Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Big Cyberespionage Attack Against Japan Attributed to China

Japan's Classified Defense Networks Reportedly Suffered a Major Breach in 2020
Big Cyberespionage Attack Against Japan Attributed to China
U.S. Gen. Paul M. Nakasone, who heads Cyber Command, meets with Yasuhide Nakayama, then Japan's state minister of defense, in August 2021. (Image: U.S. Department of Defense)

Classified military networks run by Japan reportedly suffered a massive breach in 2020 at the hands of a Chinese cyberespionage group that proved tough to eject even after being discovered.

Hackers accessed Ministry of Defense plans as well as information about military capabilities and shortcomings, unnamed senior U.S. officials told The Washington Post.

In a Monday report that reveals the breach publicly for the first time, the newspaper reported that the network penetration was so serious that both Army Gen. Paul M. Nakasone, who heads the National Security Agency and U.S. Cyber Command, and Matthew Pottinger, who was then the White House deputy national security adviser, "raced to Tokyo" to brief the defense minister.

The Japanese government said it could not confirm if confidential information had been leaked due to the intrusion, Japanese Chief Cabinet Secretary Hirokazu Matsuno said at a regularly scheduled press briefing on Tuesday.

Matsuno said there continues to be "close collaboration between Japan and the United States" on cybersecurity matters.

Speaking on background, U.S. defense officials told the Post that in 2021, the White House didn't think Japan was doing enough to seal its networks against Chinese hackers. They said while Tokyo has made notable strides since, shortcomings continue and could imperil intelligence sharing between the Pentagon and Japan's Defense Ministry at a time when the rising threat posed by China demands even closer collaboration.

Top National Security Threat

U.S. government networks haven't been immune to attacks attributed to Chinese espionage groups.

"China probably currently represents the broadest, most active and persistent cyberespionage threat to U.S. government and private sector networks," said the most recent annual report of worldwide threats to the national security of the United States, published by the Office of the Director of National Intelligence.

In May, cybersecurity experts said, a Chinese espionage group given the codename Storm-0558 by Microsoft began using forged tokens to gain access to Exchange and Outlook email accounts hosted online by Microsoft for 25 different organizations worldwide. Victims of the attack campaign, which wasn't discovered until last month, included Western European governments as well as the U.S. Commerce and State departments, including the U.S. ambassador to China.

These are far from the first technically sophisticated online attacks to have been attributed to China. Last October, hackers began targeting a zero-day vulnerability in Barracuda Email Security Gateway, designated as CVE-2023-2868.

The ESG-targeting attack campaign wasn't discovered by Barracuda until May 19, at which point it brought in Google's Mandiant incident response group to investigate (see: Hackers Exploited Zero-Day Bug for 8 Months, Barracuda Warns).

On Saturday, public broadcaster Japan Broadcasting Corp., known as NHK, first reported that the Japanese Cabinet Secretariat's Cybersecurity Center, which sets the country's cybersecurity policy, had been among the victims of the Barracuda ESG campaign.

Mandiant reported that it has "high confidence" that the group of attackers, which it now tracks as UNC4841, "is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China."

Eradicating hackers from networks where they have gained a foothold has proven to be extremely challenging. "Following Barracuda's vulnerability disclosure and initial remediation actions, UNC4841 countered by moving rapidly to alter its malware, employ additional persistence mechanisms, and move laterally in an attempt to maintain access to compromised environments," Mandiant reported.

"This actor is characteristic of the changing nature of Chinese cyberespionage," said John Hultquist, chief analyst at Google Cloud's Mandiant incident response group. "Their activity has grown from loud, easily detected operations to careful and stealthy intrusions which will challenge even the most sophisticated security teams."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.