Japanese electronics and IT company NEC Corp disclosed a security breach today that took place more than three years ago, in December 2016.
The company’s admission comes after reports in Japanese media [1, 2, 3] that the company might have suffered a security breach but decided to keep it quiet.
Following these reports, and inquiries from ZDNet, NEC admitted to the security breach, but downplayed the severity of the intrusion.
Breach took place in 2016
In a short statement published on its website, the Japanese company said an attacker compromised its network in December 2016.
NEC said it failed to detect the intrusion until June 2017, when it finally spotted unauthorized encrypted traffic originating from one of its internal systems.
The company said it managed to decrypt this traffic in July 2018. According to its investigations, the decrypted traffic revealed that the attacker exfiltrated 27,445 files from its defense business division.
NEC said the data stored in the stolen files did not contain any details about defensive projects or personal information for employees or business partners. The company also said it notified all affected parties of the breach back in 2018.
Two more Japanese defense contractors hacked
NEC now becomes the second Japanese defense contractor to admit to a security breach during the course of this month.
Mitsubishi Electric disclosed a similar security breach last week, after hackers used a zero-day in the Trend Micro antivirus to infiltrate its network.
In a press conference today, Japanese Defense Minister Taro Kono said Mitsubishi Electric and NEC are just two of the four Japanese defense contractors that have been hacked between 2016 and 2018. The Minister did not disclose the names of the other two companies.
Previously, Japanese media reported that the Mitsubishi Electric hack was carried out by a Chinese state-sponsored cyber-espionage group known as Tick. Although some Japanese news outlets reported that the same Tick group was behind the NEC attack, these statements were based on attribution by proxy, without any actual proof or confirmation from verified sources.