Japan is the world’s third largest economy. It attracts both criminal and nation-state cyberattacks. The effects of these attacks can be felt on a global scale.
The primary cause of cyberattacks against Japanese computer systems are the strength and quality of its manufacturing base. The size of Japanese manufacturers makes them an attractive target for criminal extortion. The quality of Japanese products makes the manufacturers’ IP an attractive target for nation-state attackers seeking to improve their own knowledge and economy.
The nature and effect of the attacks turns attacks against Japan into global events – as explained in a Rapid7 report (PDF) titled Japan and Its Global Business Footprint.
The geographical and geopolitical position of Japan places it adjacent and opposed to three of the world’s four greatest wielders of state-affiliated cyberattacks: to the east of China, the south of Russia, and close to North Korea. China and Russia have a history of using cyberespionage to steal IP for their own military or economic use. North Korea is more concerned with stealing money to support its government against global sanctions, but has been known to use ransomware to these ends. For both money and IP, Japan is an attractive target.
Geopolitically, Japan is part of the western coalition, and has its own problems with Russia in the territorial dispute over the Kuril Islands. Its support for Ukraine against Russia likely increases any geopolitical tensions with Russia, but there is relatively little evidence of direct Russian geopolitical retribution against Japan.
Two possibilities noted by Rapid7 include the Killnet DDoS attacks against the websites of Japanese government organizations and private sector companies in September 2022 (The Japan Times), and the earlier ransomware attack against Toyota in February 2022. The ransomware attack followed the Russian ambassador’s warning to Japan not to support western sanctions over Ukraine, and has led to suspicion (not proof) that there may have been Russian state involvement.
Outside of geopolitics, it is the nature and importance of globalism and the global supply chain that gives attacks against Japan their global relevance. Japanese manufacturers have many subsidiaries outside of Japan. Smaller subsidiaries are likely to be less well-defended than their parent companies and can be used as the entry route taken by attackers.
The report notes two further reasons that make this non-Japan route attractive or open to attackers (both criminal and nation state). The first is language. Japanese is widely spoken in Japan, but almost nowhere else, where English is the global business language. For foreign attackers, it is easier to compose a compelling phishing email in English than it is in Japanese.
“Generally speaking,” Paul Prudhomme, principal security analyst at Rapid7 (and author of the report) told SecurityWeek, “if you speak English, it is easier to send somebody a phishing email or some sort of other social engineering attack.” Foreign subsidiaries or suppliers are consequently a route used to attack Japanese firms. “If you’re a US or UK subsidiary of a Japanese company, you could be at higher risk simply by virtue of the fact that you speak English, which makes you easier to phish.”
The second is the nature of globalism and foreign acquisitions. “If the overseas subsidiary was an acquisition,” he continued, “perhaps that acquisition came with existing compromises or some sort of existing security issue. This is also a key vulnerability.”
Nation state attackers generally avoid causing damage – their primary intent is to steal information, often as quietly as possible. Criminals operate differently. Their purpose is to extort money by whatever means – and ransomware is the favored weapon. In extortion attacks that include encryption of both IT and OT, the purpose is to halt, and ransom, the manufacturing process.
Japanese manufacturers are particularly susceptible to this through the common use of ‘just in time manufacturing’. This is considered an efficient business process – supplies are not accrued and kept in storage until use, but rather are delivered directly to the production line. This releases funds otherwise tied up in stored stock warehouses.
The downside, however, is that there are no stock reserves. This leaves the firm particularly vulnerable to business disruption attacks – the effect is felt immediately. But this is just the beginning. If the manufacturer cannot produce new parts, they cannot be shipped to customers, and those customers may be located anywhere in the world.
The criminals are gambling that the speed of wide scale negative effects from a disruption attack against Japanese manufacturing will facilitate their extortion attempts.
It is the size of the Japanese economy that makes Japan an attractive target for cyberattacks, but it is globalism that makes the effects of those attacks a global issue. The attackers may be nation state actors or outright criminals. They will commonly attack through non-Japanese affiliates or subsidiaries, but the effect of the attacks will reach beyond Japan through exported Japanese manufacturing parts.
The biggest single take-away from Rapid7’s report is that regardless of your organization’s location, if you do business with Japan, you need to consider the ramifications of Japan’s global business footprint and the cybersecurity posture of your Japanese partner or parent. “I cannot emphasize this enough,” said Prudhomme. “With these large and well-known Japanese brands, the attackers will often go after the overseas subsidiaries or affiliates, and then use the initial footholds to move laterally into the parent company in Japan.”