Defence Firm Probably Hit By Spear-Phishing Attack

Researchers also suspect Japanese Mitsubishi Heavy hack was similar to Operation Aurora cyber-attacks

Spear-phishing techniques were most likely to have been used by the attacker that compromised Japanese defence contractor Mitsubishi Heavy Industries last month, security researchers said. Spear phishing techniques are increasingly being used to steal sensitive information.

Mitsubishi Heavy Industries has admitted that 83 systems in over 10 locations had been infected with several types of malware, including data-stealing Trojans. Japanese media reported that another defence contractor based in Japan – IHI, which builds engine parts for fighter planes – has also seen a dramatic increase in the number of suspicious emails and malicious attachments hitting its servers.

Not A SQL Or A DDoS

There are many possible scenarios to explain how Mitsubishi Heavy was infected. The possibilities include an infected computer connecting to the network, an employee’s log-in credentials being leaked, not having enough security measures, and employees having access to data they didn’t need, according to Catalin Cosoi, head of the online threats lab at BitDefender. Employees giving away too much personal information about themselves online would have made them more vulnerable to phishing emails, said Cosoi.

The attack against Mitsubishi Heavy was different from other attacks seen in recent months, which generally involved SQL injection or distributed denial of service. Malware and targeted attacks generally require “higher effort” for the attackers, but a recent Cisco study found that they are also more lucrative.

The “best” comparison for the attack on Mitsubishi Heavy would “probably” be Operation Aurora, Cosoi said. Operation Aurora refers to a six-month-long cyber-attack, believed to have originated from China, that hit Google and 30 other United States-based companies in 2009.

Spear-phishing is the “leading point of entry” for cyber-adversaries, according to Anup Ghosh, founder and CEO of Invincea. Phishing is an “extremely low-risk, high reward method” to co-opt users and gain access on to the network, he told eWEEK.

“A simple click on a URL in an email or opening an attachment is all it takes to compromise the unwitting user’s machine, and gain unfettered access to the network from there,” Ghosh said.

Phishing dominated every other attack category and accounted for half of all reported incidents in 2010, according to CERT, Carnegie Mellon University’s Computer Emergency Response Team.

Were Chinese Characters Involved?

Attackers were allegedly using simplified Chinese characters to remotely control infected computers, according to Japan’s Yomiuri Shinbun newspaper. The compromised machines were communicating with several servers outside of Japan, including at least 20 servers in China, Hong Kong, the United States and India, the paper reported.

Since the attack likely involved a person with deep knowledge of the language, the investigators were treating the incident as an international espionage case, according to Yomiuri. Predictably, fingers are pointing at China but Cosoi believed it was “way too early” to accuse China.

“Criticism that China initiated a cyber-attack is not only groundless, it goes against development of international co-operation on cyber-security,” Chinese Foreign Ministry spokesman Hong Lei said in a daily briefing.

Subtle Government Money-Saver

State-sponsored hacking is a “highly effective and far less expensive way” for governments to empower their military rather than investing in research and development, according to Joseph Steinberg, CEO of Green Armor Solutions. “It is far cleaner to take out an enemy’s defence capabilities through a virus, than with bombs, and the virus approach ensures plausible deniability that an air force cannot claim,” Steinberg told eWEEK.

Japanese government officials were reportedly furious after learning of the attacks through the media, according to Reuters. The government requires all contractors to immediately notify authorities of any suspected breach of sensitive or classified information.

“It’s up to the Defence Ministry to decide whether the information is important. That is not for Mitsubishi Heavy to decide. A report should have been made,” a spokesman for the ministry told Reuters.

Mitsubishi Heavy was also criticised for how it handled the situation. “They’ve been dozing for the past month,” Yoshiyasu Takefuji, a cyber-security expert at Tokyo’s Keio University, told Reuters. While Mitsubishi Heavy said no classified information had been leaked, if the investigation finds otherwise, the company faces heavy fines.

A Japanese defence white paper released last month urged better protection against cyber-attacks in light of the recent attacks on Lockheed Martin and other US defence contractors. The government needed to “strengthen its information security measures,” Chief Cabinet Secretary Osamu Fujimura said.

“Cyber-security must be a public-sector priority,” Karen Kelley, a US Embassy spokeswoman in Tokyo, told Reuters.