A security audit has found that 123 computers in Japan's Finance Ministry were infiltrated by malware that went undetected for nearly two years. According to media reports, the ministry said that no confidential taxpayer information was exposed. It is not known who was behind the hack, which started in 2010 and continued until the end of 2011.
The Japan Times speculates that hacktivist group Anonymous could have been behind the malware, having threatened an attack earlier this year. Yet, it is not likely that Anonymous carried out this attack.
The first instances of the ministry Trojan malware started in January 2010, well before Anonymous came to prominence as a global group of malicious hackers in mid-2011.
And Anonymous does not usually launch “phishing” or “spear phishing” attacks, where poisoned emails are sent to a select group of victims in the hope that they will be tricked into downloading malware. Early indications are that the ministry was hit by just such an attack.
Instead, Anonymous deploys brute-force tactics, attacking and defacing sites and gaining hooks into databases through operations called SQL injections. In a successful SQL injection, data supplied by a client is incorporated into a query that the application sends to its database, so the database ends up executing the attacker's SQL. It is an effective way to find large data sets, which Anonymous is fond of publishing. See attacks on Booz Allen Hamilton and HBGary.
From what is known now, the Ministry of Finance attack does not fit that profile.
According to reports, 123 of 2,000 computers checked in the Japanese Finance Ministry (the equivalent of the U.S. Internal Revenue Service) were infected. The ministry claims that the computers mostly belonged to junior officials, most likely restricting data accessed to internal ministry communications.
The virus went undetected by antivirus software.
Updated antivirus programs spot known viruses. Assuming the ministry's software was current, the perpetrators likely used a “Zero Day” hack, which exploits a previously unknown vulnerability. When malware goes undetected for a long time, it is likely that the malware is being controlled from an outside server that can send it instructions on when and how to hide itself.
This is the second time in one year that the Japanese government has succumbed to malware. In October 2011, systems used by members of the Japanese Parliament were infected after an official opened a malicious email.
A researcher for security firm Sophos said that the firm had no specifics of the latest Japanese case as yet, but offered this pertinent bit of advice:
“Clearly all government departments, military contractors and businesses need to understand that they could potentially be on somebody's target list,” said Sophos security researcher Graham Cluley.