While still early, some researchers view the reported hacking into Fujitsu’s ProjectWEB software-as-a-service (SaaS) platform as as a nation-state attack not unlike the one that targeted the SolarWinds supply chain.
According to the Japanese National Center of Incident Readiness and Strategy for Cybersecurity, the agency investigating the attack, the intrusion was detected by Fujitsu on Monday, May 24. A day later, the tech giant temporarily shut down ProjectWeb. Impacted agencies include the Ministry of Land, Infrastructure, Transport and Tourism; the Ministry of Foreign Affairs; the Cabinet Secretariat; and Narita Airport in Toyko.
“As the Olympics approach, more cyberattacks are expected to target Japanese infrastructure and government agencies,” said Chenxi Wang, founder and general partner of Rain Capital. “We don’t know if this attack is tied to the Olympics, but it’s clear that the attackers are going after widely deployed platforms, similar to the SolarWinds attack in the United States. From the perspective of tactics, this does not feel like an economically-driven attack. Rather, this could be a nation-state sponsored event, aiming to steal critical government data or disrupt national infrastructure operations.”
Researchers at Recorded Future said in a blog post that stolen data included files that government employees stored on ProjectWEB, Fujitsu’s cloud-based enterprise collaboration and file sharing platform that’s broadly used by Japanese government agencies.
Recorded Future also credited local press in Japan for reports that hackers stole documents that contained more than 76,000 email addresses for employees and contractors for the Ministry of Land, Infrastructure, Transport, and Tourism, but government officials did not confirm these reports in a press conference Wednesday. No additional details about the incident are yet known, including who the attackers are or their goals.
Until officials complete the forensic investigation, there are still a lot of unknowns, but based on details about the information targeted and the lack of encryption or any corresponding ransom, Jeff Barker, vice president of cybersecurity at Illusive, expects the attack to be perpetrated by a nation-state. Barker also said platforms for collaboration and information sharing between companies typically contain high value information that a nation-state could exploit in future operations.
“Being careful not to speculate on the defensive failures and required corrective actions, I think it’s fair to say that every organization should perform an in-depth analysis of their current threat models and their defense-in-depth strategy,” Barker said. “To what degree are most companies a target now? Are there any gaps in your defense-in-depth controls, notably for the lateral movement TTPs prevalent in recent nation-state and ransomware attacks?”
Ilia Kolochenko, founder of ImmuniWeb, and a member of the Europol Data Protection Experts Network, agreed that the Fujitsu incident resembles the SolarWinds hack in the U.S. He added that this recent attack may have similar consequences, including enhanced cybersecurity regulations, comprehensive due diligence of governmental contractors similar to the Defense Department’s Cybersecurity Maturity Model Certification in the U.S., and likely additional funding for national cybersecurity in Japan.
“Surging supply chain attacks of national amplitude and multi-billion losses will probably trigger similar consequences around the globe,” Kolochenko said. “Spending more does not mean spending wiser. Legislators and regulators should consider a consistent, holistic, multistakeholder, and long-term cybersecurity strategy as a key factor for regulated organizations to prevent cyberattacks and reduce data breaches. Ad hoc or unstructured approaches do not work anymore.”
Chuck Everette, director of cybersecurity at Deep Instinct, said while we don’t yet know whether these actors gained unauthorized access because of a vulnerability or a targeted supply chain attack, they did manage to gain access. Everette said companies as large as Fujitsu need to understand that to cyber criminals, they are seen as the ultimate trophy.
“The best protection against attacks such as this one is a multi-layered approach using a variety of solutions,” he said. “A ‘prevention-first’ mindset is also key: attacks need to execute and run before they are picked up and checked to see if they are malicious, sometimes taking as long as 60 seconds or more. When dealing with an unknown threat, 60 seconds is too long to wait for an analysis.”