Mitsubishi Electric conceded on 20 January that it suffered a major security breach last year. The breach happened on 28 June 2019 and an official internal probe was initiated in September.
"Mitsubishi Electric Corporation is aware that our network has been subject to unauthorised access by third parties. We have confirmed that trade secrets may have leaked out," goes a rough translation of the Japanese announcement.
"After recognising suspicious behavior in a terminal in our company on 28 June last year, we promptly restricted external access. We have taken measures and reported the incident to relevant organisations," it said.
The Tokyo-based global electronics and electrical equipment manufacturing business disclosed the data breach after Japanese national dailies reported stories about the incident.
Japanese-language dailies Asahi Shimbun and Nikkei named the Chinese-linked cyber-spy group Tick (a.k.a. Bronze Butler) as being behind the incident. The threat group has reportedly been behind several similar incidents in Japan.
"We have reported the situation to potential customers regarding the potential disclosure of trade secrets," said the translated announcement. "We deeply apologise for causing great concern and inconvenience to the concerned people and related customers."
Japanese news reports say that the intrusion was tracked to a compromised employee account. Hackers accessed close to 14 departments including sales and the head administrative office. Unauthorised access began with the company’s affiliates in China and later spread to its bases in Japan, said the Asahi report.
"As of 2020, essentially every business is a software business in some way, shape, or form. As such, software is critical infrastructure. It is an attractive target for attackers and many organisations have valuable information that must be protected," commented Jonathan Knudsen, senior security strategist at Synopsys.
"Software also serves as the foundation for other critical infrastructure, such as utilities, transportation, and healthcare. In these cases the stakes are even higher. Using a structured approach to minimising risk means less danger for the organisation and its customers."
What makes the situation serious is the fact that Mitsubishi is a top defence contractor of the Japanese government. Any access to defence-related information becomes a matter of national security.
Going by the news reports, this incident highlights the degree to which China continues to view industrial espionage as a legitimate means of gaining competitive advantages, both economically and geopolitically, noted Dave Weinstein, CSO at Claroty.
"China has repeatedly demonstrated a propensity to target organisations at the intersection of industry and government, particularly as it relates to the defence sector. While no sensitive infrastructure information was compromised, according to news reports, the compromised personal information will undoubtedly be used to enable subsequent reconnaissance operations not only against Mitsubishi, but also its suppliers, customers, and partners -- both government and non-government."
The fact that attackers gained access to the company's systems through its affiliates shows that cyber-security cannot be effectively managed with a one-time effort, said Knudsen.
"A comprehensive security initiative includes three related efforts. First, organisations must control the supply chain of acquired software. Every piece of software presents some risk that must be evaluated and managed. Second, the security of software produced by the organisation must be managed using a secure development life cycle. Finally, an incident response plan ensures that the organisation can minimise damage when cyber-attacks happen."