Mitsubishi Electric released a statement today confirming that the company was hit by a data breach dating back to late June last year. It’s speculated that the cyberattack is linked to a Chinese cyber-espionage group, Tick (or Bronze Butler), that is well-known for targeting Japan over the past few years. The unauthorized access was tracked to a compromised employee account. Hackers were also able to swipe 200 MB of files by accessing Mitsubishi Electric’s internal systems and networks.
Mitsubishi Electric discloses security breach
* Main suspect: China's Tick (Bronze Butler) APT
* Breach date: June 28, 2019
* Point of origin: employee account at Chinese affiliate
* Intruder stole 200MB from "tens of PCs" and deleted access logs
https://t.co/BQUoaK5aNL pic.twitter.com/2fKf79ubew
— Catalin Cimpanu (@campuscodi) January 20, 2020
The Mitsubishi Electric data breach once again highlights the need for national organisations such as public services and Government agencies to take a proactive approach to monitoring their own third-party network of suppliers, in any sector. Management of third-party cyber risk is now a priority. These organisations must recognise that their third parties can create risk to themselves and their core operations. Actively measuring and managing third-party cyber risk is not a ‘nice to have’ – it’s a necessity to modern businesses. This requires verification, continuous monitoring, and active collaboration with an organisation’s third-party ecosystem; tools such as Security Ratings can provide significant value in constantly assessing this risk for public sector bodies.
China has repeatedly demonstrated a propensity to target organisations at the intersection of industry and government, particularly as it relates to the defence sector. While no sensitive infrastructure information was compromised, according to reporting, the compromised personal information will undoubtedly be used to enable subsequent reconnaissance operations not only against Mitsubishi, but also its suppliers, customers, and partners — both government and non-government. This incident highlights the degree to which China continues to view industrial espionage as a legitimate means of gaining competitive advantages, both economically and geopolitically.
As of 2020, essentially every business is a software business in some way, shape, or form. As such, software is critical infrastructure. It is an attractive target for attackers and many organisations have valuable information that must be protected. Software also serves as the foundation for other critical infrastructure, such as utilities, transportation, and healthcare. In these cases the stakes are even higher. Using a structured approach to minimizing risk means less danger for the organisation and its customers.
Cybersecurity cannot be effectively managed with a one-time effort, but must be woven into the fabric of each organisation. A comprehensive security initiative includes three related efforts. First, organisations must control the supply chain of acquired software. Every piece of software presents some risk that must be evaluated and managed. Second, the security of software produced by the organisation must be managed using a secure development life cycle. Finally, an incident response plan ensures that the organisation can minimise damage when cyberattacks happen.
When it is not a legality to confess to a breach, many companies would choose to not disclose any information about the hack and instead attempt to keep it hidden in the dark. However, I think we should be moving to a more honest approach: sharing information about data breaches openly. Whatever the size of the attack, I don’t think firms should hide in anonymity, as there is so much help on offer when it comes to a cyberattack. Some cyber professionals and the NCSC offer help for free, and it is nothing to be ashamed of.
With the number of attacks on companies increasing exponentially, we have seen that these incidents don’t always impact them as much as first thought. Some businesses are afraid of sharing the details of hacks, but being honest with their customers and clients from the earliest opportunity will, in fact, highlight that we are all in this together. Communal help against threat actors is a far stronger defence to future-proof us all.
Business applications and systems have become a frequent target of espionage, largely because compromising a user’s credential has been identified as the most effective way to access sensitive business information without appearing suspicious enough to trip security alerts. Global companies continue to prioritize traditional network security; however, threats are evolving rapidly and are increasingly becoming user-centric, originating at the business application level.
Enterprises such as Mitsubishi Electric must gain a comprehensive understanding of how identity has become the new network perimeter in modern security environments which are governed by mobile devices, remote connectivity, and web-facing applications. The first line of defense is no longer a network firewall – it’s now the end users. Today’s threats have evolved to exploit these new weaknesses and unfortunately many organizations lag behind. It is critical to implement a multi-layered approach for users requesting access to sensitive data. For example: combining additional authentication steps, contextual attributes, and even fine-grained controls on specific data fields. It is not just about keeping data from bad actors, but also utilizing a least privilege strategy that never grants “high privilege” access to a user by default – but limits access to what data is deemed absolutely necessary.