Japan’s cyber security agency suffers months-long breach

The organisation responsible for Japan’s national defences against cyber attacks has itself been infiltrated by hackers, who may have gained access to sensitive data for as much as nine months.

According to three government and private sector sources familiar with the situation, Chinese state-backed hackers were believed to be behind the attack on Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which began last autumn and was not detected until June.

The discovery of the incident and the sensitivity of the target comes at a time of unprecedented scrutiny of Japan’s vulnerability to cyber attack. Tokyo is embarking on deeper military co-operation with the US and regional allies, including work on a joint fighter project with the UK and Italy, in which top secret technological data will be exchanged.

Government cyber security experts in both the US and UK have expressed strong reservations about Japan’s ability to safely handle data.

This month the Washington Post reported the discovery of a massive attack on Japan’s defence networks by Chinese military hackers carried out in late 2020. In July, the port of Nagoya was temporarily closed down in what was believed to be a Russian ransomeware attack. But concerns have been raised at the highest levels in Tokyo over whether the incident was part of an attempt by state actors such as China to test Japan’s defences.

NISC announced in early August that some personal data linked to email exchanges between October last year and June this year may have leaked after its email system was hacked. The breach appeared to have been made via the email account of an individual staff member, NISC said.

NISC sent a series of emailed notices to private and governmental partners in Japan and overseas warning them that data might have been compromised. In the public statement, NISC said that following an investigation by outside specialists it had “just discovered that email data may have leaked outside” and that it had notified people who were involved in the email exchanges.

NISC is a unit that sits within the Cabinet Office in the top echelons of the Japanese government, and two people familiar with the attack said it had triggered an investigation into whether the access gained had allowed hackers to target other, highly sensitive servers within the same government building in central Tokyo.

An official at NISC said its investigation had concluded that only information on its email system was compromised. The official declined to comment on whether the system was believed to have been invaded by Chinese state-sponsored hackers.

One person familiar with the matter said the incident appeared to have had Chinese backing. “There is always a small element of doubt, but given the style of attack and the nature of the target itself, we can say with almost complete certainty that this originated with a state actor, and that the actor was most probably China,” the person said.

Another said they believed China was “without doubt” behind the attack.

China’s foreign affairs ministry dismissed claims that the country was behind the attack. It said the NISC statement did not mention China and urged Tokyo to look instead at the US, which it said was known for spying on allies.

“WikiLeaks previously disclosed that the US carried out cyber espionage against Japan, including cabinet members,” China’s foreign ministry said. “Could they [Japan’s cyber experts] be focusing their attention in the wrong direction?”

In 2015, the WikiLeaks website published documents allegedly showing the US spied on Japanese cabinet officials, banks and companies.

Efforts by Japan to bolster its powers to defend against cyber attacks have been constrained by a lack of personnel and digital expertise.

Government plans have focused on increasing the size and training facilities for the cyber unit that sits within Japan’s Self-Defense Forces. At the end of March, the group had just under 900 members, compared with the estimated 6,200 in its US counterpart and at least 30,000 in China.

Additional reporting by Kana Inagaki in Tokyo and Joe Leahy in Beijing