Japan's Largest Defense Contractor Hacked

wiredmikey writes "Mitsubishi Heavy Industries Ltd, Japan's largest defense contractor, has been a victim of a cyber attack, according to a report from the company. The company said attackers had gained access to company computer systems, with some reports saying the attacks targeted its submarine, missile and nuclear power plant component businesses. According to The Yomiuri newspaper, approximately 80 systems had been infected with malware at the company's headquarters in Tokyo, as well as manufacturing and research and development sites, including Kobe Shipyard & Machinery Works, Nagasaki Shipyard & Machinery Works and Nagoya Guidance & Propulsion System Works. 'We can't rule out small possibilities of further information leakage but so far crucial data about our products or technologies have been kept safe,' a Mitsubishi Heavy spokesman told Reuters. 'We've found out that some system information such as IP addresses have been leaked and that's creepy enough,' the spokesman added."

what the data security run by Sony?

[lecheiron]

that must explains it.

Re:

[antdude]

"what the data security run by Sony?" sounds funny. :)

A soft perimeter is a good thing.

[Karmashock]

Letting hackers half way into your system especially when you're dealing with state sponsored hacking groups or corporate espionage is not a horrible idea so long as you make it work for you.

After all even though they're in your systems you have have an opportunity to log them in a way that you don't if they're just scrapping on the outside. Build a multi-tiered defense and let them get all the information that you don't actually care about. For example... promotional information and publicly released data. You can also have dummy files thrown around with garbage data filled in rather then the real specs. Have fun with it. But the really secret stuff... consider not having that on the network at all. If you're talking about top secret information... maybe that calls for an armed courier.

Re:A soft perimeter is a good thing.

[Dunbal]

Congratulations you have (re)invented the Honey Pot [wikipedia.org].

Re:

[Karmashock]

You have to take the random anti american trolls in stride... we do... They're shambling zombies littering the post apocalyptic political wasteland that is their ideology. Scrapping around... medically dead... moaning for brains.

Best you can do is stock lots of food and assume a defensible position. They'll burn themselves out eventually.

Re:

[X0563511]

Yea, I'm sure that perspective isn't biased at all...

Re:

[MokuMokuRyoushi]

Interestingly, I'm suspicious that you'd find an equal number of American males of the same desire.

Re:

[Wyatt Earp]

But they are creating slow cultural suicide with declining birth rates and an aging population without enough young workers to support the welfare system for the older generation.

As for being more civilized, the acts committed by Imperial Japan across eastern Asia and the Pacific Rim really call that civilization into question.

Please tell me how German civilization is superior to all other European cultures.

Re:

[triffid_98]

But they are creating slow cultural suicide with declining birth rates and an aging population without enough young workers to support the welfare system for the older generation.

I'm pretty sure the plan was to implant all of the old people into robot bodies but Honda spent all of their R+D money on this 'Asimo' thing instead of the Gundams the Health Ministry asked for.

Re:

[Wyatt Earp]

That would be fracking awesome.

Like Robot Nixon.

Re:

[That Guy From Mrktng]

Hey! “the ministry of agriculture is not in charge of Gundam” [japantrends.com]

Re:

[Karmashock]

Oh, I'm sure someone else has had similar ideas. I just think these should be applied systemically when protecting high profile systems.

Have the outer defenses strong enough to ward off all the casual attackers and then just let the more dangerous guys in so you can track them rather then letting them learn the limitations of your system let them think they evaded detection.

Re:

[Anonymous Coward]

Better yet, have engineers design flaws into the "valuable" information that would go undetected until the devices self-destruct while in use. A few metric to imperial conversion errors is all it takes.

Re:

[networkBoy]

Worked fine for the CIA and oil pipeline specs "stolen" by the KGB...

Re:

[Karmashock]

Secret associations. There's the file and the modification to the file and back up hard copy unaltered files that will be consulted prior to doing anything. But if someone goes rifling through things why not make the crap convenient.

I'm just saying you're not going to stop every intrusion. So why not plan for a successful intrusion to work for you. I wouldn't go so far as to give them bogus plans mostly because I don't want to give them even that much. I want to track the intrusion. Maybe make it easy to ge

Re:

[Tekfactory]

Get yourself some Data Extrusion Detection and Data Loss Prevention thinking going on.

