Fujitsu pulls ProjectWEB tool offline after apparent supply chain attack sees Japanese infosec agency data stolen
No sign of ransomware - or attacker's identity, so far
A Fujitsu project management suite is causing red faces at the Japanese company’s HQ after “unauthorised access” resulted in data being stolen from government agencies, local reports say.
Chief cabinet secretary Katsunobu Kato told Japan’s Nikkei financial newspaper earlier today: “We are asking Fujitsu to contact us promptly if we confirm an information leak.”
The firm’s ProjectWEB tool was reportedly accessed by an unidentified “third party” who helped themself to data from, among others, Japan’s Ministry of Foreign Affairs, its Cabinet Office Cyber Security Centre and the Ministry of Land (MoL). Around 76,000 email addresses were reportedly copied from the MoL’s servers, including those of private businesses that communicated with the agency.
ProjectWEB is Fujitsu’s in-house knowledge management tool used by its software division. First introduced in 1998, it appears (judging by this academic paper, among others) that about a decade ago Fujitsu was hoping ProjectWEB would become a worldwide earner in the same way as Six Sigma boosted General Electric’s fortunes in the 1990s.
The tool is reportedly in wide use within the Japanese private and public sectors alike, drawing further comparisons with the unholy trinity of F5, Citrix and Pulse Secure vulns used to compromise large numbers of Western businesses in recent months.
So far the identity of the attackers is not publicly known, though the ongoing nature of the compromises, against various organisations and government agencies which appear to still be operating, do not suggest a ransomware component. Nonetheless, Fujitsu has shut down ProjectWEB and pulled it offline.
The Japan Broadcasting Association (NHK), the local equivalent of the BBC, reported that on 20 May data was stolen through a ProjectWEB deployment used in Tokyo Narita airport, the capital’s main international hub.
While local reports are guarded in their wording, a Taiwanese news outlet said “data such as equipment and composition used by the information system” was stolen from the Cabinet Office Cyber Security Centre shortly afterwards.
Oz Alashe, chief exec of behavioural security platform CybSafe, commented: “The attack on these Japanese government agencies is a stark reminder of the cyber risks posed by the supply chain. Securing their own networks, data and users is a challenge in itself for organisations, and the threat of data loss and compromise via third parties in the supply chain adds a new layer of complexity to the equation.
A Fujitsu spokesman told The Register: “Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities. As a precautionary measure, we have suspended use of this tool, and we have informed any potentially impacted customers.”
“We apologize for the great concern and inconvenience caused to all concerned parties, and will do our utmost to support the victims after consulting with the relevant authorities,” added a statement originally sent by Fujitsu to the Nikkei financial newspaper.
In the UK, Fujitsu has been in the headlines lately for its starring role in the Post Office scandal, the biggest miscarriage of justice in British legal history. ®