Mitsubishi Heavy Network Most Likely Compromised by Spear-Phishing Attack

Security researchers suspect that Japanese defense contractor Mitsubishi Heavy Industries was hit by a spear-phishing attack and that the operation bears the marks of the recent Operation Aurora cyber-spying campaign.

Attackers most likely used spear-phishing techniques to compromise Japanese defense contractor Mitsubishi Heavy Industries last month, security researchers said. Spear phishing techniques are increasingly being used to steal sensitive information.

Mitsubishi Heavy Industries admitted Sept. 19 that 83 systems in over 10 locations had been infected with several types of malware, including data-stealing Trojans. Japanese media reported that another defense contractor based in Japan-IHI, which builds engine parts for fighter planes-has also seen a dramatic increase in the number of suspicious emails and malicious attachments hitting its servers.

There are many possible scenarios as to how Mitsubishi Heavy was infected. The possibilities include an infected computer connecting to the network, an employee's log-in credentials being leaked, not having enough security measures and employees having access to data they didn't need, according to Catalin Cosoi, head of the online threats lab at BitDefender. Employees giving away too much personal information about themselves online would have made them more vulnerable to phishing emails, said Cosoi.

The attack against Mitsubishi Heavy was different from other attacks seen in recent months, which generally involved SQL injection or distributed denial of service. Malware and targeted attacks generally require "higher effort" for the attackers, but a recent Cisco study found that they are also more lucrative.

The "best" comparison for the attack on Mitsubishi Heavy would "probably" be Operation Aurora, Cosoi said. Operation Aurora refers to a six-month-long cyber-attack, believed to have originated from China, that hit Google and 30 other United States-based companies in 2009.

Spear-phishing is the "leading point of entry" for cyber-adversaries, according to Anup Ghosh, founder and CEO of Invincea. Phishing is an "extremely low-risk, high reward method" to co-opt users and gain access on to the network, Ghosh told eWEEK.

"A simple click on a URL in an email or opening an attachment is all it takes to compromise the unwitting user's machine, and gain unfettered access to the network from there," Ghosh said.

Phishing dominated every other attack category and accounted for half of all reported incidents in 2010, according to United States CERT.

Attackers were allegedly using simplified Chinese characters to remotely control infected computers, according to Japan's Yomiuri Shinbun newspaper. The compromised machines were communicating with several servers outside of Japan, including at least 20 servers in China, Hong Kong, the United States and India, the paper reported.

Since the attack likely involved a person with deep knowledge of the language, the investigators were treating the incident as an international espionage case, according to Yomiuri. Predictably, fingers are pointing at China, but Cosoi believed it was "way too early" to accuse China.

"Criticism that China initiated a cyber-attack is not only groundless, it goes against development of international cooperation on cyber-security," Chinese Foreign Ministry spokesman Hong Lei said in a daily briefing Sept. 20.

State-sponsored hacking is a "highly effective and far less expensive way" for governments to empower their military rather than investing in research and development, according to Joseph Steinberg, CEO of Green Armor Solutions. "It is far cleaner to take out an enemy's defense capabilities through a virus, than with bombs, and the virus approach ensures plausible deniability that an air force cannot claim," Steinberg told eWEEK.

Japanese government officials were reportedly furious after learning of the attacks through the media, according to Reuters. The government requires all contractors to immediately notify authorities of any suspected breach of sensitive or classified information.

"It's up to the defense ministry to decide whether the information is important. That is not for Mitsubishi Heavy to decide. A report should have been made," a spokesman for the ministry told Reuters.

Mitsubishi Heavy was also criticized for how it handled the situation. "They've been dozing for the past month," Yoshiyasu Takefuji, a cyber-security expert at Tokyo's Keio University, told Reuters. While Mitsubishi Heavy said no classified information had been leaked, if the investigation finds otherwise, the company faces heavy fines.

A Japanese defense white paper released last month urged better protection against cyber-attacks in light of the recent attacks on Lockheed Martin and other U.S. defense contractors. The government needed to "strengthen its information security measures," Chief Cabinet Secretary Osamu Fujimura said.

"Cyber-security must be a public-sector priority," Karen Kelley, a U.S. embassy spokeswoman in Tokyo, told Reuters.