Cybersecurity and the Mitsubishi Breach
Mitsubishi Electric is a global leader in electronics and electrical equipment manufacturing. With their expansive product line and capabilities, they are a giant in the industry. That being said, they still are targeted!
Breach
The breach occurred on June 28, 2019. This was not announced until January 2020. This may never have been announced publicly, except for two newspapers (Nikkei and Asahi Shimbun) publishing articles on the same. This was probably not the optimal strategy. This may have led to or added onto a mistrust. With a compromise of a business this size, the issue was bound to become known in public circles.
Bad Actor
The newspapers both named Tick as the malicious party behind the compromise. Tick is a Chinese-linked cyber-espionage group. While this may not be well-known in the enterprise community, this group is known in InfoSec.
Symptoms of the Issue
Everything appeared fine until that fateful day. The Mitsubishi Electric staff detected a suspicious file on one of their servers. Also, at this time there was unusual network behavior and irregular activity, which added to the suspicion. Once determined there was an issue, this was tracked back to a compromised user’s account. Through this avenue, the attack continued. They gained access to approximately 14 other company department networks, including sales and head administration networks. The attack ended up compromising tens of PCs and services in Japan and other locations. In a stroke of genius, the attackers also deleted access logs, in an attempt to cover their tracks.
Data
Once the abnormal behavior was noted, the external access was restricted immediately. While this action was heroic, there was data exfiltrated from the internal network. The estimate is 200 MB of data was stolen. There are a mixture of reports on what was exfiltrated. The data pool for the most part consists of mostly business documents relating to government agencies, and other business partners. This may have also included email exchanges with the Defense Ministry, Nuclear Registry Authority, and projects with private firms (e.g. utilities, railway operators, communications, and automakers). This also involved personal information and recruitment application information and new graduate recruitment applications for 1,987 persons. Lastly, there was a 2012 survey results regarding personnel treatment for 4,566 employees and 1,569 retirees in the data pool exfiltrated. While not in the several hundred thousand affected, this is still a rather large number of persons affected.
???
One question that comes to mind is why this took so long to report. The investigation itself was complex. The attackers thought through the attack and deleted activity logs. This coupled with the attack method would make the investigation an interesting activity. Simply investigating the compromise on its own footing takes a bit of time due to the many opportunities for attack. It’s not likely more substantive details will follow. This would have been another opportunity to learn from, so others would be able to build their defenses against like attacks.
Resources
Cimpanu, C. (2020, January 20). Mitsubishi electric discloses security breach, china is main suspect.
Retrieved from https://www.zdnet.com/article/mitsubishi-electric-discloses-security-breach-china-is-
main-suspect/
Gatlan, S. (2020, January 20). Mitsubishi electric warns of data leak after security breach. Retrieved from
https://www.bleepingcomputer.com/news/security/mitsubishi-electric-warns-of-data-leak-after-
security-breach/
Japan Times. (2020, January 20). Mitsubishi electric data likely compromised in massive cyberattack
blamed on Chinese group. Retrieved from
https://www.japantimes.co.jp/news/2020/01/20/business/corporate-business/mitsubishi-electric-
cyberattack-china/?mid=1#cid=9238821
National Cybersecurity. (2020, January 20). Mitsubishi electric discloses information leak. Retrieved from
https://nationalcybersecurity.com/infosec-mitsubishi-electric-discloses-information-leak/
Nikkei. (2020, January 20). Mitsubishi electric data may have been compromised in cyberattack.
Retrieved from https://asia.nikkei.com/Business/Companies/Mitsubishi-Electric-data-may-have-been-
compromised-in-cyberattack
Paganini, P. (2020, January 20). Mitsubishi electric discloses data breach, media blame china-linked APT.
Retrieved from https://securityaffairs.co/wordpress/96636/data-breach/mitsubishi-electric-data-
breach.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.