Kawasaki Kobe Shipyard in Japan. (663highland/CC BY-SA 3.0)

Some information from the overseas offices of Kawasaki Heavy Industries may have been leaked as a result of a breach, announced the manufacturer, which counts Boeing and the Japanese Defense Ministry among its customers.

A Kawasaki announcement said the scope of the unauthorized access spanned multiple domestic and overseas offices, causing a delay of several months before the company could formally announce the incidents.

On June 11, an internal system audit revealed an unauthorized connection to a server in Japan from an overseas office in Thailand. Within the same day, communication between the overseas office and Kawasaki’s Japan office was terminated. However, the company also discovered other unauthorized accesses last summer to servers in Japan from other overseas sites in Indonesia, the Philippines, and the United States.

In the aftermath of the incidents, the company worked closely with an independent external security firm which confirmed that information of “unknown” content may have been leaked to a third party, but not sensitive personal information.  

However, the The Japan Times reports that the hack may have targeted defense-related information held by Kawasaki Heavy Industries, which produces aircraft and submarines for the Japanese Defense Ministry and supports a number of defense contracts with ally nations. In the United States the company works closely with Boeing on commercial jets.

Kawasaki said all affected customers have been contacted individually. In addition, the company formed a cybersecurity group on Nov. 1 that reports to the corporate president. The new group is charged with strengthening security measures and analyzing the latest unauthorized access methods to prevent any future incidents.

Shawn Wallace, vice president of energy at IronNet Cybersecurity, said technology companies and defense contractors are constant targets for data and intellectual property theft and should have robust cybersecurity programs  because they know they are targets.

“The fact that this attack was successful leads me to believe it’s most likely a nation-state using sophisticated tools,” Wallace said. “I find it frustrating that the attack was not shared outside Kawasaki for several months. Who knows if other defense contractors were breached using the same offensive tools, but are unaware because they have not detected it? If Kawasaki would have admitted the breach and shared IOCs or TTPs sooner, then other attacks may have been prevented.”

Chad Anderson, senior security researcher at DomainTools, added that while not many details from the Kawasaki breach have been released, it’s a positive step that they have established a dedicated cybersecurity team.

“Companies taking security more seriously is always a win for themselves and the consumer,” Anderson said. “Second, this breach from a satellite office shows what is often the case: adversaries will target smaller branch offices and vendors knowing that their security may not be as good as their main target, but that the main target still trusts the branch office’s security nonetheless. This is similar to what we observed with SolarWinds most recently and dozens of other attacks throughout this year.”

Chris Morales, head of security analytics at Vectra AI, pointed out that he sees misconfiguration of privilege access quite often and it’s a pervasive problem in the industry.

“Managing access control and data permissions is difficult without a proper understanding of the who, what, and where of data access models,” Morales said. “To truly understand data flow and access, organizations need to observe privilege based on real world activity and assess the access that does occur. This would allow an organization to differentiate between what should and should not occur.”