Attacks/Breaches
10/25/2011
08:47 AM

Hackers Likely Have Japanese Warplane, Nuclear Data

Attackers likely accessed sensitive data relating to military aircraft, missiles, and nuclear power plant designs and safety systems, said Japanese defense officials.

Hackers targeting Japan's defense industry likely obtained sensitive information relating to military warplanes and missiles, as well as design and safety information for nuclear power plants.

On Monday, sources close to the Japanese defense ministry said that while data relating to confidential national security matters didn't appear to have been breached, sensitive information had been stolen, reported the Japan Times.

Notably, Mitsubishi Heavy--Japan's largest defense contractor, perhaps best known in the United States for manufacturing the surface-to-air Patriot missile--found that multiple PCs were infected with a Trojan application designed to send data to an outside server. In addition, "an internal investigation found signs that the information had been transmitted outside the company's computer network, with the strong possibility that an outsider was involved," reported Asahi Shimbun.


Earlier this month, both Mitsubishi Heavy and Kawasaki Heavy Industries suffered attacks after hackers stole email addresses for senior executives at defense contractors, reported the Daily Yomiuri. The email addresses were stolen earlier this year from the Society of Japanese Aerospace Companies (SJAC), an industry association that counts numerous Japanese aeronautics, space, and defense-related import businesses as members and partners.

The recent attack against Mitsubishi Heavy and Kawasaki Heavy Industries followed attacks against numerous Japanese defense contractors over the summer. They came to light when Mitsubishi Heavy filed a complaint to Tokyo police in September, saying that its website had been breached by an attack that targeted 45 company servers, resulting in 38 computers in 11 locations being infected with more than 50 different types of viruses.

Those viruses apparently enabled the attackers to steal data from Mitsubishi Heavy relating to warplanes and nuclear plants, as well as Japan's Type 80 ASM-1 missile, which can be used against ships. Notably, the locations infected by the viruses included the Kobe and Nagasaki shipyards, which build submarines and destroyers, as well as a facility in Nagoya that's building a guided missile system, reported Asahi Shimbun.

Meanwhile, in the most recent attack--involving SJAC--the attacker used the industry association as a stepping stone to the defense contractors. "The hacker targeted the industry association, which has inadequate security. We assume the hacker attempted to use it to spread computer viruses throughout the nation's defense industry," a senior Japanese police official told the Daily Yomiuri. Similar attacks were launched against Kawasaki Heavy Industries, and the attacker appeared to have stolen at least some of that company's emails.

But police said that before breaching SJAC, the attacker first exploited a PC at an international telephone service company located in Tokyo. The attacker used that PC to send an email--presumably with a malicious attachment--to someone at SJAC. The malicious attachment was opened, and a PC at SJAC compromised. From there, the attacker used the PC to access an internal server containing the names and email addresses for senior executives at Japanese defense contractors.

Next, the attacker sent one or more emails from the exploited PC at SJAC, supposedly from an SJAC executive, to defense contractors. In the case of Kawasaki Heavy Industries, the email subject line read, "Prior distribution of documents," and the message included a malicious file attachment titled "Comments on lump sum procurement." Interestingly, the email's subject line and contents were virtually identical to a message that the executive had sent, just 10 hours prior.
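Because the lure was sent from a genuinely compromised PC inside the trusted organization, sender checks alone would not flag it; the distinguishing trait reported above is a near-verbatim copy of a recent legitimate message carrying a different attachment. The following detection sketch is an added example, not code from the article or any party it names; the message fields, the 48-hour window, the 0.9 similarity threshold, and the sample log are all assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta
from difflib import SequenceMatcher

WINDOW = timedelta(hours=48)  # assumed look-back window
THRESHOLD = 0.9               # assumed similarity cut-off (0..1)

def _similar(a, b):
    """Whitespace- and case-insensitive similarity ratio."""
    norm = lambda s: " ".join(s.lower().split())
    return SequenceMatcher(None, norm(a), norm(b)).ratio()

def find_replays(messages):
    """Return (earlier_id, later_id) pairs: same sender, near-identical
    subject and body within WINDOW, but a different attachment set."""
    hits = []
    ordered = sorted(messages, key=lambda m: m["time"])
    for i, later in enumerate(ordered):
        if not later["attachments"]:
            continue
        for earlier in ordered[:i]:
            if (later["sender"] == earlier["sender"]
                    and later["time"] - earlier["time"] <= WINDOW
                    and later["attachments"] != earlier["attachments"]
                    and _similar(later["subject"], earlier["subject"]) >= THRESHOLD
                    and _similar(later["body"], earlier["body"]) >= THRESHOLD):
                hits.append((earlier["id"], later["id"]))
    return hits

def _sha(data):
    return frozenset({hashlib.sha256(data).hexdigest()})

# Constructed sample mail log (not real data); attachments are sets of SHA-256 digests.
BODY = "Please review the attached documents before the meeting."
SAMPLE = [
    {"id": "m1", "sender": "exec@association.example", "time": datetime(2011, 1, 10, 9, 0),
     "subject": "Prior distribution of documents", "body": BODY,
     "attachments": _sha(b"original document")},
    {"id": "m2", "sender": "exec@association.example", "time": datetime(2011, 1, 10, 19, 0),
     "subject": "Prior distribution of documents", "body": BODY + " ",
     "attachments": _sha(b"different file, same cover text")},
    {"id": "m3", "sender": "exec@association.example", "time": datetime(2011, 1, 10, 20, 0),
     "subject": "Lunch on Friday", "body": "Are you free at noon?",
     "attachments": _sha(b"menu")},
]

if __name__ == "__main__":
    print(find_replays(SAMPLE))
```

A hit is a triage signal rather than a verdict, since legitimate corrections ("resending with the right file") match the same pattern.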

Japan's defense contractors aren't the only institutions being targeted by attackers. On Tuesday, Asahi Shimbun reported that a Trojan application sent as an email attachment to Japanese legislators had enabled attackers to spy on lawmakers for at least a month. Once the Trojan application had infected a targeted PC, it downloaded malware from a server in China, enabling the attackers to steal usernames and passwords.

"Inevitably there will be suspicions that the attack was sponsored by the Chinese, because of the involvement of a server based in China. But that fact alone is not a convincing reason to blame China for the attack," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "For one thing, it's perfectly possible that the attack was the work of a lone Chinese hacker--without the backing of his government or military. And even more relevantly, computer hackers can plant their malware on servers all around the world--so it's just as possible that a hacker in, say, New Zealand placed his malware on a compromised Chinese server."

Indeed, one advanced persistent threat trend is that, to reach a target, hackers increasingly exploit a number of intermediaries--some directly related, some not. That helps disguise their ultimate attack, which appears to come from a trusted source. Furthermore, all of those layers help to obscure the identity, location, and motive of the attacker.

"They're so far removed within their shell companies and hidden away that technically the attack might be coming from an attacker or a network right next to you, but really the attackers might be 10 countries away with different hops through different organizations," said John Harrison, group manager with Symantec Security Response, in a recent press briefing that detailed hacker strategies. As a result, spotting and stopping such attacks can be quite difficult.
