08:47 AM

Hackers Likely Have Japanese Warplane, Nuclear Data

Attackers likely accessed sensitive data relating to military aircraft, missiles, and nuclear power plant designs and safety systems, said Japanese defense officials.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Hackers targeting Japan's defense industry likely obtained sensitive information relating to military warplanes, missiles, as well as design and safety information for nuclear power plants.

On Monday, sources close to the Japanese defense ministry said that while data relating to confidential national security matters didn't appear to have been breached, sensitive information had been stolen, reported the Japan Times.

Notably, Mitsubishi Heavy--Japan's largest defense contractor, perhaps best known in the United States for manufacturing the surface-to-air Patriot missile--found that multiple PCs were infected with a Trojan application designed to send data to an outside server. In addition, "an internal investigation found signs that the information had been transmitted outside the company's computer network, with the strong possibility that an outsider was involved," reported Asahi Shimbun.

[Is Internet security a myth? Learn why the Top FBI Cyber Cop Recommends New Secure Internet.]

Earlier this month, both Mitsubishi Heavy and Kawasaki Heavy Industries suffered attacks after hackers stole email addresses for senior executives at defense contractors, reported the Daily Yomiuri. The email addresses were stolen earlier this year from the Society of Japanese Aerospace Companies (SJAC), an industry association that counts numerous Japanese aeronautics, space, and defense-related import businesses as members and partners.

The recent attack against Mitsubishi Heavy and Kawasaki Heavy Industries followed attacks against numerous Japanese defense contractors over the summer. They came to light when Mitsubishi Heavy filed a complaint to Tokyo police in September, saying that its website had been breached by an attack that targeted 45 company servers, resulting in 38 computers in 11 locations being infected with more than 50 different types of viruses.

Those viruses apparently enabled the attackers to steal data from Mitsubishi Heavy relating to warplanes, nuclear plants, as well as Japan's Type 80 ASM-1 missile, which can be used against ships. Notably, the locations infected by the viruses included the Kobe and Nagasaki shipyards, which build submarines and destroyers, as well a facility in Nagoya that's building a guided missile system, reported Asahi Shimbun.

Meanwhile, in the most recent attack--involving SJAC--the attacker used the industry association as a stepping stone to the defense contractors. "The hacker targeted the industry association, which has inadequate security. We assume the hacker attempted to use it to spread computer viruses throughout the nation's defense industry," a senior Japanese police official told the Daily Yomiuri. Similar attacks were launched against Kawasaki Heavy Industries, and the attacker appeared to have stolen at least some of that company's emails.

But police said that before breaching SJAC, the attacker first exploited a PC at an international telephone service company located in Tokyo. The attacker used that PC to send an email--presumably with a malicious attachment--to someone at SJAC. The malicious attachment was opened, and a PC at SJAC compromised. From there, the attacker used the PC to access an internal server containing the names and email addresses for senior executives at Japanese defense contractors.

Next, the attacker sent one or more emails from the exploited PC at SJAC, supposedly from an SJAC executive, to defense contractors. In the case of Kawasaki Heavy Industries, the email subject line read, "Prior distribution of documents," and the message included a malicious file attachment titled "Comments on lump sum procurement." Interestingly, the email's subject line and contents were virtually identical to a message that the executive had sent, just 10 hours prior.

Japan's defense contractors aren't the only institutions being targeted by attackers. On Tuesday, Asahi Shimbun reported that a Trojan application sent as an email attachment to Japanese legislators had enabled attackers to spy on lawmakers for at least a month. Once the Trojan application had infected a targeted PC, it downloaded malware from a server in China, enabling the attackers to steal usernames and passwords.

"Inevitably there will be suspicions that the attack was sponsored by the Chinese, because of the involvement of a server based in China. But that fact alone is not a convincing reason to blame China for the attack," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "For one thing, it's perfectly possible that the attack was the work of a lone Chinese hacker--without the backing of his government or military. And even more relevantly, computer hackers can plant their malware on servers all around the world--so it's just as possible that a hacker in, say, New Zealand placed his malware on a compromised Chinese server."

Indeed, one advanced persistent threat trend is that, to reach a target, hackers increasingly exploit a number of intermediaries--some directly related, some not. That helps disguise their ultimate attack, which appears to come from a trusted source. Furthermore, all of those layers help to obscure the identity, location, and motive of the attacker.

"They're so far removed within their shell companies and hidden away that technically the attack might be coming from an attacker or a network right next to you, but really the attackers might be 10 countries away with different hops through different organizations," said John Harrison, group manager with Symantec Security Response, in a recent press briefing that detailed hacker strategies. As a result, spotting and stopping such attacks can be quite difficult.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.