Mitsubishi Electric’s Possible Information Leak and China-Linked Cyberattacks — The Threat of “TiCk” Targeting Defense and High-Tech Companies
Published on January 21, 2020.
Based on an article from the Nikkei, this post introduces the large-scale cyberattack on Mitsubishi Electric, the possible leak of about 8,000 items of personal information, the suspected involvement of the China-linked hacker group “TiCk,” and the reality of targeted attacks against Japanese and South Korean companies. It discusses the need to strengthen cybersecurity by classifying information according to importance, reviewing email practices, and meeting security standards comparable to those required by the U.S. Department of Defense.
The following is from today’s Nikkei newspaper.
Mitsubishi Electric, Possible Information Leak
Cyberattacks on Japanese and South Korean Companies
Cyberattacks against Japanese and South Korean companies by criminals believed to be China-linked have been occurring one after another.
Their aim is to steal confidential information and intellectual property from defense and high-tech companies. Because they target specific companies, they are difficult to prevent with ordinary countermeasures, but if responses are delayed, transactions with the U.S. Department of Defense and others could be affected, making a fundamental review an urgent task.
Mitsubishi Electric announced on January 20 that it had suffered a large-scale cyberattack and that approximately 8,000 items of personal information and other data may have been leaked externally.
According to people familiar with the matter, a China-linked hacker group called “TiCk” may have been involved in the attack.
TiCk’s main method is first to attack private research firms and others, steal email accounts, impersonate those companies, send emails to the Chinese subsidiaries of targeted companies, and infect them with remote-control malware and similar tools.
It then uses the subsidiary’s system as a “stepping stone” to intrude into the network of the Japanese headquarters and steal confidential information.
In South Korea, information from IT companies and others has been targeted.
According to Trend Micro, TiCk became more active around November 2018, sharply increasing the frequency of its malware development (malware being malicious programs used in cyberattacks).
It is said to be a highly skilled attack group, continually improving tools such as malware and slipping past inspections by security software and devices.
What makes it troublesome is that it is difficult for victim companies to trace the attacks.
Because communication logs, which are traces of the attack, are erased, it can sometimes take years before a company notices an intrusion.
There are concerns within the government that the attacks may already have spread not only to Mitsubishi Electric but also to other companies.
In addition to TiCk, there are multiple groups that launch “targeted attacks” against specific companies and organizations, such as “APT10,” which was criticized by the governments of the United States and Japan at the end of 2018.
The government is urging companies to strengthen information management, and the Ministry of Defense is studying revisions to standards for supplier companies so that they will meet security levels comparable to those required by the U.S. Department of Defense.
Countermeasures are not easy.
That is because the criminals also thoroughly investigate the countermeasure software already introduced by the targeted companies.
Mitsubishi Electric had also introduced a malware countermeasure system.
There are also cross-industry information-sharing organizations, but they depend on information disclosure from companies that have been attacked.
IT companies that handle security countermeasures provide services that monitor corporate systems, detect attacks early, and minimize damage.
Even so, according to a person familiar with the matter, “criminals analyze corporate weaknesses and develop new technologies, so countermeasures are a cat-and-mouse game.”
Sugiura Takayuki, representative director of the Japan Hacker Association, points out that “it is important to classify information according to its importance.”
The confidentiality level of information handled in business operations should be defined, and highly confidential information should be made inaccessible from outside.
The terminals used should be changed, and they should not be connected to the same network.
Mitsubishi Electric commented, “We have confirmed that no sensitive information related to social infrastructure or important information concerning business partners has been leaked,” and it appears that the company had taken countermeasures.
Because malware mainly targets computers and servers, it often does not operate normally on smartphones.
Using this characteristic, one possible method is to open emails, which are a major route of malware intrusion, on smartphones or tablets.
Sugiura advises that companies for which countermeasures are difficult because of heavy cost burdens should review how they handle email.
Delays in countermeasures relate to corporate credibility and governance.
By 2018, the U.S. Department of Defense had required contractors handling highly confidential important information, such as product specifications, to comply with the cyber defense guideline “NIST SP 800-171.”
Fujitsu has teamed up with U.S. cyber defense company Exostar and launched a service in Japan to ensure security.
Ota Taishu, senior evangelist, points out that “Japanese companies will also be required to establish information management systems on a par with those in the United States.”
Defense Minister Kono Taro told reporters on January 20, “It has been confirmed that there was no leak of sensitive information from the Ministry of Defense.”
