Japan's Space Exploration Agency reported this week that it experienced a cyber incident this past summer stemming from a breach of Microsoft Active Directory - raising concerns that nation-state actors might be after the country's space program data. Chief cabinet secretary Hirokazu Matsuno raised the topic of the incident in a morning briefing on Nov. 29, mentioning that the agency investigated and preliminarily found that illegal access had indeed taken place. The agency was allegedly unaware of the attack until it was contacted by the authorities. As mentioned, the breach was located in the organization's AD environment, the central server that manages access control for JAXA's network, including admin passwords for corporate applications. According to The Japan News, an official related to JAXA reportedly stated that "As long as the AD server was hacked, it was very likely that most of the information was visible. This is a very serious situation," though there is much that has not yet been confirmed. This is not the first time that this Microsoft component has led to a compromise of information. Just earlier this year, US Sen. Ron Wyden wrote to the heads of CISA, the Justice Department, and the FTC asking them to hold Microsoft responsible after a Microsoft 365 breach due to three vulnerabilities in its Exchange Online email service and the Azure Active Directory. Just prior to that, it was discovered that a stolen Microsoft account key could allow threat actors to create access tokens for a variety of different types of Azure Active Directory applications. The breach raises concerns that Japan's space program has been exposed, according to Ted Miracco, CEO of mobile security company Approov, who noted that JAXA has been a target before; in 2016 and 2017, JAXA was among 200 Japanese companies and research institutes allegedly targeted by Chinese military hackers. "The cyberattack on Japan's aerospace exploration agency bears all the characteristics reminiscent of past incidents, raising questions about the involvement of state-sponsored actors," Miracco said via email. "In the historical context, previous attacks were linked to Chinese military hackers, and the reported exploitation of a vulnerability disclosed by a network equipment manufacturer in June adds a layer of sophistication to the attack, indicating a state-sponsored attack. He added,"The motivation behind the cyber intrusion, given the nature of JAXA's operations in satellite development and advanced missions, points towards an interest in strategic intelligence and technological advancements. Understanding the identity, methods, and motivations of the perpetrators becomes crucial in fortifying cybersecurity measures to mitigate future risks, as these attacks are unlikely to stop anytime soon. JAXA has shut down part of its network and launched a full investigation to determine the scope of the breach and its impact. The agency is working with the central government, as well as police, on the matter.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 01 Dec 2023 19:20:04 +0000