Shortly after the alert sounded at 9:10 p.m., Yahoo Japan Corp.’s risk team knew it had a problem. More than 20 million usernames and passwords belonging to its customers were being dumped into a file, primed to be stolen.
“What the hell are you doing?” the team asked the Yahoo employee whose account was capturing the encrypted data. The download was blocked immediately, Motonobu Koh, a risk manager, recalled in a recent interview. Then the worker replied: “I’m not doing anything. I’m at home.”
The April 2013 breach of Yahoo Japan, controlled by billionaire Masayoshi Son’s SoftBank Corp., was an attempt to grab the user identities of the nation’s most visited website. The operation was similar in scale to the 2011 assault on U.S. defense contractor Lockheed Martin Corp., said Itsuro Nishimoto, chief technology officer at LAC Co., Japan’s first cybersecurity response center.
Now, after a series of hacks on targets from the nation’s space agency and its largest defense contractor to Bitcoin exchange operator Mt. Gox, Japan’s government is set to pass a law in fall to beef up cybersecurity in the world’s third-largest economy. Less than 25 percent of Japanese companies have a business continuity plan in case of a cyber-attack, according to the National Information Security Center, a government agency.
“The biggest problem -- and the biggest ally of cyber-attackers aiming at Japan -- is the widespread belief that ‘it can’t happen here,’” said William Saito, an information technology strategy adviser to the nation’s Cabinet. While the U.S. has named Internet attacks among its biggest threats, awareness in Japan is still “very low,” he said.
Companies in Japan are among the world’s most vulnerable to an attack, and threats against state entities have more than doubled since 2010 to one every 30 seconds, according to the Ponemon Institute, a U.S.-based information security research center, and Japanese government data.
The number of attacks in Japan surpassed 1 million in 2012, more than doubling from two years earlier, with the government trade negotiations team, the lower house of parliament and a nuclear power research institute among those hit, according to state data.
Only about half of Japanese companies have an IT security policy, according to the National Information Security Center. The country has a shortage of 80,000 information security engineers, and about 60 percent of the existing ones lack the skills to counter online threats, the agency, known as NISC, said in a cybersecurity strategy report last year.
The proposed new law would name NISC as the central cybersecurity coordinator reporting directly to Japan’s Cabinet, said Takuya Hirai, a lawmaker with the ruling Liberal Democratic Party who drafted the bill. It would also require companies, which often don’t disclose hacking attacks to avoid negative publicity, to report all such incidents.
The bill was spurred in part by the need to prepare for the 2020 Olympic Games in Tokyo, Hirai said in an interview. It has passed the lower house of the parliament and is awaiting upper-house action during the coming fall legislative session.
The law will come too late for Tokyo-based Mt. Gox, once the world’s largest Bitcoin exchange. Lax security allowed hackers to steal about $473 million worth of the virtual currency, leading the company to file for bankruptcy in February. Sony Corp. was attacked at least 21 times in 2011, including a raid that stole personal data from about 77 million users of its PlayStation Network online service, according to the Open Security Foundation, based in Glen Allen, Virginia.
Even the Japan Basketball Association isn’t safe. Three attempts were made on its website since mid-February, which involved malicious code that redirected visitors to bugged servers, said Joji Hamada, a senior security response manager at Symantec Corp. in Tokyo. Targets may have included Finance Minister Taro Aso, who served as the association’s chairman, or members of the International Olympic Committee who might visit the site, Hamada said.
“One thing we’re pretty sure about is that the end goal wasn’t the JBA,” Hamada said.
Still, attacks against defense-related targets may be the biggest driver behind the proposed new cybersecurity law.
In September 2011, the Yomiuri newspaper reported that computers and servers at Mitsubishi Heavy Industries Ltd., Japan’s biggest defense contractor, were infiltrated, potentially compromising data on missile technology and nuclear reactors.
