Cyber Incident Victim: Mitsubishi Electric Corporation
Date:
Jun 2019
Location:
Japan
Summary
Mitsubishi Electric experienced a cybersecurity breach involving unauthorized access by a third party, leading to potential data exfiltration. The attackers, suspected to be the Chinese-linked cyber-espionage group Tick (aka Bronze Butler), compromised systems through sophisticated methods including log deletion to obscure activities. Personal information of employees, recruitment applicants, and retirees—along with sensitive corporate documents related to government agencies and private-sector collaborations—were at risk of exposure. While investigations confirmed no leakage of highly confidential technical data or critical infrastructure details pertaining to defense, power, or railways, the incident impacted multiple domestic and international servers. The company notified affected individuals and authorities, though no direct damages were reported.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Mitsubishi Electric detected unauthorized network activity on June 28, 2019, triggering an investigation that revealed third-party data transmission from compromised terminals. The attackers employed advanced methods to delete operational logs on some devices, significantly delaying confirmation of the breach's scope until the company's public disclosure on January 20, 2020. Evidence suggested the intrusion originated through compromised accounts at Chinese affiliates before spreading to the corporate network, where threat actors targeted middle-management PCs with broad access privileges. Media reports attributed the attack to Chinese state-sponsored group Tick (also known as Bronze Butler or REDBALDKNIGHT), known for targeting Japanese industrial and infrastructure entities through spearphishing and zero-day exploits to steal intellectual property. The group's characteristic log-deletion tactics obstructed Mitsubishi's ability to determine whether approximately 200 MB of documents had been exfiltrated from affected terminals.
Potentially compromised data included personal information for 1,987 recruitment applicants, employment records for 4,566 current and former staff spanning 2011-2020, and 1,569 personnel system surveys from 2012 involving retired employees. Internal documents related to government collaborations with Japan's Ministry of Defense, Nuclear Regulatory Commission, and other agencies were also at risk, along with joint development materials with utility, railway, and telecommunications partners. Mitsubishi's investigation concluded no leakage occurred for defense equipment specifications, critical infrastructure technical data, or highly confidential business partner information. The company notified Japanese authorities, with Chief Cabinet Secretary Yoshihide Suga publicly confirming no compromise of defense or power infrastructure secrets. Mitsubishi initiated customer notifications regarding potential trade secret exposure while maintaining that no operational impacts or misuse of leaked data had been observed as of the disclosure date.