Just a couple of weeks ago, fearing a repeat of the Colonial Pipeline-like hack, Japan had announced stringent regulations for critical services in the private sector. It had already tightened the screws in the public sector in 2018 by restricting procurement of foreign equipment in government purchases. However, no obligations were imposed on its local service providers. Call it complacency or pure coincidence, but the island nation is currently facing one of its worst nightmares because of a local tech giant Fujitsu. A hack in Fujitsu’s Software-as-a-Service (SaaS) platform, “ProjectWEB,” has affected multiple Japanese government offices that have reported incidents of data theft.
Introduced in 1998 due to the increasing number of security incidents, Fujitsu’s ProjectWEB was initially developed as an in-house knowledge management tool for the company itself. Later in the mid-2000s, looking at the benefits it had for enterprises, the platform was then introduced as a cloud-based SaaS for public-facing offices and businesses in Japan. ProjectWEB was probably Fujitsu’s very own “Microsoft Teams” platform back in the day. It allowed collaboration and file-sharing both with internal and external stakeholders for ease of work. As per Fujitsu’s 2009 datasheet, it had 3,000 clients using ProjectWEB, including government and private enterprises.
Japanese Government Offices Hacked
Japan’s local news daily NHK, on Wednesday, first reported that multiple Japanese offices were hacked resulting in leaks of many critical datasets. As per the initial investigation, the cybercriminals reportedly first gained access to Fujitsu’s software at Narita Airport near Tokyo. There, they stole the Air Traffic Control’s critical information and then moved to other governmental offices. In a separate report, the Ministry of Land, Infrastructure, Transport, and Tourism also reported unauthorized “third-party” access on its information-sharing system (which again is Fujitsu’s ProjectWEB) that leaked around 76,000 email addresses of its contractors and employees.
Japan’s Cabinet Cyber Security Center informed that the leak took place on May 24 and asked all agencies and private enterprises using Fujitsu’s ProjectWEB to stay alert and look out for any signatures or suspicious activities and possible leaks through their network. The Cabinet did not confirm other governmental agencies that were affected in this compromise but a report from Radio Taiwan suggests that even the National Center of Incident readiness and Strategy for Cybersecurity (NISC), which is responsible for information security countermeasures in the Japanese government, fell prey to it. It added that “data such as equipment and composition used by the information system in the center were also stolen.”
However, the NISC itself is leading the investigation behind the hack and asked Fujitsu to temporarily suspend its ProjectWEB services. Fujitsu has obliged and is further analyzing the scope and impact of the hack. The company has issued a press release stating, “We take this case very seriously and will continue to consult with the relevant authorities and make every effort to support the victims.”
A similar supply chain attack that shook the world earlier in the year was Accellion’s FTA hack. The company’s legacy file transfer sharing software, which was reaching its end of life, was exploited by cybercriminals who targeted multiple sectors with it across the globe. Supply chain attacks have seen an uptick since the SolarWinds attack in December 2020, and Fujitsu’s ProjectWEB could very well be Japan’s very own SolarWinds.