The revelation was “a huge slap” and an embarrassment for Japan, said Paul Kallender, an associate researcher at the Global Security Research Institute at Keio University in Tokyo. Mitsubishi Heavy, which is involved in projects from Lockheed Martin’s F-35 fighter plane to nuclear reactors for export to Turkey, is at the “apex of Japan’s strategic and industrial base,” he said.
A spokesman for Mitsubishi Heavy said the company had no further comments on the incidents in 2011, other than affirming its commitment to best security practices. He asked not to be named, citing company policy.
The Mitsubishi Heavy breach was a watershed moment, according to LAC’s Nishimoto, who said his company’s warnings about online spying against Japan had previously fallen on deaf ears.
“People understood for the first time that cyber-espionage is actually also happening in Japan,” he said.
That still didn’t prevent more attacks. Starting in January 2012, the Japan Aerospace Exploration Agency, the country’s equivalent of NASA, was breached three times over a 15-month span, according to the agency’s website.
The attacks on JAXA, as the space agency is known, may have been orchestrated by North Korea seeking information on rockets for use in its missile program, Nishimoto said. The initial attacks came as the agency was preparing to launch a next-generation rocket, said a person familiar with the matter, who asked not to be named for national security reasons. The hackers returned after the rocket failed to launch, looking for information on how JAXA was resolving the issue, the person said.
A spokesman for JAXA said he couldn’t comment on the attacks. He asked not to be named, citing agency policy.
Some of the strikes on aerospace, energy and military targets in Japan and India in recent years were carried out by a sophisticated group of hackers using tools designed to mask their location, Tokyo-based security firm Trend Micro Inc. said in a 2012 report that nicknamed the group “LuckyCat.” One member of the group is a well-known Chinese hacker nicknamed “dang0102,” Trend Micro said.
Cyberspying isn’t just a national-security matter but also a threat to Japan Inc.’s competitiveness, said Saito, the government adviser.
Several unlisted websites and file-sharing portals hosted in China were discovered recently to contain hundreds of product designs and specifications of Japanese manufacturers, said two people familiar with the monitoring, asking not to be named because the research is a national security matter.
While it’s hard to pinpoint where the growing attacks against Japan are coming from, security companies agree that most of the servers used by hackers are in China and that viruses are often written using Chinese-language operating systems. The hackers may just be using the servers, and groups from more than one country are involved, Nishimoto said.
The attacks leveled at Japan are on the same scale as those that prompted the U.S. to accuse China of state-backed industrial espionage, Nishimoto said. The U.S. government indicted five Chinese military officials in May for allegedly stealing trade secrets from American companies. China has denied the accusations.
At Yahoo Japan, Koh, a principal at the chief executive officer’s risk management office, said he has a pretty good idea where his adversaries came from. He declined to give specifics, citing the burden of proof.
Just as Yahoo Japan had finished investigating the April 2013 breach, and ran tests to patch the holes used to enter its network, the attackers returned in May, exploiting a different route into the company’s system. They also changed tack, copying smaller batches. Koh’s unit detected them and again blocked their data mining, but not before they made off with data belonging to 1.5 million customers, he said.
“We had shut them out in April, but they found another backdoor,” Koh said. “As an engineer, it’s pretty hard to swallow.”
By the time the attackers returned a third time last October, the company knew what it was facing and cut off the intruders at the start, preventing a breach. It was a “coordinated, professional group, which operated like a company” with the aim of stealing trade secrets, Koh said.
In all three attacks, the group used malware that was designed specifically for Yahoo Japan’s computers and had the company’s name written into its code, he said.
To Saito, the attacks against Japanese targets are both a threat and an opportunity. Domestic companies should see IT security as a potential competitive advantage and an industry ripe for expansion, he said.
“At this point, there only two types of companies in Japan: the ones that’ve been attacked and the ones that just don’t know it yet,” Saito said. “There’s no shame in that. We just have to realize we’re all victims here, and we need to work together to change it.”