Numerous offices run by Japanese government agencies have been breached through a hacked Fujitsu tool for sharing information known as “ProjectWEB”.

A specialist in communications equipment and technology based in Japan, Fujitsu confirmed that malicious operators had acquired unauthorised access to certain projects that employed ProjectWEB and had stolen customer data.

While a comprehensive investigation is now underway, it is not presently clear if the breach was caused by an exploited vulnerability or if the target was in fact subject to a supply chain attack.

Thousands of email addresses accessed by attackers

A recent joint statement made by Japan’s National center of Incident readiness and Strategy for Cybersecurity (NISC) and the country’s Ministry of Land, Infrastructure, Transport and Tourism announced that the operators behind the attack were able to acquire inside information using Fujitsu’s compromised data-sharing tool, ProjectWEB.

The information sharing solution was developed by Fujitsu to empower organisations and enterprises to exchange data internally, with stakeholders and project leads.

After obtaining unauthorised access to Japanese government systems through ProjectWEB, the cybercriminals were able to acquire around 76,000 individual email addresses, as well as proprietary information such as the dedicated mail system’s settings.

According to Fujitsu literature, since 2009, the information sharing tool has seen extensive use and been involved in about 7,800 different projects.

The email addresses exposed in the incident included those belonging to external parties, such as Council of Experts members, all of whom have now been notified individually.

Far-reaching cyber strikes

Japanese press also reported that Narita International Airport, situated near the capital Tokyo, was impacted by the compromised tool, with the attackers managing to steal private flight schedules, air traffic control data and business operations information.

Additionally, the Ministry of Foreign Affairs in Japan has been hit by a data breach in which multiple study resources were disclosed to unauthorised threat operators.

In reaction, the NISC issued numerous advisories to alert critical infrastructure organisations and government agencies employing Fujitsu’s data-sharing tool to investigate and look for signs of any unauthorised access and data leakage.

A spokesperson from Fujitsu commented in a recent statement:

“Fujitsu can confirm unauthorized access to ‘Project WEB,’ a collaboration & project management software, used for Japanese-based projects. Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities. As a precautionary measure, we have suspended the use of this tool, and we have informed any potentially impacted customers.”

The technology company also stated it would be informing the relevant authorities while working directly with its customers to identify what caused the breach.

Businesses that have their systems or software compromised leading to data breaches are obligated to inform both data regulators and impacted individuals, from customers and clients to vendors and suppliers.

Here in the UK, companies suffering a data breach have 72 hours to notify the Information Commissioner’s Office (ICO) or face heavy financial penalties. Data subjects impacted by a leak must also be informed with details of the breach, what measures the company has taken and advice on how to mitigate potential harm.