On Monday, sources close to the Japanese defense ministry said that while data relating to confidential national security matters didn't appear to have been breached, sensitive information had been stolen, reported the Japan Times.
Notably, Mitsubishi Heavy--Japan's largest defense contractor, perhaps best known in the United States for manufacturing the surface-to-air Patriot missile--found that multiple PCs were infected with a Trojan application designed to send data to an outside server. In addition, "an internal investigation found signs that the information had been transmitted outside the company's computer network, with the strong possibility that an outsider was involved," reported Asahi Shimbun.
[Is Internet security a myth? Learn why the Top FBI Cyber Cop Recommends New Secure Internet.]
Earlier this month, both Mitsubishi Heavy and Kawasaki Heavy Industries suffered attacks after hackers stole email addresses for senior executives at defense contractors, reported the Daily Yomiuri. The email addresses were stolen earlier this year from the Society of Japanese Aerospace Companies (SJAC), an industry association that counts numerous Japanese aeronautics, space, and defense-related import businesses as members and partners.
The recent attack against Mitsubishi Heavy and Kawasaki Heavy Industries followed attacks against numerous Japanese defense contractors over the summer. They came to light when Mitsubishi Heavy filed a complaint to Tokyo police in September, saying that its website had been breached by an attack that targeted 45 company servers, resulting in 38 computers in 11 locations being infected with more than 50 different types of viruses.
Those viruses apparently enabled the attackers to steal data from Mitsubishi Heavy relating to warplanes, nuclear plants, as well as Japan's Type 80 ASM-1 missile, which can be used against ships. Notably, the locations infected by the viruses included the Kobe and Nagasaki shipyards, which build submarines and destroyers, as well a facility in Nagoya that's building a guided missile system, reported Asahi Shimbun.
Meanwhile, in the most recent attack--involving SJAC--the attacker used the industry association as a stepping stone to the defense contractors. "The hacker targeted the industry association, which has inadequate security. We assume the hacker attempted to use it to spread computer viruses throughout the nation's defense industry," a senior Japanese police official told the Daily Yomiuri. Similar attacks were launched against Kawasaki Heavy Industries, and the attacker appeared to have stolen at least some of that company's emails.
But police said that before breaching SJAC, the attacker first exploited a PC at an international telephone service company located in Tokyo. The attacker used that PC to send an email--presumably with a malicious attachment--to someone at SJAC. The malicious attachment was opened, and a PC at SJAC compromised. From there, the attacker used the PC to access an internal server containing the names and email addresses for senior executives at Japanese defense contractors.
Next, the attacker sent one or more emails from the exploited PC at SJAC, supposedly from an SJAC executive, to defense contractors. In the case of Kawasaki Heavy Industries, the email subject line read, "Prior distribution of documents," and the message included a malicious file attachment titled "Comments on lump sum procurement." Interestingly, the email's subject line and contents were virtually identical to a message that the executive had sent, just 10 hours prior.
Japan's defense contractors aren't the only institutions being targeted by attackers. On Tuesday, Asahi Shimbun reported that a Trojan application sent as an email attachment to Japanese legislators had enabled attackers to spy on lawmakers for at least a month. Once the Trojan application had infected a targeted PC, it downloaded malware from a server in China, enabling the attackers to steal usernames and passwords.
"Inevitably there will be suspicions that the attack was sponsored by the Chinese, because of the involvement of a server based in China. But that fact alone is not a convincing reason to blame China for the attack," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "For one thing, it's perfectly possible that the attack was the work of a lone Chinese hacker--without the backing of his government or military. And even more relevantly, computer hackers can plant their malware on servers all around the world--so it's just as possible that a hacker in, say, New Zealand placed his malware on a compromised Chinese server."
Indeed, one advanced persistent threat trend is that, to reach a target, hackers increasingly exploit a number of intermediaries--some directly related, some not. That helps disguise their ultimate attack, which appears to come from a trusted source. Furthermore, all of those layers help to obscure the identity, location, and motive of the attacker.
"They're so far removed within their shell companies and hidden away that technically the attack might be coming from an attacker or a network right next to you, but really the attackers might be 10 countries away with different hops through different organizations," said John Harrison, group manager with Symantec Security Response, in a recent press briefing that detailed hacker strategies. As a result, spotting and stopping such attacks can be quite difficult.