20 Sep 2011

Security experts at Trend Micro have uncovered another large-scale, co-ordinated campaign of targeted attacks, this time focused on compromising data at a series of defence industry companies including Mitsubishi Heavy Industries in Japan.
The firms in question, which were also located in Israel, India and the US, were all targeted in a similar way in an attack which began in July.
The attack starts as a targeted email containing a malicious PDF attachment designed to exploit a vulnerability in Adobe Flash and Reader, according to Trend Micro. The malicious payload dropped onto the machine then connects to a command-and-control server and sends network and file name information.
"Certain targets are instructed to download custom DLLs, detected by Trend Micro as BKDR_HUPIG.B, that contain specific functionality related to the compromised entity," Trend Micro senior threat researcher Nart Villeneuve wrote in a blog post.
"Once inside the network, the attackers issue commands that cause the compromised computer to download tools that allow them to move laterally throughout the network including those that enable 'pass-the-hash' techniques."
The compromised machine is then made to download a remote access Trojan (RAT).
"By staging the attacks this way, the attackers maintain two separate methods of control. The first allows them to schedule commands to be run by the compromised computer when it connects to the command-and-control server. The second allows attackers to take real-time control of the compromised computer using the RAT," said Villeneuve.
Japanese defence contractor Mitsubishi Heavy Industries, which builds submarines, missiles and nuclear power plants, is the first publicly named victim.
Only 32 computers were compromised, according to Trend Micro, so it appears to be another highly targeted attack, and once again all eyes will be turning towards China, as they were with the Shady RAT, Night Dragon and Operation Aurora attacks.
The Chinese government has always denied any involvement in cyber attacks on the West, instead claiming to be the victim, but was apparently caught red-handed last month after a documentary programme on a military channel seemed to show a live attack being carried out via a US IP address.
Whatever the origin, the latest revelations will once again focus minds on the importance not only of superior threat intelligence and blocking tools, but employee education in these highly sensitive industries.
As a side note, the Japanese government has reportedly expressed its anger that Mitsubishi did not follow protocol by reporting the breach to the government immediately, and first, when it learned of it.
How a company deals with the aftermath of what are now becoming almost weekly occurrences is almost as important as how it prepares for them.