The bad guy will get in, but most often one of your users will open an email with a PDF or other broken but normal looking file in it, whatever the payload is, it will drop on the user's system when they open the document. It will call home to its Command and Control node, the bad man will use that machine as a pivot point to access other machines. You never saw him come in because the user's machine opened up an outbound

Re:

[Karmashock]

it's a good point but really I don't see why we're giving users the ability to do that at all.

I think a good it department should be able to run almost entirely on security whitelists. And that outbound connection isn't included in the whitelist.

Port 80 is only to approved URLs through an internal DNS server. Email is only through the corporate email server. Etc.

If they want to talk to a machine on the internet that the IT department hasn't vetted they can issue a ticket and the IT dep will get to it.

Again,

Re:A soft perimeter is a good thing.

[JoshuaZ]

There are allegations that the US did just that to the Soviet Union during the cold war. See http://www.zdnet.co.uk/news/it-strategy/2004/03/01/us-software-blew-up-russian-gas-pipeline-39147917/ [zdnet.co.uk].

Re:

[Karmashock]

They copied enough things bolt for bolt to earn that little treat.

Re:

[Biff Stu]

So they stole the plans from PG&E?

Re:

[X0563511]

That worked so well for all of us when those Chinese capacitors started exploding (and kept exploding) for fucking years...

Re:

[Karmashock]

Not if you disable local file storage.

We're moving towards cloud computing already and at the corporate level especially where security becomes that paranoid I think requiring everyone to RDP into a virtualized environment is entirely legitimate. So sure... it will be on their system... But their system will inherently not be low security if they access to those files.

Come on, I thought this was site for IT wonks. :-)

First rule of computer security is PHYSICAL security. You can have all the fancy encryption

Re:

[erroneus]

Except that is not how it works.... nice dream though.

I am not going to comment any further than this, but I have considerable inside knowledge of this situation and the things which enable it to happen.

That said, many people already know some of the reasons this has happened from previous news stories. When the lights come on in your head, you will know what I'm talking about.

Re:

[Karmashock]

Sadly I'm not in your esteemed in crowd so I have no idea what you're talking about.

Care to share or are you having fun being mysterious?

Re:

[Tekfactory]

Not quite so certain what Parent is being mysterious about. However Grandparent's idea of the soft and chewy outside is a terrible misinterpretation of defense in depth.

You own some of the less valuable folks, you own some of the less valuable data, now you can send authentic looking emails from real coworkers to people on the sensitive side.

Not that their recon isn't already doing this, some of the emails they use are very convincing.

Advanced Persistent Threats know a lot about their targets before they ev

Re:

[Karmashock]

email servers wouldn't be chewy... that's the sort of thing that would be in the castle keep. Though obviously you'd want to fragment the system by department so the advertisement department wouldn't compromise something else... as an example.

Re:

[erroneus]

To be less mysterious, I don't want to say anything that might compromise my employment.

Re:

[That Guy From Mrktng]

Sadly this POS forum does not allow anonymous cowards... are you reverse-baiting? oh wait

Re:

[Karmashock]

you can respond anonymously.... so... you're being pretty mysterious by refusing to answer on the grounds that you don't want to be identified.

Re:

[gstrickler]

Be sure to include some encrypted files with obscure names. The encrypted data can either be disinformation, or publicly available info, or random garbage, but the encryption and intriguing names will waste some of their time.

Re:

[Karmashock]

Exactly. Let robber into the vault and let him walk away with a sack... he doesn't have to know he's carrying bundles of newspaper clippings.

Re:

[ColdWetDog]

Be sure to include some encrypted files with obscure names. The encrypted data can either be disinformation, or publicly available info, or random garbage, but the encryption and intriguing names will waste some of their time.

Kim Kardashian_nkd_wedding.zip.rar.exe.app

Re:

[black soap]

So all those misattributed song files on napster were really.... DRM?

Re:

[gstrickler]

A little exercise can firm up that soft perimeter for you.

Re:

[Karmashock]

My suggestion is that it be intentionally soft at least in appearence. The notion would be that it wouldn't be that hard to get in. Hard enough maybe to keep out the casual or inexperienced hacker. But not so tough as to give a pro a headache. But at the same time you set it up so that while it doesn't forbid little tricks to get in it has a disproportionally sophisticated detection and logging system. So it notices when there is an intrusion even if it isn't stopping it. I think that would help the securit

Re:

[gstrickler]

Whoosh.....!

