi, head of the online
threats lab at BitDefender. Employees giving away too much personal information
about themselves online would have made them more vulnerable to phishing emails,
said Cosoi.
The attack against Mitsubishi Heavy was different from other attacks seen in
recent months, which generally involved SQL injection or distributed denial of
service. Malware and targeted attacks generally require "higher effort" for the
attackers, but a recent Cisco study found that they are also more lucrative.
The "best"
comparison for the attack on Mitsubishi Heavy would "probably" be
Operation Aurora, Cosoi said. Operation Aurora refers to a six-month-long
cyber-attack, believed to have originated from China, that hit Google and 30
other United States-based companies in 2009.
Spear-phishing is the "leading point of entry" for cyber-adversaries, according
to Anup Ghosh, founder and CEO of Invincea. Phishing is an "extremely low-risk,
high reward method" to co-opt users and gain access to the network, Ghosh told
eWEEK.
"A simple click on a
URL in an email or opening an attachment is all it takes to compromise the
unwitting user's machine, and gain unfettered access to the network from
there," Ghosh said.
Phishing dominated every
other attack category and accounted for half of all reported incidents in 2010,
according to United States CERT.
Attackers were allegedly using simplified Chinese characters to remotely control
infected computers, according to Japan's Yomiuri Shinbun newspaper. The
compromised machines were communicating with several servers outside of Japan,
including at least 20 servers in China, Hong Kong, the United States and India,
the paper reported.
Since the attack likely
involved a person with deep knowledge of the language, the investigators were
treating the incident as an international espionage case, according to Yomiuri.
Predictably, fingers are pointing at China, but Cosoi believed it was "way
too early" to accuse China.
"Criticism that China
initiated a cyber-attack is not only groundless, it goes against development of
international cooperation on cyber-security," Chinese Foreign Ministry
spokesman Hong Lei said in a daily briefing Sept. 20.
State-sponsored hacking is a "highly effective and far less expensive way" for
governments to empower their military rather than investing in research and
development, according to Joseph Steinberg, CEO of Green Armor Solutions. "It is
far cleaner to take out an enemy's defense capabilities through a virus, than
with bombs, and the virus approach ensures plausible deniability that an air
force cannot claim," Steinberg told eWEEK.
Japanese government
officials were reportedly furious after learning of the attacks through the
media, according to Reuters. The government requires all contractors to
immediately notify authorities of any suspected breach of sensitive or
classified information.
"It's up to the defense
ministry to decide whether the information is important. That is not for
Mitsubishi Heavy to decide. A report should have been made," a spokesman
for the ministry told Reuters.
Mitsubishi Heavy was also
criticized for how it handled the situation. "They've been dozing for the
past month," Yoshiyasu Takefuji, a cyber-security expert at Tokyo's Keio
University, told Reuters. While Mitsubishi Heavy said no classified
information had been leaked, if the investigation finds otherwise, the company
faces heavy fines.
A Japanese defense white
paper released last month urged better protection against cyber-attacks in
light of the recent attacks on Lockheed Martin and other U.S. defense
contractors. The government needed to "strengthen its information security
measures," Chief Cabinet Secretary Osamu Fujimura said.
"Cyber-security must be
a public-sector priority," Karen Kelley, a U.S. embassy
spokeswoman in Tokyo, told Reuters.