Shortly after the alert sounded at 9:10 p.m., Yahoo Japan’s risk team knew it had a problem. Some 20 million user names and passwords were being dumped into a file that could then be stolen. “What the hell are you doing?” the team asked the employee whose account was copying the encrypted data, recalls risk manager Motonobu Koh. “I’m not doing anything,” the worker replied. “I’m at home.” The responders managed to block the download.
The April 2, 2013, breach of Yahoo Japan, controlled by SoftBank, was an attempt to grab the identities of visitors to Japan’s most-trafficked website. It remains one of the biggest attacks on the data of the Japanese public. Other targets in the past few years included Sony, defense contractor Mitsubishi Heavy Industries, the Japan Aerospace Exploration Agency, and once-preeminent Bitcoin exchange Mt. Gox.
In the coming months, Japan’s government is expected to pass a law designed to beef up the country’s surprisingly slack cybersecurity. Only about half of Japanese companies have an IT security policy, according to the National Information Security Center (NISC), a government agency. “The biggest problem, and the biggest ally of cyber attackers aiming at Japan, is the widespread belief that it can’t happen here,” says William Saito, an information technology strategy adviser to Prime Minister Shinzo Abe’s cabinet.
Companies in Japan are among the world’s most vulnerable, and hacking attacks on state entities have more than doubled since 2010 to one every 30 seconds, according to data from Japan’s government and the Ponemon Institute, a U.S.-based security researcher. Attacks in Japan surpassed 1 million in 2012. Among those hit: the government trade negotiations team, the lower house of Parliament, and a nuclear power research institute. Part of the problem, NISC said in a report last year, is that the country has a shortage of 80,000 information security engineers, and that most of the ones in place lack the skills to counter online threats.
The proposed law would name NISC the cabinet’s primary cybersecurity coordinator and require companies to report all incidents regardless of bad publicity. The legislation was spurred in part by the need to prepare for Tokyo’s 2020 Summer Olympic Games, says Takuya Hirai, a lawmaker with the ruling Liberal Democratic Party who drafted the bill. It passed the lower house and is awaiting a vote in the upper house.
While it’s hard to pinpoint where the growing attacks against Japan are coming from, security companies agree that most of the servers used by hackers are in China and that viruses are often written using Chinese-language operating systems. Although groups from more than one country appear to be involved and the hackers may just be using the servers, the attacks are on the same scale as those that prompted the U.S. to accuse China of state-backed industrial espionage, says Itsuro Nishimoto, chief technology officer at LAC, a Japanese cybersecurity consultant. (The Chinese government has denied the U.S. accusations.)
At Yahoo Japan, Koh says he has a good idea where his adversaries are from but declines to say. His experience helps illustrate the challenges that NISC and Japan’s companies will face. A month after the April 2013 breach, just as his team had finished its investigation and had patched flaws in its network, the attackers returned, exploiting a different system weakness. They also changed tack, copying smaller batches of data. Koh’s unit again blocked the attack, but not before the intruders made off with information belonging to 1.5 million customers. Last October the same intruders attacked for a third time but were repelled, says Koh. All three attacks used malware designed specifically for Yahoo Japan’s computers; the company’s name was written into the code.
“At this point there are only two types of companies in Japan: the ones that have been attacked, and the ones that just don’t know it yet,” says Saito, the government adviser. “There’s no shame in that. We just have to realize we’re all victims here, and we need to work together to change it.”