Mitsubishi Electric Confirms Major Data Breach – Expert Commentary

Mitsubishi Electric released a statement today confirming that the company was hit by a data breach dating back to late June last year. It’s speculated that the cyberattack is linked to a Chinese cyber-espionage group, Tick (or Bronze Butler), that is well-known for targeting Japan over the past few years. The unauthorized access was tracked to a compromised employee account. Hackers were also able to swipe 200 MB of files by accessing Mitsubishi Electric’s internal systems and networks.

Expert Comments

January 21, 2020
Vinay Sridhara
CTO
Balbix
The attack on Mitsubishi Electric highlights the all too sobering reality that security is only as strong as the weakest link, with connected affiliates and third parties in the supply chain constituting links as well. In this case, it appears that a China-based Mitsubishi affiliate was infiltrated via a compromised employee account. As with many other attacks, that foothold was used to move laterally across the network, ultimately giving the attackers access to 14 business units. Unfortunately, vulnerability scanning typically revolves around unpatched software on managed assets, creating a risk blind spot for most organizations. A compromised employee account would not show up on traditional vulnerability assessments. It is critical that two-factor authentication via a trusted second factor is deployed to reduce risk of breaches that occur from compromised credentials within an organization. It is important for enterprises to understand that it is not only humans who hold credentials. Servers, network devices and security tools often have passwords that enable integration and communication between devices. With access to machine-to-machine credentials, hackers can move throughout the enterprise, both vertically and horizontally, giving almost unfettered access to an IT system.
January 21, 2020
Dave Weinstein
CSO
Claroty
China has repeatedly demonstrated a propensity to target organisations at the intersection of industry and government, particularly as it relates to the defence sector. While no sensitive infrastructure information was compromised, according to reporting, the compromised personal information will undoubtedly be used to enable subsequent reconnaissance operations not only against Mitsubishi, but also its suppliers, customers, and partners -- both government and non-government. This incident highlights the degree to which China continues to view industrial espionage as a legitimate means of gaining competitive advantages, both economically and geopolitically.
January 21, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
As of 2020, essentially every business is a software business in some way, shape, or form. As such, software is critical infrastructure. It is an attractive target for attackers and many organisations have valuable information that must be protected. Software also serves as the foundation for other critical infrastructure, such as utilities, transportation, and healthcare. In these cases the stakes are even higher. Using a structured approach to minimizing risk means less danger for the organisation and its customers. Cybersecurity cannot be effectively managed with a one-time effort, but must be woven into the fabric of each organisation. A comprehensive security initiative includes three related efforts. First, organisations must control the supply chain of acquired software. Every piece of software presents some risk that must be evaluated and managed. Second, the security of software produced by the organisation must be managed using a secure development life cycle. Finally, an incident response plan ensures that the organisation can minimise damage when cyberattacks happen.
January 21, 2020
Jake Moore
Cybersecurity Specialist
ESET
When it is not a legality to confess to a breach, many companies would choose to not disclose any information about the hack and instead attempt to keep it hidden in the dark. However, I think we should be moving to a more honest approach: sharing information about data breaches openly. Whatever the size of the attack, I don’t think firms should hide in anonymity, as there is so much help on offer when it comes to a cyberattack. Some cyber professionals and the NCSC offer help for free – and it is nothing to be ashamed of. With the number of attacks on companies increasing exponentially, we have seen that these incidents don’t always impact them as much as first thought. Some businesses are afraid of sharing the details of hacks, but being honest with their customers and clients from the earliest opportunity will, in fact, highlight that we are all in this together. Communal help against threat actors is a far stronger defence to future proof us all.
January 22, 2020
Jake Olcott
VP of Government Affairs
BitSight
The Mitsubishi Electric data breach once again highlights the need for national organisations such as public services and Government agencies to take a proactive approach to monitoring their own third-party network of suppliers, in any sector. Management of third-party cyber risk is now a priority. These organisations must recognise that their third parties can create risk to themselves and its core operations. Actively measuring and managing third-party cyber risk is not a ‘nice to have’ – it’s a necessity to modern businesses. This requires verification, continuous monitoring, and active collaboration with an organisation’s third-party ecosystem; tools such as Security Ratings can provide significant value in constantly assessing this risk, for public sector bodies.
January 21, 2020
Greg Wendt
Executive Director
Appsian
Business applications and systems have become a frequent target of espionage. Largely because compromising a user’s credential has been identified as the most effective way to access sensitive business information without appearing suspicious enough to trip security alerts. Global companies continue to prioritize traditional network security; however, threats are evolving rapidly and are increasingly becoming user-centric, originating at the business application level. Enterprises such as Mitsubishi Electric must gain a comprehensive understanding of how identity has become the new network perimeter in modern security environments which are governed by mobile devices, remote connectivity, and web-facing applications. The first line of defense is no longer a network firewall – it’s now the end users. Today’s threats have evolved to exploit these new weaknesses and unfortunately many organizations lag behind. It is critical to implement a multi-layered approach for users requesting access to sensitive data. For example: combining additional authentication steps, contextual attributes, and even fine-grained controls on specific data fields. It is not just about keeping data from bad actors, but also utilizing a least privilege strategy that never grants “high privilege” access to a user by default – but limits access to what data is deemed absolutely necessary.