Japan-based systems integrator NTT Communications has disclosed a recent data breach that it said impacted hundreds of customers.
As many as 621 customers were affected, the company said, but security experts worry about the wider impact of the breach because the company is a systems integrator, a position that could create widespread ramifications for its supply-chain partners. NTT Communications is a subsidiary of Fortune 500 company Nippon Telegraph and Telephone Corp., the largest telecommunications company in Japan (and one of the largest worldwide).
“At this point, we have completed initial actions such as stopping the server that served as a stepping stone [for the breach], but we will contact customers who may have been affected in order. At the same time, we are implementing measures to prevent recurrence,” according to the company’s translated data-breach disclosure.
The company said on Thursday that the data breach occurred on May 7. The hack was detected by the company on May 11 and has since been remediated. NTT Communications did not clarify what kind of data may have been accessed, nor did it mention how attackers were able to move laterally on the network. Threatpost has reached out for further clarification.
However, local media reports say that information leaked may have involved the Japan Self-Defense Forces (i.e., Japan’s military forces).
NTT Communications first discovered the intrusion after detecting suspicious activity on its Active Directory server. According to its data-breach notice, attackers initially targeted a cloud server within its Singapore operations (the method used for the initial compromise is unclear). This was then used as a stepping stone to reach several other servers within the company’s service-management segment, including NTT Communications’ Active Directory server and a construction-information management server. NTT Communications believes that attackers used the latter server to reach its Japanese hosting and cloud services, and ultimately steal files.
“BHE [short for Biz Hosting Enterprise, NTT’s cloud hosting service] has transitioned the environment of its customers to new services,” according to its data-breach notice. “We believe that Server B [the cloud server], which was being removed due to the migration, the overseas operation server, and some communication routes were used as the intrusion route for the attackers.”
The company said it has also discovered and blocked external websites that were being used by the attackers to communicate with the malware. Moving forward, NTT Communications said it will continue to investigate the internal server group and will take steps to further improve security measures.
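The intrusion path described above (a server that was being decommissioned during a migration used as a stepping stone into the service-management segment and on to the directory server) is the kind of activity that a simple log check can surface. The following is an added example, not code from NTT Communications or Threatpost: it scans constructed domain-controller authentication records and flags logons that originate from hosts marked as decommissioned in an inventory or from a network segment that has no business reaching the directory tier. The log format, host names, segment ranges and the `srv-b-sg-old` inventory entry are all hypothetical.

```python
"""
Flag directory-server authentication events that come from hosts that should
no longer exist (retired during a migration) or from network segments that
are not expected to reach the domain controllers.

Added example; log format, inventory and segment map are constructed.
"""
from dataclasses import dataclass
import ipaddress
import re

# Constructed inventory (hypothetical): hosts retired by the migration that
# should generate no authentication traffic at all.
DECOMMISSIONED_HOSTS = {"srv-b-sg-old"}

# Constructed segment map (hypothetical): only the service-management segment
# is expected to authenticate directly against the domain controllers.
ALLOWED_SOURCE_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]

# Simplified, constructed record layout; real collectors (Windows Security
# log event 4624, for instance) carry the same fields under other names.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dc=(?P<dc>\S+) event=(?P<event>\d+) user=(?P<user>\S+) "
    r"src_host=(?P<src_host>\S+) src_ip=(?P<src_ip>\S+)$"
)


@dataclass
class Finding:
    ts: str
    reason: str
    line: str


def parse(line):
    """Return the record fields as a dict, or None for a line we cannot parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec):
    """Return the list of reasons a single parsed record is suspicious."""
    reasons = []
    if rec["src_host"].lower() in DECOMMISSIONED_HOSTS:
        reasons.append("auth from decommissioned host")
    ip = ipaddress.ip_address(rec["src_ip"])
    if not any(ip in net for net in ALLOWED_SOURCE_SEGMENTS):
        reasons.append("auth from segment not permitted to reach DC")
    return reasons


def scan(lines):
    """Run every record through evaluate() and collect one Finding per reason."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed input is skipped, not silently trusted
        for reason in evaluate(rec):
            findings.append(Finding(rec["ts"], reason, line.strip()))
    return findings


# Constructed sample log: one clean workstation logon, one logon from the
# retired server on a foreign segment, one more clean logon, a malformed
# line, and a logon from an unexpected segment.
SAMPLE_LOG = [
    "2020-05-07T03:12:44Z dc=dc01 event=4624 user=svc_build src_host=mgmt-ws-17 src_ip=10.20.4.17",
    "2020-05-07T03:15:02Z dc=dc01 event=4624 user=admin-ops src_host=srv-b-sg-old src_ip=10.77.1.9",
    "2020-05-07T03:16:30Z dc=dc01 event=4624 user=jdoe src_host=mgmt-ws-03 src_ip=10.20.4.3",
    "this line is not a valid record",
    "2020-05-07T03:20:11Z dc=dc01 event=4624 user=admin-ops src_host=cims-01 src_ip=192.168.50.4",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.reason}: {f.line}")
```

The two checks are deliberately independent: a retired host reappearing is a finding even if it sits on an allowed segment, and a foreign segment is a finding even if the host name is unknown, so a single stale inventory entry does not hide the other signal.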
However, Joseph Carson, chief security scientist and Advisory CISO at Thycotic, told Threatpost that the NTT Communications data breach could have “serious cascading impacts,” particularly given the compromise of the Active Directory server, which is a popular directory service developed by Microsoft for Windows domain networks.
“Once an Active Directory Server is compromised, or an attacker has gained Domain Admin access (keys to the kingdom), it is game over,” said Carson. “That is when you start to unplug from the internet and begin a deep digital forensics, and ultimately, a massive clean-up. If your AD is completely compromised, then a true eradication of the incident likely means rebuilding your Active Directory, which for any large organization is not an easy feat.”
Other security experts worry about the ripple-effect impacts of the data breach on NTT Communications’ supply-chain partners.
“Major IT and security providers often have deep access to customer environments and sensitive information, and this makes service providers and software companies prime targets for attack,” Jack Mannino, CEO at nVisium, told Threatpost. “These types of attacks often go unnoticed for extended periods and pose a risk across the IT supply chain.”