Mitsubishi Electric discloses data breach, possible data leak

Japanese multinational Mitsubishi Electric has admitted that it had suffered a data breach some six months ago, and that “personal information and corporate confidential information may have been leaked.”

The company, though, claims that “sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners have not been leaked.”

What was compromised in the Mitsubishi Electric data breach?

Mitsubishi Electric is a manufacturer of electronics and electrical equipment and its headquartered in Tokyo, Japan.

According to several reports from Japanese daily newspapers, the company discovered the data breach in late June, when they detected suspicious activities on a server at its Information Technology R&D Center in Kamakura, Kanagawa Prefecture, Japan.

Apparently, the attackers first breached the systems of an affiliated company in China and used them as a stepping stone for getting access to company systems located in key Mitsubishi Electric offices in Japan.

According to the Asahi Shimbun, the attackers infiltrated the company’s computer networks through hijacked accounts, which also allowed them to access computer terminals used by middle management executives and, consequently, all the classified information these executives had the clearance to access. They then proceeded to exfiltrate data in batches.

The newspaper’s sources familiar with the findings of the company’s internal investigation of the breach say that, ultimately, over 40 servers and more than 120 computer terminals at the company’s Tokyo headquarters and various domestic and overseas offices have been breached since July.

According to those same sources, the attacker managed to access and possibly exfiltrate:

• Company data (including that on joint projects, negotiations, incoming orders from partners, research documents, etc.)
• Data of more than 10 government organizations (including the Defense Ministry, the Nuclear Regulation Authority, and the Agency for Natural Resources and Energy)
• Data on many leading private-sector companies in the power, telecommunications, railway and auto industries.

Mitsubishi Electric also shared on Tuesday that personal information of more than 8,122 applicants, employees and retirees might have been leaked since the breach. This data includes names and addresses, previous employment history, birthdates, telephone numbers, etc. The company is apparently sending out notifications to the affected individuals, and has admitted that it reported the potential data leak to the government’s Personal Information Protection Commission only this month.

Who’s behind the breach?

The prime suspect for the breach is TICK (aka “BRONZE BUTLER” or “REDBALDKNIGHT”), a Chinese hacker group that has been operating for the last decade (at least) and is known for targeting and stealing sensitive and classified information from defense, aerospace, chemical, and satellite industries with head offices in Japan and subsidiaries in China.

Their usual MO is to compromise emails accounts of an organization (e.g., a research company, PR agency) and to use them to send spear-phishing emails laden with RAT malware to employees of the Japanese organizations’ Chinese subsidiaries.