The Laughing Man logo from Ghost in the Shell overlaid on the Mitsubishi logoPlenty of disturbing news following the discovery of a malicious virus in Mitsubishi Heavy Industries’ computers on Monday. The company, which suspended operations today due to a nationwide tour by Typhoon Roke (1115), has gagged its employees on the issue in an effort to exercise damage control.Having not long been home due to the typhoon shutting down the train network, hopefully you’ll forgive me for keeping this short.

Get up-to-date

Mitsubishi Heavy Industries is one of Japan’s largest defense contractors, involved in not only the manufacture of main battle tanks, fighters and destroyers for the three services, but also launch vehicles for satellite launches.

45 servers and 38 computers were found infected with eight types of viruses at a total of 11 company facilities in Japan, including its headquarters in Tokyo, shipbuilding yards in Nagasaki and Kobe, and its Nagoya Guidance and Propulsion Systems Works in Aichi Prefecture, which makes missiles and rocket engines. A Mitsubishi Heavy employee noticed abnormalities with the system in mid-August, leading the company to call in outside experts. It subsequently found its servers and computers were infected with viruses which could prompt information to leak outside the company, the officials said.

The viruses confirmed to have infected the MHI servers and PCs included a Trojan horse virus, which allowed senders to gain access to infected PCs. The sender can then transmit information from the infected machine to their computer. According to the sources, an information security firm that copied and analyzed the virus discovered simplified Chinese characters on screens used by the senders. The Chinese characters include those for “automatic” (meaning automatic access), “catch” for the function to remotely control infected PCs, and two Chinese characters that mean “video” or “image,” the sources explained.

Jason Hart, CEO of CryptoCard, said: “Spear phishing is an unsophisticated form of attack, but by targeting what remains the chink in any organisation’s security policy (static passwords), it is highly effective. “Invariably employees use the same password to access applications across the corporate network because it is easy for them to remember. This represents a serious weakness, as once hackers have this, they can go anywhere and access any data they want to help themselves to.”

Kyodo news agency, citing police, reports that additional weekend denial-of-service attacks temporarily blocked access to the government websites of the National Personnel Authority, a video distribution service and a site run by the cabinet office.

The wave of cyber attacks targeting the Japanese government and Japanese companies come in the wake of the 80th anniversary of the Manchurian Incident, which triggered the full-scale Japanese invasion of China. [UK Telegraph lede]

According to press reports, Foreign Ministry spokesman Hong Lei dismissed suggestions that the attacks against Mitsubishi originated in China. “The Chinese government has consistently opposed hacking attack activities. Relevant laws strictly prohibit this,” Hong told reporters for Reuters, the Associated Press, and other outlets, during a regular press briefing Tuesday. “Criticism that China initiated a cyberattack is not only groundless, it goes against development of international cooperation on cybersecurity,” Hong said.

Servers and computers at Japan’s IHI Corp were targeted in a cyber attack and the company is in contact with police about it. IHI supplies engine parts for fighter planes to the Defence Ministry as well as containment vessels and pressurised vessels for nuclear reactors.

IHI Corp, which builds engine parts for fighter planes, had been sent suspicious emails, about which it had informed the police. Kawasaki Heavy Industries, a producer of planes, helicopters and rocket systems, confirmed that it had also been receiving “virus-tainted” emails.


It seems very possible now that the Japanese defense industry was the target of a “spear phishing” campaign, possibly at the hands of Chinese hackers, unofficially or otherwise. Again, the focus should be on tightening up security rather than finger-pointing. Such actions have plenty of plausible deniability and Japan would be better served by getting its IT house into order first. Time will tell as to the true nature of the infections and attacks, but the egg is squarely on MHI’s face for not catching this sooner.

[H/T @security4all]

GD Star Rating

Related posts:

A former contributor to World Intelligence (Japan Military Review), James Simpson joined Japan Security Watch in 2011, migrating with his blog Defending Japan. He has a Masters in Security Studies from Aberystwyth University and is currently living in Kawasaki, Japan. His primary interests include the so-called 'normalization' of Japanese security (i.e. militarization), and the political impact of the abduction issue with North Korea.
James Simpson has 254 post(s) on Japan Security Watch