This week a Japanese defence company has indicated that it has been the victim of a spear phishing attack.
Mitsubishi Heavy Industries (MHI) stated that 10 locations, 38 computers and 45 network servers were compromised in the attack, but claims it is confident that no data was lost. It appears to have identified malware running on the servers; it is not yet clear whether this malware was detected by its routine security measures or found only during the later investigation. The compromised locations included a submarine manufacturing plant in Kobe and a plant in Nagoya that makes engine parts for missiles.
The attack came to light in August of this year and the company has since been compiling a detailed report to establish the extent of the compromise. The Japanese government appears to be displeased with MHI. The BBC writes that a second Japanese defence company (IHI) claims to have been receiving spear phishing emails for some time, but believes its systems have resisted all attempts at unauthorised access.
Attacks on defence companies are nothing new: the well-publicised attacks in June against L-3 Communications and Lockheed Martin came soon after the reported compromise of the security tokens provided by RSA.
A range of stories and research have pointed fingers at a Chinese cyber capability targeting companies; the Chinese government strenuously denies this, despite claims to the contrary. The recent Pentagon cyber strategy declared that attacks of this kind could be classified as an act of war, and it is clear that China equally takes these threats seriously. Whatever the rhetoric, one thing is clear: cyber security issues of this type are here to stay, and governments globally are investing in both defensive and offensive capabilities. Cyber security is now a national security concern. The stakes are high, as is the investment required to mount operations of this kind.
Whilst there may be evidence to suggest that China is engaged at least on some level, it is worth being careful of the automatic assumption that China is the source of all attacks.
The recent attacks on GlobalSign, DigiNotar and Comodo, which have led to the bankruptcy of DigiNotar, were claimed on Pastebin by a person identifying themselves as Iranian, but with clear connections to Turkey. The LulzSec and Anonymous attacks have resulted in arrests in the United Kingdom and the US and are linked to a loosely political agenda. It seems that cyber crime and aggression know no boundaries, and it would greatly oversimplify the problem to ascribe them all to a single nation.
More worrying still, however, is the assumption that all is well. Security is fragile in any organisation, given that it can take just one incident to fatally compromise a system or network.
The security controls needed to limit a breach of the type associated with spear phishing can be frustratingly difficult to implement. How does an organisation know when it has been breached? Security researchers such as Marcus Ranum have long argued that trying to "enumerate badness", second-guessing in advance every payload an attacker might use, is an impossible task.
This means that organisations cannot rely solely on pattern matching by software such as anti-virus and content filtering devices. However, whitelist-based approaches that try to enumerate all known good can also be difficult to implement and to maintain: every legitimate patch or new tool is a change to the list, and a stale list either blocks real work or quietly stops being enforced. Technical solutions alone are unlikely to solve all security issues. An integrated approach covering people, process and technology is required, including one that educates staff about the dangers. Organisations need to achieve a balanced mix of good design, the correct amount of monitoring, and well-chosen, well-maintained controls that rely on a mixture of knowing what is bad and knowing what is good. Getting this balance just right is difficult, and it remains to be seen whether MHI had this kind of approach to security, and indeed whether the attackers have "not succeeded in accessing any important information".
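As an added illustration of the trade-off above (this is not code from the original post, nor anything MHI or a vendor uses), the following Python runs a constructed process-execution log through three execution-control policies: a hash denylist (enumerating badness), an application allowlist (enumerating goodness), and a hybrid that always blocks known-bad, requires an allowlist entry only for images launched from user-writable directories, and otherwise permits. The "binaries", paths, approved hashes and the user-writable directory policy are all invented for the example; the SHA-256 digests are computed from those invented bytes.

```python
"""Added example: 'enumerate badness' versus 'enumerate goodness' on a
constructed process-execution log. Not MHI's or any vendor's code."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    """One process-start event: image path and image bytes (both constructed)."""
    path: str
    image: bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real binaries; the hashes computed from them are real.
WORD_EXE = b"MZ\x90\x00 WINWORD.EXE build 14.0.6024"
WORD_EXE_PATCHED = b"MZ\x90\x00 WINWORD.EXE build 14.0.6112"  # same app after a patch
DROPPER = b"MZ\x90\x00 report.pdf.exe phishing dropper"
DROPPER_VARIANT = DROPPER + b"\x00"  # one appended byte: same behaviour, new hash

# Enumerating badness: hashes of samples someone has already analysed.
DENYLIST = {sha256(DROPPER)}
# Enumerating goodness: hashes approved by change control so far.
ALLOWLIST = {sha256(WORD_EXE)}
# Directories a phishing victim's own account can write to (assumed policy).
USER_WRITABLE_PREFIXES = (r"c:\users", r"c:\windows\temp")


def denylist_blocks(ev: ExecEvent) -> bool:
    """Anti-virus style: block only what matches a known-bad signature."""
    return sha256(ev.image) in DENYLIST


def allowlist_blocks(ev: ExecEvent) -> bool:
    """Application allow-listing: block everything not explicitly approved."""
    return sha256(ev.image) not in ALLOWLIST


def hybrid_blocks(ev: ExecEvent) -> bool:
    """Mix of both: known-bad is always blocked; anything launched from a
    user-writable directory must be on the allowlist; elsewhere, permit."""
    digest = sha256(ev.image)
    if digest in DENYLIST:
        return True
    if ev.path.lower().startswith(USER_WRITABLE_PREFIXES):
        return digest not in ALLOWLIST
    return False


def evaluate(events):
    """Return each event's verdict under all three policies (True = blocked)."""
    return [
        {
            "path": ev.path,
            "denylist": denylist_blocks(ev),
            "allowlist": allowlist_blocks(ev),
            "hybrid": hybrid_blocks(ev),
        }
        for ev in events
    ]


# Constructed log: a legitimate app, the same app after a patch, the dropper
# that arrived in a spear-phishing attachment, and a trivially re-built variant.
EVENTS = [
    ExecEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE", WORD_EXE),
    ExecEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE", WORD_EXE_PATCHED),
    ExecEvent(r"C:\Users\alice\AppData\Local\Temp\report.pdf.exe", DROPPER),
    ExecEvent(r"C:\Users\alice\AppData\Local\Temp\report.pdf.exe", DROPPER_VARIANT),
]

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(f"{row['path']:<62} deny={row['denylist']!s:<5} "
              f"allow={row['allowlist']!s:<5} hybrid={row['hybrid']}")
```

Run it and the pattern the post describes falls out: the denylist catches the dropper that was already analysed but not the one-byte variant, which is exactly why it cannot be relied on alone; the pure allowlist catches both variants but also blocks the freshly patched Word binary until change control updates the list, which is the operational cost that makes whitelisting hard to sustain; the hybrid blocks both droppers and lets the patched binary run, at the price of trusting anything under Program Files. That last gap (an attacker who has already obtained administrative rights can write there) is why the hybrid still has to be paired with monitoring rather than treated as a complete control.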