Lose your sense of humor???

Re:

[Karmashock]

I'm binary with stuff like that. My humor is on or off. Sorry... It has no dimmer switch.. I tend to switch it off when I get analytical and switch it on when I get bored.

Re:

[gstrickler]

Well, upgrade to a 4-bit system. :)

Re:

[Karmashock]

It will have to be added in the next version... I think the issue is hardware based and not even a firmware update would help.

Aww, got my hopes up...

[John Pfeiffer]

I was hoping someone had gotten out technical documents of bipedal weapons platforms, or powered armor, or SOMETHING. :(

Re:Aww, got my hopes up...

[ddxexex]

This was a defense contractor they hacked.

If they wanted Gundam, they would have hacked a contractor for the ministry of agriculture...

Re:

[tlhIngan]

This was a defense contractor they hacked.

If they wanted Gundam, they would have hacked a contractor for the ministry of agriculture...

Daily Planet (a Canadian science magazine show on Discovery Canada) had just a segment last week...

http://watch.ctv.ca/clip531934#clip531934 [watch.ctv.ca]

What I can't believe is how they just danced around the whole "it's a mech" term. It's amusing to watch in its own right as the host just refuses to call it what it is.

Oh yeah, it has guns, too! And yes, it's from a company that makes fa

Re:

[sabt-pestnu]

> Oh yeah, it has guns, too!

Rubber ball cannons. They don't count as "weapons" though.

Re:

[Calydor]

Fill each little rubber ball with some unstable nitroglycerine or other explode-on-impact chemical and I assure you it's a weapon. Get shot in the face by one as-is and you'll call it a weapon, too.

Re:

[anti-pop-frustration]

The ministry of agriculture is not in charge of Gundam. The Gundam ministry is in charge of Gundam.

Re:

[KillaBeave]

I was hoping someone had gotten out technical documents of bipedal weapons platforms, or powered armor, or SOMETHING. :(

I was also hoping that Mitsubishi had went from Zero to Heero as well ...

Re:

[DarthVain]

They did though it was mostly useless having been designed for 15 year old girls to pilot... The uniforms were also rejected due to the probability of lawsuits...

In unrelated news

[elrous0]

Chinese defense contractors announced today that they have made a series of tremendous advancements in submarine, missile, and nuclear power plant component technology.

Re:

[Ramin_HAL9001]

Chinese defense contractors announced today that they have made a series of tremendous advancements in submarine, missile, and nuclear power plant component technology.

@elrous
Exactly. At first I thought this might have been stuxnet accidentally spread to Asia. But already it is starting to look like it may have been a separate, highly targeted attack. Guess which country hates Japan and has the capabilities to carry out cyber warfare? Hint: it's not North Korea (though North Korea does hate Japan).

very interesting...

[PJ6]

looks like a job for Section 9

fail

[Charliemopps]

How many times does this have to happen before these businesses realize they should not be on the internet... period. You're either inside the building, or your not logged in. It's that simple.

Re:

[Rogerborg]

"The" building? What, you think Mitsubishi is one single big building containing all of its global employees, development, admin, sales and support? And that none of them need to be able to communicate with anyone outside. You know, their customers? Is that really what you think? That it's "that simple"?

Pause. Apply brain. Type.

Re:

[Charliemopps]

You clearly have no idea how enterprise networks work. I said "The internet" You can have a GLOBAL network and not have it connected to the internet. getting into this network requires you to be inside "The building" or any number of buildings owned by the business.

Re:

[JamesP]

Yeah, sure. For 10x to 100x the cost.

Of course, they can use a VPN. Of course, they are too smart to do that.

What, in turn, makes someone have an external connection to the Internet so that they can do their work. Oops.

They are 'stuck' with an MS stack of course.

Re:

[antifoidulus]

Don't know about Mitsubishi, but a lot of organizations do try to keep as much of their really sensitive material off of the internet as possible, but at the end of the day you cannot expect to design and manufacture a submarine from end-to-end in a single physical location. Where it makes sense you can run your own fiber, but that can get real expensive real quick. At the end of the day compromises must be made(and of course never, ever trust anything to Windows, but that seems to be a lesson people just

Re:

[hjf]

(and of course never, ever trust anything to Windows, but that seems to be a lesson people just don't get)

And you cannot expect to design a submarine from end-to-end using Linux either...

