Japan’s Critical Infrastructure Under Attack

Wednesday, February 24, 2016 @ 01:02 PM gHale

It is easy to work and live in a vacuum and think security issues exist only within your realm, but protecting critical infrastructure remains a global concern.

Just look at Japan.

There has been a multi-year, multi-attack campaign against Japanese critical infrastructure, according to a report from security firm Cylance’s SPEAR team. SPEAR, which stands for Sophisticated Penetration, Exploitation, Analysis, and Response, is an advanced research team consisting of Cylance veterans.


Researchers found how a well-organized and well-funded threat group, likely associated with a nation/state, used a series of different attacks and techniques to infiltrate and gather sensitive information from companies in electric utilities, oil and gas, finance, transportation and construction. Cylance called the attack Operation Dust Storm.

The attack group is currently focusing on Japanese companies or Japanese divisions of larger foreign organizations. The group focuses on exploiting Android-based mobile devices because these types of attacks are more prevalent in the mobile-centric business cultures in Asia, according to researchers.

SPEAR researchers do not think the attacks were meant to be destructive or disruptive. However, the team believes attacks of this nature on companies involved in Japanese critical infrastructure and resources are ongoing and are likely to continue to escalate in the future.

“Operation Dust Storm has slowly evolved over time to become increasingly effective,” SPEAR researchers said. “Early operations were extremely blunt, relatively unsophisticated, and readily picked up by the security industry. As the group became more and more focused on Japan, less and less of their tactics and malware appeared in reports or write-ups. The targets identified escalated both in size and in the scope of affected industries.

“As a result, SPEAR felt obligated to share with the community and public what was discovered recently, to hopefully stunt the attackers’ progress for a time. SPEAR has been closely following the aftermath of public reporting. We have decided that even though disclosure often forces attackers to change, it also enables defenders to better detect and expel “real” threats from their environments.”

Among the highlights of the research: current activity has shown an exclusive focus on Japanese companies or Japanese divisions of larger organizations not headquartered in Japan.

Also, the campaign goes over five years of multiple cyber attacks against companies in Japan, South Korea, the U.S. and Europe.

In addition, after evaluating the malware at the first stages of attack, Cylance found evidence the motive is long-term data exfiltration.

Critical infrastructure targets include electric utilities, oil and gas, finance, transportation and construction. Last year, Cylance researchers found two more waves of attacks, which started in July and October. One of the primary targets was a Japanese subsidiary of a South Korean electric utility.

As a point of reference, the attacks used spear phishing, waterholes, backdoors and zero-days to breach corporate networks and Android-based mobile devices.

Also, researchers said the attack campaign used customized malware for particular target organizations; one 2015 attack involved the use of a backdoor variant designed specifically to compromise the investment arm of a major Japanese automaker.
