Mitsubishi Electric confirmed today that its computer network was breached by unnamed hackers in June last year and that the breach may have resulted in the leak of "personal information and corporate confidential information" to unauthorised entities.
While Mitsubishi Electric did not define the exact nature of data that was accessed by malicious actors who breached its systems last year, the Japanese electronics giant said that no technical information or information of the company's customers was accessed by third parties.
Mitsubishi Electric manufactures cutting-edge defence equipment such as torpedoes, missile launching platforms, fighter planes, guided weapon systems, laser radar surveillance systems, surface-to-ship missiles, anti-submarine rockets, submarines, and air-to-air missiles for Japanese and foreign defence forces.
As such, the leakage of technical data held by Mitsubishi could have resulted in a national security crisis as critical information related to defence systems could have reached the hands of Japan's competitors- particularly China.
"We have confirmed that our network may have been subject to unauthorized access by third parties and that personal information and corporate confidential information may have been leaked to the outside. After recognizing the suspicious behavior of the terminal on June 28 last year, we immediately took measures such as restricting external access.
"As a result of an internal survey, sensitive information on social infrastructure such as defense, we have confirmed that no technical information or important information related to business partners has been leaked. To date, no damage or impact related to this matter has been confirmed. We deeply apologize for causing such anxiety and inconvenience to those concerned and the customers involved," the company said.
Hackers who targeted Mitsubishi Electric were possibly members of a Chinese hacker group
According to Japanese media firm Nikkei, hackers who targeted Mitsubishi Electric's network were possibly members of a Chinese hacker group known as Tick and in order to remove the evidence of their intrusion, they deleted all logs that could have been analyzed by the company to verify the leak of confidential information.
Nikkei added that the hackers stole up to 200MB of documents, some of which contained information on Japanese government agencies such as the Ministry of Defense, the Nuclear Regulatory Commission, and the Agency for Natural Resources and Energy.
The stolen documents also contained information on domestic and overseas companies such as electric power and telecommunications, JR / private railways, and major automobile companies.
Commenting on the cyber attack targeting Mitsubishi's network, Jonathan Knudsen, senior security strategist at Synopsys, said considering that essentially every business is a software business in some way and is an attractive target for attackers, using a structured approach to minimizing risk means less danger for the organisation and its customers.
"Cybersecurity cannot be effectively managed with a one-time effort, but must be woven into the fabric of each organisation. A comprehensive security initiative includes three related efforts. First, organisations must control the supply chain of acquired software.
"Every piece of software presents some risk that must be evaluated and managed. Second, the security of software produced by the organisation must be managed using a secure development life cycle. Finally, an incident response plan ensures that the organisation can minimise damage when cyberattacks happen," he added.
In May last year, a month prior to the breach of Mitsubishi Electric's network, security firm Nozomi Networks Labs had discovered a security flaw in the company's MELSEC-Q Series Ethernet Module that allowed a "remote attacker to render the PLC’s state in fault mode, requiring a cold restart for recovering the system and/or doing privilege escalation or execute arbitrary code in the context of the affected system of the workstation engineering software."
The security firm recommended restricting access to all control system devices from the Internet, locating and isolating control system networks from the business network, and using secure VPNs to remote access control system networks. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory about the vulnerability.