Re:

[drinkypoo]

Only if you're building a new type of submarine, because then you're going to need to write new tools. If you're the government you could force the tool vendors to develop the new ones for Linux. Some vendors are moving that way anyway due to interest, e.g. cadence tools ported to Linux when IC designers started sitting at them instead of X terminals... all those potential seats!

Re:

[That Guy From Mrktng]

Japanese are renowned for stuff that "just works" maybe they were running an Apple stack all the way down, Japan loves them. You can make a sub end-to-end in Apple stuff, right?

Re:

[jackbird]

If you're the government you could force the tool vendors to develop the new ones for Linux.

CATIA and Solidworks are sold by a partnership of IBM and a huge French aerospace conglomerate. If Linux-champion IBM hasn't ported them (especially since they are supported on a few non-x86 UNIX variants), you can bet there's a good reason.

Oh, you want NX / I-DEAS instead? Well, then you just need to convince Siemens to roll over for you.

Or do you want to slum it and use something by Autodesk? The day they releas

Re:

[X0563511]

Where it makes sense you can run your own fiber, but that can get real expensive real quick.

Why would you do that? You can send the traffic through the internet just fine. You just have to use a secured VPN.

Monster movies then (kinetic) vs. now (cyber)

[Shoten]

I'm just picturing Godzilla, sitting at a computer in a basement somewhere...

Re:

[Commontwist]

I'm just picturing Godzilla, sitting at a computer in a basement somewhere...

Between surfing the 'net for dragon porn.

Wrong company

[smooth wombat]

It is Tamaribuchi Heavy Manufacturing Concern who merged with Matsumura Fishworks a while back. They're the ones who make Mr. Sparkle.

"... system information such as IP addresses ..."

[tqk]

'We've found out that some system information such as IP addresses have been leaked and that's creepy enough,' the spokesman added."

Er, what?

nslookup www.mhi.co.jp
Server: UnKnown
Address: 10.0.1.1

Non-authoritative answer:
Name: www.mhi.co.jp
Address: 202.228.55.2

I must be missing something. I'm sure a little digging would turn up their production network FQDN if it's Internet facing (which it apparently is).

Re:

[Anonymous Coward]

Maps of network internals can turn up routable unsecured devices like printers, APs with old firmware, that forgotten server in that closet etc. that can be used to harvest login credentials or exploit the network further if the devices are trusted.

Re:

[Commontwist]

Maps of network internals can turn up routable unsecured devices like printers, APs with old firmware, that forgotten server in that closet etc. that can be used to harvest login credentials or exploit the network further if the devices are trusted.

True. My old workplace networking division was searching for where the internal infection of Conflicker was coming from.

I re-told them about the wonder of nmap ("Huh? What's that?" @_@) that I had mentioned briefly (and was obviously ignored and forgotten) and discovered the worm was coming from one of their internal web servers located in the same physical room as their office. And these were our network security guys who sold security systems. *sigh*

Re:

[robmv]

OMG!!! you published your DNS ip address!!!

Re:

[JamesP]

They probably hired their good friends, Sony Computer, to do the auditing for them...

Creepy?

[ThatsNotPudding]

I find it hard to believe a spokesperson for a Japanese corporation used the word 'creepy', but hey; wire services are never wrong.

Re:

[X0563511]

Probably a translation issue. I'm sure the word closer to the original meaning was 'unsettling'

How many times?

[inglorion_on_the_net]

How many wake-up calls like this do organizations the world over need before they start doing computer security right?

Just had to get that off my chest.

Re:

[That Guy From Mrktng]

Who would they be revenge-hacking? China? Israel? They both have the same info as US defense contractors and it's probably easier to hack directly from the source.. erm, oh now I get your point, clever AC.

Not surprised

[Anonymous Coward]

I worked for one of the Mitsubishi manufacturing companies in the US and this isn't a surprise. Security was never a focus. They acted like we were completely secure, yet any number of systems were in the proxy-bypass group. Add to that lackluster policies on updating AV and workstation security patches. Bet it sucks for my former co-workers today.