Two more major Japanese defense contractors admitted to experiencing a data breach in recent years, bringing to a close a story that began in January when Japanese defense minister Taro Kono revealed that several partner organizations had been attacked. But though the full outline of the damage is now visible, many questions about how (and when) it was reported remain.
The two companies involved were geospatial surveying firm Pasco and Kobe Steel. Pasco was breached in 2018, while the first breach of Kobe Steel occurred in June 2015. Both companies reported being infected with malware, and it is possible that files were stolen from their internal networks as well.
Nearly five years of undisclosed data breaches?
The Ministry of Defense stated that the other defense contractors, Mitsubishi Electric and NEC, were hacked between 2016 and 2019.
Officials believe that the attacks were not directly related to each other. The defense contractors suffered differing levels of damage. An official statement from Pasco indicated that the hackers did not steal any information, but Kobe Steel (which also operates under the global trade name Kobelco) did not reveal details about breach damage. Financial newspaper The Nikkei is reporting that 250 files containing personal information and information about the Ministry of Defense were stolen from Kobelco servers. Kobe Steel manufactures submarine parts for the country’s military.
Mitsubishi Electric disclosed that about 200 MB of documents containing confidential and personal information may have been exposed to attackers on June 28, 2019. The company is heavily involved with various defense systems and infrastructure in the country, and the confidential documents included bidding information for defense equipment research contracts. Mitsubishi apparently kept PDF copies of these paper documents on their servers even though that is against government directives.
There was unauthorized access of the servers at NEC’s defense business unit in December 2016, but the company has stated that they have found no evidence of information exfiltration.
Why did the defense contractors wait so long?
Defense Minister Kono stated that the data breaches of the defense contractors were disclosed “… to get the world to know and think about defenses.” However, a reporting delay of years (or even months) would be considered unusual in much of the world, and would even violate the law in some places (such as the EU).
Japanese national law has some provisions for personal data protection under the Act on the Protection of Personal Information (APPI), which was created in 2003 and heavily revised in 2015. However, even the present revised form does not require companies to notify the public of data breaches. It also is specific to personal data, not necessarily pertaining to breaches of confidential company information.
The government response is limited to first making an informal request of the company to rectify the breach. Failing that, the government can then give a formal order and assess fines (limited to only about the equivalent of $4,600) but there is no provision forcing the company to notify the public.
Japanese companies are thus essentially trusted to self-report data breaches both to the government and the public, something that clearly did not happen in a timely manner in this case. Mitsubishi was the only company to offer an explanation for the long delay, stating that it took eight months from the 2019 attack to complete an internal investigation because the hackers had removed activity logs.
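Mitsubishi's explanation, that the attackers removed activity logs and so the investigation took eight months, points at a detection gap a defender can close: log clearing and unexplained silences in a host's audit stream are themselves signals worth alerting on. The script below is an added example and is not code from the article or from any of the companies named; it runs over a few constructed sample events in a hypothetical format (timestamp, host, event id, message). Windows Security Event ID 1102 really is "The audit log was cleared"; the host names, the six-hour silence threshold and the field layout are assumptions for the illustration.

```python
"""
Added example: flag audit-log clearing and suspicious silences in a
stream of events. Input is constructed sample data, not real telemetry.
Event ID 1102 is the real Windows Security "audit log was cleared" event;
field names, host names and thresholds here are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    message: str


# Constructed sample events (hypothetical "<iso-timestamp> <host> <id> <message>" lines).
# srv-fileshare has its log cleared at 09:07 and then goes silent until 23:30.
SAMPLE_LOG = """\
2019-06-28T09:00:00 srv-fileshare 4624 An account was successfully logged on
2019-06-28T09:05:00 srv-fileshare 4663 An attempt was made to access an object
2019-06-28T09:07:00 srv-fileshare 1102 The audit log was cleared
2019-06-28T23:30:00 srv-fileshare 4624 An account was successfully logged on
2019-06-28T09:01:00 srv-web 4624 An account was successfully logged on
2019-06-28T09:06:00 srv-web 4663 An attempt was made to access an object
"""

LOG_CLEARED_EVENT_ID = 1102  # Windows Security: "The audit log was cleared"


def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format into Event records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, message = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), host, int(event_id), message))
    return events


def find_log_clearing(events: list[Event]) -> list[Event]:
    """Return every event that records the audit log being cleared."""
    return [e for e in events if e.event_id == LOG_CLEARED_EVENT_ID]


def find_gaps(events: list[Event], max_gap: timedelta = timedelta(hours=6)) -> list[tuple]:
    """Per host, report silences longer than max_gap between consecutive events.

    A host that normally logs continuously and then falls silent (because logging
    was disabled or entries were deleted) shows up here as (host, last_seen, next_seen).
    """
    by_host: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    gaps = []
    for host, evs in by_host.items():
        for earlier, later in zip(evs, evs[1:]):
            if later.ts - earlier.ts > max_gap:
                gaps.append((host, earlier.ts, later.ts))
    return gaps


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_log_clearing(evs):
        print(f"ALERT log cleared on {e.host} at {e.ts.isoformat()}")
    for host, last_seen, next_seen in find_gaps(evs):
        print(f"ALERT {host} silent from {last_seen.isoformat()} to {next_seen.isoformat()}")
```

Both checks only work if the events reach a place the attacker cannot edit, so the practical point is to forward logs off-host to a collector as they are written; once that is in place, a 1102 event or a multi-hour silence from a server that is normally chatty is an early indicator rather than something discovered months later.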
The remaining defense contractors did confirm that the data breaches were initially identified months or years before the recent announcement, but did not explain why incidents that involved the exposure of personal information were not reported sooner.
Identity of the hackers
The source of the cyber attacks has not been confirmed by any of the defense contractors, but there is strong speculation that Chinese hacking group Tick was involved with at least some of them. Also referred to as Bronze Butler and Rebaltknight, this group is known for targeting industrial operations in Asia with a particular focus on Japanese firms.
This connection is based on a statement from a Pasco official implicating Tick in their 2018 data breach, as well as reporting from The Nikkei on the Mitsubishi incident. Reports from Japanese security researchers also indicate that a known vulnerability in the file upload function of Trend Micro’s OfficeScan product is one that Tick is believed to have exploited in other hacking attempts.
The dangers of delayed breach reporting
Organizations will sometimes go to great lengths to cover up data breaches, as demonstrated by Uber’s payoff to hackers in 2016. This could be due to desire to avoid damage to the company’s reputation (and possibly value), it could be out of an abundance of caution as an investigation takes place, and very often it is a little from both columns. There is a significant competing public interest in this information being made available, however, which is why laws such as the GDPR put such tight time limits on breach reporting.
It is also possible that an organization might genuinely not notice a data breach for months or even years, given that sophisticated hackers have become very good at covering their tracks. As Tal Zamir, Founder and CTO of Hysolate, points out:
“For years we had been seeing the number of days it takes to identify a breach reduce year over year, but just this year that number climbed again and it’s because attackers are getting better and smarter at covering their tracks. But they’re still using the same techniques to get their way in – through endpoints. Once an attacker has made their way onto an endpoint, it’s far too easy for them to gain access to credentials and pivot their way to sensitive information. We recommend that organizations isolate sensitive information – especially defense organizations that arguably hold some of the most valuable secrets and data. It’s critical to keep this information locked-down and separate from the areas where workers conduct day-to-day activities which are more at risk.”
The incident involving the Japanese defense contractors also highlights the importance of knowing what data protection laws are in place for partner companies in foreign countries who may be in possession of confidential company information or employee data.