Japanese government agencies suffer data breaches after Fujitsu hack

Offices of multiple Japanese agencies were breached via Fujitsu's "ProjectWEB" information sharing tool.

Fujitsu states that attackers gained unauthorized access to projects that used ProjectWEB, and stole some customer data.

It is not yet clear if this breach occurred because of a vulnerability exploit, or a targeted supply-chain attack, and an investigation is ongoing.

Attackers accessed at least 76,000 email addresses

Yesterday, the Ministry of Land, Infrastructure, Transport and Tourism and the National Cyber ​​Security Center (NISC) of Japan announced that attackers were able to obtain inside information via Fujitsu's information-sharing tool.

Fujitsu also said that attackers had gained unauthorized access to projects that used ProjectWEB, and stolen proprietary data.

Fujitsu's ProjectWEB enables companies and organizations to exchange information internally, with project managers and stakeholders, for example.

By gaining unauthorized access to government systems via ProjectWEB, attackers were able to obtain at least 76,000 e-mail addresses, and proprietary information, including the e-mail system settings, as confirmed by the Ministry of Land, Infrastructure, Transport, and Tourism.

As of 2009, the tool was in widespread use by approximately 7,800 projects, according to a Fujitsu document seen by BleepingComputer:

The exposed email addresses included those of external parties, such as members of the Council of Experts, who have been individually notified.

Japanese press reported Narita International Airport, located near Tokyo, was impacted as well since Fujitsu attackers managed to steal air traffic control data, flight schedules, and information on business operations.

Additionally, Japan's Ministry of Foreign Affairs suffered from a data leak in which some study materials were exposed to unauthorized actors.

As such, Cabinet Secretariat's national cybersecurity center (NISC) issued multiple advisories [1, 2] alerting government agencies and critical infrastructure organizations using Fujitsu's tool to check for signs of unauthorized access and information leakage.

Fujitsu suspends ProjectWEB online portal

As seen by BleepingComputer, Fujitsu has suspended its ProjectWEB portal while the scope and cause of this incident are being fully investigated.

The URL to the login portal has been timing out when access is attempted:

Since the ProjectWEB portal was hosted on the "soln.jp" domain, one way to check if your organization has been impacted, or was a customer at some point, is to look for traces of the domain or the aforementioned URL in your network logs.

Fujitsu states they will be notifying the relevant authorities and work with their customers to identify the cause of the breach, in a press release.

BleepingComputer reached out to Fujitsu with specific questions related to the incident, and we were told:

"Fujitsu can confirm unauthorized access to 'Project WEB,' a collaboration & project management software, used for Japanese-based projects."

"Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities. As a precautionary measure, we have suspended [the] use of this tool, and we have informed any potentially impacted customers," a Fujitsu spokesperson told BleepingComputer.

Although disclosure of technical details behind this attack is pending, the incident has echoes of the Accellion file sharing tool hack which impacted hundreds of customer organizations.

Update 04:30 AM ET: Added statement from Fujitsu received after publishing.