A subsidiary of Japanese industrial conglomerate Toshiba said its European operations were hit by a cyber attack earlier this month that appeared to have been perpetrated by the hacker group DarkSide.
DarkSide has been blamed by the FBI for the ransomware attack on the Colonial petroleum pipeline last week that caused a five-day shutdown of the critical US oil artery and a rise in fuel prices.
Toshiba Tec, which sells point-of-sale systems for retailers, said in a statement on Friday that the impact of the May 4 cyber attack appeared to be limited to its European operations. While it has not confirmed any leakage of client information, Toshiba Tec warned that there was a “high possibility” certain details and data have been released by the hacker group.
“We will begin restoring operations for where we have been able to confirm valid back-up data,” it said.
Masaharu Kamo, an executive officer at Toshiba, said at a separate earnings briefing on Friday that the incident had not affected the group’s network and was limited to its subsidiary.
According to cyber security company Mitsui Bussan Secure Directions, DarkSide released a statement early on Friday confirming that it was behind the attack against a Toshiba base in France. The hacker group claimed to have accessed more than 740 gigabytes of data including those related to “executive management, indirect sales, projects, new business and trade, human resources, passports and personal information”.
Takashi Yoshikawa, senior malware analyst at MBSD, said it was unclear why Toshiba Tec was targeted. “Generally speaking, there is more damage to a company that operates plants and manufacturing facilities. The logic could be that it’s easier to seek a ransom by inflicting bigger damage,” he added.
DarkSide emerged as a leading ransomware outfit last August and is believed to be run from Russia by an experienced team of online criminals.
One cyber security expert, who works closely with the Japanese government and specialises in state-sponsored hacks, said attacks on companies in Japan were rampant and possibly at their highest frequency ever.
The person said Japanese companies represented a comparatively soft target for criminal hacker groups such as DarkSide versus businesses in the UK and US. That is largely because many Japanese groups do not treat the threat of cyber attack in the same way they assess other operational risks.
“There are exceptions, of course, but as a general statement, Japanese companies lay themselves open to attacks because managements underestimate how much of their time and resources are needed to build the right protections and protocols. When they are informed on that, they often do not take the advice,” he said.
The cyber attack came on the same day that Toshiba announced it would return an additional ¥150bn ($1.4bn) to shareholders and review its wide portfolio of assets in a bid to allay investors after rejecting a $20bn buyout bid from private equity group CVC.
Some of Toshiba’s largest shareholders believe that a private equity-backed deal that takes the company private remains a possibility, arguing that the main significance of the CVC proposal was the indication that such a deal was acceptable in at least some quarters of the Japanese government.
People close to other large private equity groups, including KKR and Bain, have said that those firms would strongly consider bids if there were a clear green light from the government.
Toshiba also said that Yoshiaki Fujimori, a senior executive adviser to CVC in Japan, will resign as non-executive director in June.