An expert investigation has revealed that an American subsidiary of HOYA, a major optical equipment company that handles contact lenses, was hit by a cyber attack, and that data which appears to be stolen confidential information was released on a site on the dark web. The company is hurrying to identify what the data contains.

Last week, a cybercrime group calling itself the "Astro Team" posted a claim of responsibility on the Internet, stating that it had targeted the server of an American subsidiary of HOYA, a major optical equipment company headquartered in Shinjuku-ku, Tokyo, and stolen about 300 gigabytes of confidential data such as financial and customer information.



Subsequently, an expert survey found that before 1:30 am Japan time on the 24th, the criminal group had published multiple files on a site it set up on the dark web, a highly anonymous part of the Internet.

The dark web is an area of the Internet that can only be reached by special means, and merely accessing it can expose a visitor to cyber attacks.



According to experts, the published files included:

▽ documents containing data on customers' eyesight, such as lens power,

▽ a list of customer addresses, phone numbers, and credit card information, and

▽ employee salary statements and internal emails.



Takashi Yoshikawa of Mitsui Bussan Secure Direction, who conducted the investigation, said, "It seems that the attack was caused by a ransom-demanding virus that demands money in exchange for not disclosing stolen data; Capcom, a major game company, was attacked in Japan last year. The damage is expanding. Companies need to strengthen security measures for things such as externally connected devices."



HOYA said, "A US subsidiary suffered a system failure due to a cyber attack, but has since recovered. Initial investigations suggest that the failure is limited to systems in the United States, and we are asking an expert to investigate in order to identify the scope and content of the attack."

"Ransomware": the virus that demands a ransom

The ransom-demanding virus that appears to have been used in this attack is known as "ransomware". Once a computer or other device is infected, it automatically encrypts the data stored on it and demands a ransom in exchange for restoring access.



There is also a more malicious "exposure type" variant that first steals confidential information and then threatens to leak it if the victim does not pay, and cases of damage from it are occurring one after another in Japan.



In November of last year, the major game software company Capcom was attacked through a weakness in a virtual private network device, or "VPN", and infected with ransomware. It was revealed that the personal information of 5,649 people was leaked.



In January, it was also confirmed that a server of the Yamagata Chamber of Commerce and Industry had been infected, and that information such as staff members' addresses, career histories, and salaries had been leaked on the dark web, the highly anonymous part of the Internet.



Furthermore, in February, it came to light that the server of a consulting company working for local governments under contract from the Ministry of Internal Affairs and Communications had been infected, and that personal information related to work entrusted by about 80 local governments and ministries may have been leaked.



According to the National Police Agency, police nationwide received reports of at least 23 cases of "ransomware" damage from companies and other organizations last year.



In addition, when the information security company CrowdStrike surveyed security officers of major companies around the world from August to September last year, 103 of the 200 respondents from Japan answered that they had suffered "ransomware" damage during the preceding year.

What is the "Astro Team" that issued the claim of responsibility?

According to Takashi Yoshikawa of Mitsui Bussan Secure Direction, who is familiar with ransom-demanding viruses, the group calling itself the "Astro Team" that issued the claim of responsibility is a cybercrime group that has been confirmed attacking companies around the world with ransom-type viruses since February.



It first breaks into the target organization's central server, then carefully reconnoiters the systems beneath it, steals the organization's important information, encrypts it with the virus, and demands a ransom. Its distinguishing feature is that if the victim does not respond, it exposes the stolen data.



So far, it has been confirmed to have attacked a French power company, a Spanish cosmetics maker, and an American medical device maker.



According to Mr. Yoshikawa, these groups tend to target weaknesses in the remote-connection devices used for telework during the coronavirus pandemic, and the following countermeasures are effective:



▽ Introduce multi-factor authentication for logins

▽ Allow only a limited number of people to connect from outside

▽ Keep software and devices updated

▽ Strengthen server monitoring so that abnormalities are noticed