While not all that surprising, the Daily Yomiuri reports today that the infections of computers at Mitsubishi Heavy Industries and at Kawasaki Heavy Industries were likely committed by the same perpetrator, the police having discovered that a US-based server acted as a springboard for receiving the data stolen by the viruses.
A computer virus found in the attack on Kawasaki Heavy Industries, which was sent by e-mail through a computer at the Society of Japanese Aerospace Companies (SJAC), forced infected personal computers to access a Web site in the United States, sources close to the issue said Saturday. Police have found that infected PCs at Mitsubishi Heavy Industries were made to access the same Web site.
The police suspect the hacker used the U.S. site as a so-called springboard, via which the attacker manipulated computer terminals from the outside. Springboards refer to PCs and computer servers used as communication relay points by cyber-attackers to prevent their originating port from being identified.
I noted a Kyodo press report on the use of the SJAC server on Saturday and wondered whether this was an automated attack and whether SJAC was the Typhoid Mary that opened the door to these defense industries. That possibility still exists in my mind, although it is impossible to be sure without a more complete picture. It is interesting to note that there hasn’t been much (if any) mention of the origin of the MHI attack; even the Yomiuri’s diagram (to the right) leaves it as an open question.
That said, the Yomiuri quotes a security expert who feels differently:
“In the past, unrelated hacker groups have coincidentally used the same servers as springboards,” said Norihiko Maeda, a researcher at Kaspersky Lab Japan, a manufacturer of antiviral software. “Usually, hackers use different springboards for individual attacks, so the same server is rarely used by two or more criminal groups.”
“[However, because the police investigation revealed that] the same attacker likely targeted the two companies, it’s become clearer that the attacker aimed to steal Japanese defense secrets. Authorities must quickly investigate communication records and other data from the springboards,” he said.
Exploiting the logs of the computers involved in Japan and abroad will be the key to completing this jigsaw puzzle. However, it is likely that the full details, and quite probably the culprit too, will never be known.
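The log work the post points to is essentially a correlation exercise: take the outbound-connection records from the infected machines at each company and look for external destinations they have in common, since a shared relay is what links the two incidents. The script below is an added illustration of that step, written for this post; it is not code from Japan Security Watch, the Yomiuri, or the investigation. The log format (`host=… dst=ip:port … bytes_out=…`), the two sample logs, and the RFC 1918 filter for internal addresses are all constructed assumptions, and the IP addresses are from the documentation ranges, not real infrastructure.

```python
# Added example: find external destinations contacted by infected hosts at
# two separate organisations. A destination seen from both is a candidate
# "springboard" relay of the kind described in the post. All log lines are
# constructed sample data; the format and the internal-range filter are
# assumptions made for this illustration.
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: internal traffic is anything to RFC 1918 space.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format, one connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)"
    r"\s+proto=\S+\s+bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample logs for two organisations ("org_a", "org_b").
SAMPLE_LOGS = {
    "org_a": """\
2011-09-20T10:02:11 host=a-pc07 dst=203.0.113.45:443 proto=tcp bytes_out=51200
2011-09-20T10:05:40 host=a-pc07 dst=198.51.100.9:80 proto=tcp bytes_out=1200
2011-09-20T10:06:02 host=a-pc07 dst=10.0.0.5:445 proto=tcp bytes_out=9000
2011-09-20T11:14:02 host=a-pc12 dst=203.0.113.45:443 proto=tcp bytes_out=88000
2011-09-20T11:20:00 host=a-pc12 dst=192.0.2.17:443 proto=tcp bytes_out=4000
""",
    "org_b": """\
2011-09-21T09:15:33 host=b-ws03 dst=203.0.113.45:443 proto=tcp bytes_out=73000
2011-09-21T09:16:10 host=b-ws03 dst=198.51.100.200:443 proto=tcp bytes_out=300
2011-09-21T13:40:51 host=b-ws09 dst=192.0.2.17:443 proto=tcp bytes_out=2100
""",
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "host": m["host"], "ip": m["ip"],
            "port": int(m["port"]), "bytes": int(m["bytes"])}


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_destinations(log_text):
    """Map (ip, port) -> {host: total bytes_out} for external destinations."""
    dests = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_internal(rec["ip"]):
            continue
        dests[(rec["ip"], rec["port"])][rec["host"]] += rec["bytes"]
    return dests


def shared_destinations(logs_by_org):
    """Return destinations seen from every organisation, most data sent first.

    Each result records how many distinct hosts reached the destination and
    the total bytes sent, which is what an analyst would prioritise.
    """
    per_org = {org: external_destinations(text) for org, text in logs_by_org.items()}
    if not per_org:
        return []
    common = set.intersection(*(set(d) for d in per_org.values()))
    results = []
    for ip, port in common:
        hosts = sum(len(per_org[org][(ip, port)]) for org in per_org)
        total = sum(sum(per_org[org][(ip, port)].values()) for org in per_org)
        results.append({"dst": f"{ip}:{port}", "hosts": hosts, "bytes_out": total})
    results.sort(key=lambda r: (-r["bytes_out"], r["dst"]))
    return results


if __name__ == "__main__":
    for r in shared_destinations(SAMPLE_LOGS):
        print(f"{r['dst']:<20} hosts={r['hosts']} bytes_out={r['bytes_out']}")
```

On the constructed data the shared 203.0.113.45:443 stands out on both counts (three hosts, the largest outbound volume), while 192.0.2.17:443 also appears from both organisations but with far less data, which is the sort of distinction the Kaspersky researcher's caveat about coincidental reuse makes worth checking before drawing a conclusion.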
A former contributor to World Intelligence (Japan Military Review), James Simpson joined Japan Security Watch in 2011, migrating with his blog Defending Japan. He has a Masters in Security Studies from Aberystwyth University and is currently living in Kawasaki, Japan.
His primary interests include the so-called 'normalization' of Japanese security (i.e. militarization), and the political impact of the abduction issue with North Korea.