Mitsubishi Electric, a leading global company in the manufacture and sales of electrical and electronic products, disclosed a security breach that might have caused the leak of personal and confidential corporate information.
The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.
“On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside,” a detailed company statement published today says.
“This is an advanced method of monitoring and detection, and it took time to investigate because the log (operation record) for identifying the transmitted file was deleted by an attacker on some terminals.”
According to a Japanese security blogger, Mitsubishi Electric is still conducting internal investigations into the unauthorized access to its network.
Chinese-backed threat group might be behind the attack
The breach began with affiliates in China and then spread to the company’s internal network, according to the Asahi Shimbun report that prompted Mitsubishi Electric’s statement.
“The hijacked account was used to gain infiltration into the company’s internal network, and continued to gain unauthorized access to middle-managed PCs who had extensive access to sensitive information,” the report says.
“According to people involved, Chinese hackers Tick may have been involved,” Nikkei also found. “According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised.”
Tick (also tracked as Bronze Butler and REDBALDKNIGHT) is a cyber-espionage group known for primarily going after Japanese entities, with targets ranging from critical infrastructure and heavy industry organizations to international relations and manufacturing.
Their main goal is to steal intellectual property, confidential corporate info, and product details, after compromising enterprise servers via spearphishing and abusing various zero-day vulnerabilities.
The group is also known to delete evidence from compromised devices to hinder investigations following its attacks.
Sensitive information potentially stolen
Mitsubishi Electric said that it could not determine for certain whether information was exfiltrated from some of the compromised terminals, because the attackers deleted the logs to erase their traces.
The company provides the following list of potentially leaked information, covering employees, applicants, and retired employees, with an estimate of the “maximum number of possible leaks” for each item and an estimated volume of around 200 MB of documents:
• Personal information and recruitment applicant information (1,987)
• New graduate recruitment applicants who joined the company from October 2017 to April 2020, and experienced recruitment applicants from 2011 to 2016 and our employee information (4,566)
• 2012 Survey results regarding the personnel treatment system implemented for employees in the headquarters in Japan, and information on retired employees of our affiliated companies (1,569)
“Exchanges with government agencies such as the Ministry of Defense, the Nuclear Regulatory Commission, the Agency for Natural Resources and Energy, the Cabinet Office, and the Ministry of the Environment,” as well as “transaction-related conference materials such as joint development with private companies such as electric power, railways, and telecommunications, and product orders” might also have been leaked as reported by Kyodo News.
However, an in-house investigation confirmed “that sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners did not leak.”
“To date, no damage or impact related to this matter has been confirmed,” Mitsubishi Electric’s statement adds.
Local media also report that Japanese authorities were notified, with Chief Cabinet Secretary Yoshihide Suga confirming after the Cabinet meeting on the morning of January 20 that he “was notified that it was confirmed that there was no leak of sensitive information such as defense equipment and electric power.”
Mitsubishi Electric will start delivering notifications and reports on the breach to customers who might have had their information leaked during the incident.
“We are informing the affected customers of the possible breach of trade secrets,” the electrical and electronic equipment manufacturing firm also adds.