[BreachExchange] Is the attack on Fujitsu’s ProjectWEB SaaS platform the next SolarWinds?

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri May 28 14:05:51 EDT 2021


https://www.scmagazine.com/home/security-news/data-breach/is-the-attack-on-fujitsus-projectweb-saas-platform-the-next-big-supply-chain-attack/

While still early, some researchers view the reported hacking into
Fujitsu’s ProjectWEB software-as-a-service (SaaS) platform as a
nation-state attack with similarities to the SolarWinds hack that
infiltrated government agencies.

According to the Japanese National Center of Incident Readiness and
Strategy for Cybersecurity <https://www.nisc.go.jp/eng/>, the agency
investigating the attack, the intrusion was detected by Fujitsu on Monday,
May 24. A day later, the tech giant temporarily shut down ProjectWEB.
Impacted agencies include the Ministry of Land, Infrastructure, Transport
and Tourism; the Ministry of Foreign Affairs; the Cabinet Secretariat; and
Narita Airport in Tokyo.

“As the Olympics approach, more cyberattacks are expected to target
Japanese infrastructure and government agencies,” said Chenxi Wang, founder
and general partner of Rain Capital. “We don’t know if this attack is tied
to the Olympics, but it’s clear that the attackers are going after widely
deployed platforms, similar to the SolarWinds attack in the United States.
From the perspective of tactics, this does not feel like an
economically-driven attack. Rather, this could be a nation-state sponsored
event, aiming to steal critical government data or disrupt national
infrastructure operations.”

Researchers at Recorded Future said in a blog post
<https://therecord.media/fujitsu-suspends-projectweb-platform-after-japanese-government-hacks/>
that stolen data included files that government employees stored on ProjectWEB,
Fujitsu’s cloud-based enterprise collaboration and file sharing platform
that’s broadly used by Japanese government agencies.

Recorded Future also credited local press in Japan for reports that hackers
stole documents that contained more than 76,000 email addresses for
employees and contractors for the Ministry of Land, Infrastructure,
Transport, and Tourism, but government officials did not confirm these
reports in a press conference Wednesday. No additional details about the
incident are yet known, including who the attackers are or their goals.

Until officials complete the forensic investigation, there are still a lot
of unknowns, but based on details about the information targeted and the
lack of encryption or any corresponding ransom, Jeff Barker, vice president
of cybersecurity at Illusive, expects the attack to have been perpetrated by a
nation-state. Barker also said platforms for collaboration and information
sharing between companies typically contain high value information that a
nation-state could exploit in future operations.

“Being careful not to speculate on the defensive failures and required
corrective actions, I think it’s fair to say that every organization should
perform an in-depth analysis of their current threat models and their
defense-in-depth strategy,” Barker said. “To what degree are most companies
a target now? Are there any gaps in your defense-in-depth controls, notably
for the lateral movement TTPs prevalent in recent nation-state and
ransomware attacks?”

Ilia Kolochenko, founder of ImmuniWeb, and a member of the Europol Data
Protection Experts Network, agreed that the Fujitsu incident resembles the
SolarWinds hack in the U.S. He added that this recent attack may have
similar consequences, including enhanced cybersecurity regulations,
comprehensive due diligence of governmental contractors similar to the
Defense Department’s Cybersecurity Maturity Model Certification in the
U.S., and likely additional funding for national cybersecurity in Japan.

“Surging supply chain attacks of national amplitude and multi-billion
losses will probably trigger similar consequences around the globe,”
Kolochenko said. “Spending more does not mean spending wiser. Legislators
and regulators should consider a consistent, holistic, multistakeholder,
and long-term cybersecurity strategy as a key factor for regulated
organizations to prevent cyberattacks and reduce data breaches. Ad hoc or
unstructured approaches do not work anymore.”

Chuck Everette, director of cybersecurity at Deep Instinct, said while we
don’t yet know whether these actors gained unauthorized access because of a
vulnerability or a targeted supply chain attack, they did manage to gain
access. Everette said companies as large as Fujitsu need to understand that
to cyber criminals, they are seen as the ultimate trophy.

“The best protection against attacks such as this one is a multi-layered
approach using a variety of solutions,” he said. “A ‘prevention-first’
mindset is also key: attacks need to execute and run before they are picked
up and checked to see if they are malicious, sometimes taking as long as 60
seconds or more. When dealing with an unknown threat, 60 seconds is too
long to wait for an analysis.”