National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team envisages increasing electronic security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Mitsubishi Electric Warns of Data Leak After Security Breach

21 January 2020

Mitsubishi Electric, a leading global company in the manufacture and sales of electrical and electronic products, disclosed a security breach that might have caused the leak of personal and confidential corporate information.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

“On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside,” a detailed company statement published today says.

“This is an advanced method of monitoring and detection, and it took time to investigate because the log (operation record) for identifying the transmitted file was deleted by an attacker on some terminals.”

Mitsubishi Electric is still conducting internal investigations into the unauthorized access to its network, according to a Japanese security blogger.

Chinese-backed threat group might be behind the attack

The breach began with affiliates in China and then spread to the company’s internal network per an Asahi Shimbun report that prompted Mitsubishi Electric’s statement.

“The hijacked account was used to gain infiltration into the company’s internal network, and continued to gain unauthorized access to middle-managed PCs who had extensive access to sensitive information,” the report says.

“According to people involved, Chinese hackers Tick may have been involved,” Nikkei also found. “According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised.”

Tick (also tracked as Bronze Butler and REDBALDKNIGHT) is a cyber-espionage group known for primarily going after Japanese entities, with targets ranging from critical infrastructure and heavy industry organizations to international relations and manufacturing.

Their main goal is to steal intellectual property, confidential corporate info, and product details, after compromising enterprise servers via spearphishing and abusing various zero-day vulnerabilities.

The group is also known for usually deleting evidence from compromised devices to hinder investigations following their attacks.

Sensitive information potentially stolen

Mitsubishi Electric said that it wasn’t possible to know for sure whether information was exfiltrated by the attackers from some of the compromised terminals, since the logs were deleted to erase traces.

The company provides the following list of potentially leaked info, with estimates of the “maximum number of possible leaks” (employees, applicants, and retired employees) and an estimated quantity of around 200 MB of documents:

• Personal information and recruitment applicant information (1,987)
• New graduate recruitment applicants who joined the company from October 2017 to April 2020, and experienced recruitment applicants from 2011 to 2016 and our employee information (4,566)
• 2012 Survey results regarding the personnel treatment system implemented for employees in the headquarters in Japan, and information on retired employees of our affiliated companies (1,569)

“Exchanges with government agencies such as the Ministry of Defense, the Nuclear Regulatory Commission, the Agency for Natural Resources and Energy, the Cabinet Office, and the Ministry of the Environment,” as well as “transaction-related conference materials such as joint development with private companies such as electric power, railways, and telecommunications, and product orders” might also have been leaked as reported by Kyodo News.

However, an in-house investigation confirmed “that sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners did not leak.”

“To date, no damage or impact related to this matter has been confirmed,” Mitsubishi Electric’s statement also adds.

Local media also report that Japanese authorities were notified, with Chief Cabinet Secretary Yoshihide Suga confirming after the Cabinet meeting on the morning of January 20 that he “was notified that it was confirmed that there was no leak of sensitive information such as defense equipment and electric power.”

Mitsubishi Electric will start delivering notifications and reports on the breach to customers who might have had their information leaked during the incident.

“We are informing the affected customers of the possible breach of trade secrets,” the electrical and electronic equipment manufacturing firm also adds.

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
