
Nikkei struck by cyberattack after employee error

Japanese media giant Nikkei has suffered a data breach after malware infected an employee’s computer.

Japan's Nikkei index. — © AFP Kazuhiro NOGI

The Japanese media giant Nikkei has suffered a data breach after malware infected an employee’s computer. The company’s Slack messaging platform was compromised, exposing the personal information of over 17,000 employees and business partners.

A statement from Nikkei indicates: “No leakage of information related to sources or reporting activities has been confirmed. We take this incident seriously and will further strengthen personal information management to prevent any recurrence.”

The attack, whilst a form of ransomware, was a more focused form of data exfiltration, in which stolen information becomes the real leverage.

Looking into this latest cybersecurity issue for Digital Journal is Mayank Kumar, Founding AI Engineer at DeepTempo.

According to Kumar, there is a common pattern to this form of attack: “The Nikkei breach is a textbook example of the modern attack lifecycle, which pivots from a compromised endpoint directly to a high-value SaaS application. The initial malware infection was just a foothold.”

So what was the modus operandi for the cyberattack? Kumar says: “The true objective was to steal valid credentials, allowing attackers to ‘live off the land’ and blend seamlessly into normal business activities. Once inside Slack, they appeared to be legitimate employees, rendering signature-based or rule-based tools completely blind.”

As to the attack specifics, Kumar calls out: “For a SIEM (security information management), the login was valid, so no rule would fire, but for an NDR (network detection response), the traffic was encrypted, making payload inspection impossible. And even for a UEBA, the activity might not have been anomalous enough to breach a static threshold, especially if the attacker moved ‘low and slow’.”

An essential component of cybersecurity is a security information and event management (SIEM) solution. These solutions collect, aggregate, and analyse large volumes of data from organisation-wide applications, devices, servers, and users in real time.

There are lessons to be learned, explains Kumar, and these will require businesses to reform their security quite significantly. He recommends: “This is precisely why detection must evolve from looking for known ‘bads’ to recognizing malicious intent as it emerges. The critical challenge is no longer just stopping malware, it is about detecting an authenticated user whose intent, e.g., scraping 17,000 records, is fundamentally different from how the system routinely operates.”

Kumar closes his assessment with: “This requires a new approach that can identify subtle attacker progression patterns, even within encrypted traffic, and adapt automatically as attackers change their methods. A stolen password should be a minor alert, not a catastrophic breach.”
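To illustrate the point about static thresholds and "low and slow" activity, here is an added example that is not from Nikkei, Kumar or DeepTempo. It compares a fixed hourly volume rule with a per-account baseline; the event layout, account names, limits and all data are constructed assumptions, not Slack's audit log format.

```python
from collections import defaultdict
from statistics import mean, pstdev

STATIC_HOURLY_LIMIT = 500  # assumed fixed rule: flag > 500 records read by one user in one hour

# Constructed history: records read per day by each account over previous days.
HISTORY = {
    "alice": [40, 55, 38, 60, 47, 52, 45],     # ordinary employee
    "bob": [900, 1100, 950, 1000, 1050],       # admin who routinely runs large exports
}
# Constructed events for day 8: (user, day, hour, records_read).
EVENTS = [("alice", 8, h, 300) for h in range(8, 18)]   # 3,000 records, 300 per hour
EVENTS += [("bob", 8, 9, 600), ("bob", 8, 10, 450)]     # normal export for bob


def static_rule_alerts(events):
    """Fixed per-hour threshold: the same limit for every account."""
    per_hour = defaultdict(int)
    for user, day, hour, records in events:
        per_hour[(user, day, hour)] += records
    return sorted({u for (u, _, _), n in per_hour.items() if n > STATIC_HOURLY_LIMIT})


def baseline_alerts(history, events, z_limit=4.0, min_days=5):
    """Flag a daily total far above that account's own past daily totals."""
    per_day = defaultdict(int)
    for user, day, _hour, records in events:
        per_day[(user, day)] += records
    alerts = []
    for (user, day), total in sorted(per_day.items()):
        past = history.get(user, [])
        if len(past) < min_days:        # too little history to judge this account
            continue
        sigma = max(pstdev(past), 1.0)  # floor so very steady accounts do not divide by ~0
        z = (total - mean(past)) / sigma
        if z > z_limit:
            alerts.append((user, day, total, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("static rule:", static_rule_alerts(EVENTS))
    print("per-account baseline:", baseline_alerts(HISTORY, EVENTS))
```

On this constructed data the fixed rule flags only the admin's routine export, while the per-account baseline flags the ordinary account whose daily total sits far outside its own history despite every hour staying under the limit.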

This is not the only incident to strike Nikkei. In September 2019, Nikkei lost approximately $29 million in a business email compromise attack, which occurred after an employee was tricked by scammers posing as a Nikkei executive into sending the funds to a bank account they controlled.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
