Japan Cyber Threat Landscape report (H1 2019)
October 22, 2019
Japan: currently the host of the multi-national sporting event, the Rugby World Cup, and soon to be host of the Olympics 2020. Hosting such events is placing Japan on the international stage. Its economy also attracts attention: Japan has the third largest economy in the world, with prominent sectors including, but not limited to, electronics and goods, manufacturing (especially high-tech items), financial services and automobiles.
Geopolitically, Japan’s closest ally is the United States, and it is involved in or has close external relations with several international and regional organizations, including the Asia-Pacific Economic Cooperation (APEC), the Association of Southeast Asian Nations (ASEAN), the G8, the Organization for Economic Cooperation and Development (OECD), the United Nations, and the World Trade Organization (WTO).
More recently, however, Japan holds a difficult position in the East Asia region: the status of its longstanding and close security relationship with the U.S. has been questioned by President Trump, and it maintains tense relationships with both North Korea and China.
Japan’s advanced economy and established financial sector, coupled with its geopolitical relationships, have made it a key target for a variety of cyber attacks.
Japan Cyber Threat Landscape Overview
This blog looks at the publicly reported cyber incidents affecting Japanese entities during the first and second quarters of 2019. In particular, we highlight the sectors that experienced attacks, speculate why they were attacked and, more importantly, consider how this changes the country’s cyber threat landscape moving forward.
Figure 1: Attacks targeting Japan by attack type
Financially motivated activity was the most reported attack type; however, some of these incidents relate to ongoing campaigns or events which occurred in the previous year. Reported espionage activity is absent from this reporting period, but this is unlikely to represent a wider shift in the landscape, as it is likely that attacks occurred but have not yet been publicly reported.
Figure 2: Attacks targeting Japan by sector
Financial and technology organizations, including cryptocurrency-related ones, were the two most targeted sectors in this reporting period. This aligns with the regional increase in attacks against cryptocurrency-related entities (exchanges, wallets, mining organizations). The automotive, manufacturing, and technology sectors were also targeted during this period. Japan’s position as a key player in these sectors likely drives economic and intellectual property espionage operations. Retail was also highly targeted: the Japanese e-commerce sector has been growing, making it a target for espionage and financially motivated attacks.
Let’s dig into each of these top findings:
- Financially motivated attacks in Japan
During this reporting period, details were released about a likely Russia-associated attack on the Japanese cryptocurrency exchange CoinCheck. Given the region’s increasing normalization of cryptocurrency, combined with a lack of regulation and low levels of consumer awareness, cybercriminals have been increasingly targeting exchanges and wallets. This was also evidenced in the “Beapy” malicious cryptominer campaign, which targeted individuals to install malicious cryptocurrency miners on devices, as well as in the distribution of the NRSMiner. Additionally, the “Redaman” banking trojan, the “Ursnif” trojan, and the internet-of-things (IoT) malware “Bashlite” all pivoted to target individuals in Japan. Traditionally, the language barrier has prevented these more common banking trojans from targeting Japanese individuals and entities; however, the malware-as-a-service market has increasingly allowed threat actors to target their own regions by creating their own lure emails.
- Automotive sector a victim of espionage operations
One reported incident was an attack targeting Toyota Motor Corporation, which reportedly suffered a data breach that was linked to the Vietnamese state-associated “APT32”. APT32 has previously targeted automotive and manufacturing sectors within the APAC region. This incident reflects Japan’s status as a key exporter of automobiles and consumer electronics, as well as the increasing dependence of Vietnam on Japanese investment, which will likely drive further cyber activity: in 2018 Japan became the biggest foreign investor in Vietnamese industry, and the two countries have a bilateral trade agreement. It is also worth noting that espionage incidents have occurred during this period and have not yet been publicly reported or identified.
2019 APAC Cyber Threat Forecast
- Geopolitical tensions may drive espionage operations: Tensions between Japan and China are likely to drive geopolitical espionage operations. Similarly, increasing tensions between South Korea and Japan could also lead to an increase in espionage activity: in July 2019, following South Korean warning shots at Russian warplanes which had entered the airspace above islands that both Japan and South Korea had laid claim to, Japan denounced South Korea’s warning shots as unacceptable. Relations between the two countries are therefore likely to deteriorate, and the US has offered to work as a mediator between them. Should a trilateral meeting or talks come to fruition, a surge in cyber espionage operations focused on Japan-South Korea relations and on the meeting can be expected.
- Hosting international sporting events, such as the Olympics 2020, could drive espionage and financially motivated attacks: Espionage operations at international events, such as the Olympic Games, are typical: for instance, during the 2018 Winter Olympics nation-state threat actors used malware dubbed Olympic Destroyer to disrupt the opening ceremony. Given Japan’s proximity to North Korea and China, and its status as a close ally of the US, it is possible that cyber espionage operators in the region will target Japan for strategic information related to the event, and that other threat actors intent on embarrassing the Olympic committee or causing reputational damage will target the event for disruptive operations. Financially motivated activities, such as phishing campaigns, fraud, and banking trojans, are also common, as threat actors exploit the publicity surrounding the games to trick individuals into providing them with banking credentials or payment card details.