Mitsubishi Electric Confirms Major Data Breach - Expert Commentary

Mitsubishi Electric released a statement today confirming that the company was hit by a data breach dating back to late June last year. It’s speculated that the cyberattack is linked to a Chinese cyber-espionage group, Tick (or Bronze Butler), that is well-known for targeting Japan over the past few years. The unauthorized access was tracked to a compromised employee account. Hackers were also able swipe 200 MB of files by accessing Mitsubishi Electric’s internal systems and networks.

Mitsubishi Electric discloses security breach

* Main suspect: China's Tick (Bronze Butler) APT
* Breach date: June 28, 2019
* Point of origin: employee account at Chinese affiliate
* Intruder stole 200MB from "tens of PCs" and deleted access logshttps://t.co/BQUoaK5aNL pic.twitter.com/2fKf79ubew

— Catalin Cimpanu (@campuscodi) January 20, 2020

Experts Comments

Dot Your Expert Comments

Vinay Sridhara

January 21, 2020

CTO

Balbix

A compromised employee account would not show up on traditional vulnerability assessments.

The attack on Mitsubishi Electric highlights the all too sobering reality that security is only as strong as the weakest link, with connected affiliates and third parties in the supply chain constituting links as well. In this case, it appears that a China-based Mitsubishi affiliate was infiltrated via a compromised employee account. As with many other attacks, that foothold was used to move laterally across the network, ultimately giving the attackers access to 14 business units. Unfortunately, vulnerability scanning typically revolves around unpatched software on managed assets, creating a risk blind spot for most organizations. A compromised employee account would not show up on traditional vulnerability assessments. It is critical that two-factor authentication via a trusted second factor is deployed to reduce risk of breaches that occur from compromised credentials within an organization. It is important for enterprises to understand that it is not only humans who hold credentials. Servers, network devices and security tools often have passwords that enable integration and communication between devices. With access to machine-to-machine credentials, hackers can move throughout the enterprise, both vertically and horizontally, giving almost unfettered access to an IT system. Read Less

Dave Weinstein

January 21, 2020

CSO

Claroty

This incident highlights the degree to which China continues to view industrial espionage.

China has repeatedly demonstrated a propensity to target organisations at the intersection of industry and government, particularly as it relates to the defence sector. While no sensitive infrastructure information was compromised, according to reporting, the compromised personal information will undoubtedly be used to enable subsequent reconnaissance operations not only against Mitsubishi, but also its suppliers, customers, and partners -- both government and non-government. This incident.....Read More

Jonathan Knudsen

January 21, 2020

Senior Security Strategist

Synopsys

Cybersecurity cannot be effectively managed with a one-time effort, but must be woven into the fabric of each organisation.

As of 2020, essentially every business is a software business in some way, shape, or form. As such, software is critical infrastructure. It is an attractive target for attackers and many organisations have valuable information that must be protected. Software also serves as the foundation for other critical infrastructure, such as utilities, transportation, and healthcare. In these cases the stakes are even higher. Using a structured approach to minimizing risk means less danger for the organisation and its customers. Cybersecurity cannot be effectively managed with a one-time effort, but must be woven into the fabric of each organisation. A comprehensive security initiative includes three related efforts. First, organisations must control the supply chain of acquired software. Every piece of software presents some risk that must be evaluated and managed. Second, the security of software produced by the organisation must be managed using a secure development life cycle. Finally, an incident response plan ensures that the organisation can minimise damage when cyberattacks happen. Read Less

Jake Moore

January 21, 2020

Cybersecurity Specialist

ESET

I don’t think firms should hide in anonymity, as there is so much help on offer when it comes to a cyberattack.

When it is not a legality to confess to a breach, many companies would choose to not disclose any information about the hack and instead attempt to keep it hidden in the dark. However, I think we should be moving to a more honest approach: sharing information about data breaches openly. Whatever the size of the attack, I don’t think firms should hide in anonymity, as there is so much help on offer when it comes to a cyberattack. Some cyber professionals and the NCSC offer help for free- and it is nothing to be ashamed of. With the number of attacks on companies increasing exponentially, we have seen that these incidents don’t always impact them as much as first thought. Some businesses are afraid of sharing the details of hacks, but being honest with their customers and clients from the earliest opportunity will, in fact, highlight that we are all in this together. Communal help against threat actors is a far stronger defence to future proof us all. Read Less

Jake Olcott

January 22, 2020

VP of Government Affairs

BitSight

These organisations must recognise that their third parties can create risk to themselves and its core operations.

The Mitsubishi Electric data breach once again highlights the need for national organisations such as public services and Government agencies to take a proactive approach to monitoring their own third-party network of suppliers, in any sector. Management of third-party cyber risk is now a priority. These organisations must recognise that their third parties can create risk to themselves and its core operations. Actively measuring and managing third-party cyber risk is not a ‘nice to have’ – it’s a necessity to modern businesses. This requires verification, continuous monitoring, and active collaboration with an organisation’s third-party ecosystem; tools such as Security Ratings can provide significant value in constantly assessing this risk, for public sector bodies. Read Less

Greg Wendt

January 21, 2020

Executive Director

Appsian

The first line of defense is no longer a network firewall – it’s now the end users.

Business applications and systems have become a frequent target of espionage. Largely because compromising a user’s credential has been identified as the most effective way to access sensitive business information without appearing suspicious enough to trip security alerts. Global companies continue to prioritize traditional network security; however, threats are evolving rapidly and are increasingly becoming user-centric, originating at the business application level. Enterprises such as Mitsubishi Electric must gain a comprehensive understanding of how identity has become the new network perimeter in modern security environments which are governed by mobile devices, remote connectivity, and web-facing applications. The first line of defense is no longer a network firewall – it’s now the end users. Today’s threats have evolved to exploit these new weaknesses and unfortunately many organizations lag behind. It is critical to implement a multi-layered approach for users requesting access to sensitive data. For example: combining additional authentication steps, contextual attributes, and even fine-grained controls on specific data fields. It is not just about keeping data from bad actors, but also utilizing a least privilege strategy that never grants “high privilege” access to a user by default – but limits access to what data is deemed absolutely necessary. Read Less