Monday, October 17, 2011

Police Find Matching Modus Operandi in Mitsubishi Heavy, Kawasaki Heavy Cases

Via Daily Yomiuri Online (Japan) -

Police increasingly believe the same hacker was responsible for the recent cyber-attacks on Mitsubishi Heavy Industries Ltd. and Kawasaki Heavy Industries Ltd.

A computer virus found in the attack on Kawasaki Heavy Industries, which was sent by e-mail through a computer at the Society of Japanese Aerospace Companies (SJAC), forced infected personal computers to access a Web site in the United States, sources close to the issue said Saturday. Police have found that infected PCs at Mitsubishi Heavy Industries were made to access the same Web site.

The police suspect the hacker used the U.S. site as a so-called springboard, via which the attacker manipulated computer terminals from the outside. Springboards refer to PCs and computer servers used as communication relay points by cyber-attackers to prevent their originating port from being identified.

[...]

According to the sources, Kawasaki Heavy Industries received e-mails whose senders posed as SJAC officials and member company employees at least three times from June to August. Police analyzed viruses hidden in the e-mails and found they contained programs that force infected PCs to access Web sites and exchange data.

The police discovered the Web site involved in this case had an Internet protocol address registered in California.

The virus confirmed to have been used in the attacks against Mitsubishi Heavy Industries performed the same function. In addition to the California-registered site, infected computers had communicated with Web sites in Japan and other countries including China and India.

The U.S. site was likely to have been infected with viruses and manipulated by someone from the outside, investigators said.

The Web site in question appears to have been closed as early as mid-September, when the cyber-attacks on Mitsubishi Heavy Industries came to light.

Information security experts said hackers use such contacts with outside Web sites to have viruses placed in targeted companies' servers send information or to instruct the viruses to reproduce themselves.

Attackers usually abandon such sites once they achieve their goals or their attacks are discovered, the experts said.

The police suspect the person who attacked Mitsubishi Heavy Industries and Kawasaki Heavy Industries used the U.S. Web site to steal information from the companies and then transmitted it to other Web sites.

"In the past, unrelated hacker groups have coincidentally used the same servers as springboards," said Norihiko Maeda, a researcher at Kaspersky Lab Japan, a manufacturer of antiviral software. "Usually, hackers use different springboards for individual attacks, so the same server is rarely used by two or more criminal groups."

"[However, because the police investigation revealed that] the same attacker likely targeted the two companies, it's become clearer that the attacker aimed to steal Japanese defense secrets. Authorities must quickly investigate communication records and other data from the springboards," he said.
