The cyber threat landscape in Japan – risks, threats and mitigation guidance
In our recent research “Better Safe Than Sorry”, we reported how the number of exposed OT/ICS devices in Japan grew by 372% over the past six years. During this time, several notable cyber-attacks targeted businesses and government entities in Japan.
The substantial increase in exposed OT/ICS devices, combined with the recent cyber-attacks in Japan, prompted us to take a deeper look at the current threat landscape in the country. OT and IoT devices are often insecure by design, so these attacks are a wake-up call to improve cyber resilience.
Major cybersecurity attacks in Japan: 2020 to 2024
In April 2024, the Hunters International ransomware attack targeted the optical manufacturer Hoya. Production and order processing capabilities were shut down as attackers exfiltrated 1.7 million files (roughly 2TB of data) — and demanded $10 million in payment.
In July 2023, the LockBit ransomware attack on the port of Nagoya disrupted its cargo loading and unloading operations, affecting some 15,000 containers, including Toyota's.
Ransomware is not the only type of cyberattack affecting the country. Japanese media recently confirmed that Chinese threat actors compromised confidential Japanese government networks in 2020. Similar operations, leveraging vulnerable security appliances and other edge devices, also took place in 2022 and 2023.
Risks: Exposed devices
The Shodan search engine reports almost 17 million internet-accessible devices in Japan, including VPN routers with exposed management interfaces and building automation systems.
Most of these devices are routers, networking equipment and security appliances, which are expected to be internet-accessible (though their management interfaces should not be). There are also more than 2 million connected IP cameras, over 150,000 printers and thousands of other OT and IoT devices. The figure below shows a breakdown of these devices per type and exposed port/service.
In terms of OT devices, nearly a third use the popular Modbus protocol which is the most attacked OT protocol, according to our 2023 Threat Roundup. There are also a significant number of devices using building automation protocols, such as BACnet, Fox and KNX. Plus, there are devices using proprietary protocols, including Omron FINS and Unitronics PCOM which were recently targeted by custom malware and hacktivists.
These devices can be directly attacked by opportunistic or targeted attackers, because the OT protocols they speak require no authentication: anyone who can reach the port can read and write process data. In some cases, attackers can directly access human-machine interfaces (HMIs) that provide start/stop or configuration capabilities, such as the one shown here for one of the devices found in Japan.
Some devices also expose firmware version information in their protocol banners or identification responses, which attackers can match against known exploitable vulnerabilities; Siemens S7 programmable logic controllers (PLCs) are one example of devices that advertise this information.
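To make the point concrete, the following is an added example, not code from the original report or from any Forescout tool, of how the Modbus Read Device Identification function (function code 43, MEI type 14) hands vendor name, product code and firmware revision to anyone who can reach TCP port 502, with no credentials involved, and how a scanner can match that against an advisory table. The vendor, product, version numbers and advisory label are hypothetical, and the device response bytes are constructed inline, so the script runs offline.

```python
import re
import struct

# Modbus/TCP: Encapsulated Interface Transport (function code 43) carrying
# MEI type 14, Read Device Identification. Basic objects are 0x00 VendorName,
# 0x01 ProductCode and 0x02 MajorMinorRevision.
FC_ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E
READ_DEVICE_ID_BASIC = 0x01
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id_request(transaction_id=1, unit_id=1, object_id=0x00):
    """Build the request that asks a device to identify itself. Nothing in the
    exchange authenticates the client."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                 READ_DEVICE_ID_BASIC, object_id])
    # MBAP header: transaction id, protocol id (0 = Modbus), number of bytes
    # that follow (unit id + PDU), unit id.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id_response(frame):
    """Parse a Read Device Identification response into its objects.
    Raises ValueError on malformed frames and on Modbus exception responses."""
    if len(frame) < 7:
        raise ValueError("frame shorter than the 7-byte MBAP header")
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if protocol_id != 0 or length != len(pdu) + 1:
        raise ValueError("MBAP protocol id or length does not match the frame")
    if len(pdu) < 2:
        raise ValueError("empty PDU")
    if pdu[0] == FC_ENCAPSULATED_INTERFACE | 0x80:
        raise ValueError(f"Modbus exception response, code 0x{pdu[1]:02x}")
    if len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] Read Device ID code, pdu[3] conformity level, pdu[4] more follows,
    # pdu[5] next object id, pdu[6] number of objects in this response.
    more_follows, count = pdu[4], pdu[6]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit_id": unit_id, "more_follows": more_follows != 0, "objects": objects}


def version_tuple(text):
    """'V2.1.0' -> (2, 1, 0); tolerant of vendor prefixes and suffixes."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


# Constructed, hypothetical advisory table: (vendor, product) -> (fixed-in
# version, advisory label). Neither the product nor the advisory is real.
KNOWN_VULNERABLE = {
    ("ExampleVendor", "EX-PLC-100"): ("V2.2.0", "HYPOTHETICAL-ADV-001"),
}


def match_known_vulnerable(ident):
    """Return the advisory label when the identified firmware predates the fix."""
    objs = ident["objects"]
    key = (objs.get("VendorName"), objs.get("ProductCode"))
    revision = objs.get("MajorMinorRevision", "")
    if key not in KNOWN_VULNERABLE or not revision:
        return None
    fixed_in, advisory = KNOWN_VULNERABLE[key]
    return advisory if version_tuple(revision) < version_tuple(fixed_in) else None


def constructed_sample_response(transaction_id=1, unit_id=1):
    """A constructed response of the shape a PLC returns (no real device)."""
    body = b""
    for obj_id, value in [(0x00, b"ExampleVendor"), (0x01, b"EX-PLC-100"), (0x02, b"V2.1.0")]:
        body += bytes([obj_id, len(value)]) + value
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, READ_DEVICE_ID_BASIC,
                 0x01,          # conformity level: basic identification, stream access
                 0x00,          # more follows: no
                 0x00,          # next object id
                 0x03]) + body  # number of objects
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    print("request:", build_read_device_id_request().hex())
    ident = parse_read_device_id_response(constructed_sample_response())
    print(ident)
    print("advisory match:", match_known_vulnerable(ident))
```

Against a live device the request bytes would simply be sent over a TCP socket to port 502 and the reply fed to the parser; the point is that the identification data comes back without any form of authentication, which is why an exposed port 502 alone is enough for an attacker to pick an exploit.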
Threats: malicious actors and ransomware
Forescout Research – Vedere Labs' Threat Actor Knowledgebase has information on 68 threat actors that target or have targeted Japan. Most of these actors have targeted government agencies (75%), financial services (66%) or energy companies (60%), but other industries have also been attacked.
More than half of these actors are cyber-criminals with a main goal of financial gain. Just under half (47%) are state-sponsored actors focused on intelligence gathering, espionage and intellectual property theft. Finally, around 2% are hacktivists executing denial of service attacks, sabotage or destruction operations. Thirty-eight percent of the actors are from China, 31% are based in Russia and 4% are North Korean.
Japan was the sixteenth most attacked country by ransomware groups in 2023 with 45 incidents perpetrated by 14 groups. Manufacturing was the most targeted industry (31%), followed by technology (19%) and services (10%). There have been seven more ransomware incidents reported in early 2024.
Mitigation guidance
Japan is the world’s fourth largest economy by nominal GDP. It is a powerhouse of advanced manufacturing and international trade — and an important player in geopolitics, especially in Asia. Organizations operating in the country are likely to be targeted by cybercriminals seeking money, hacktivists trying to spread a political message and state actors serving foreign interests.
To manage the risk, organizations should proactively identify and reduce their cyber exposure. Due to the increased scope of attacks on unmanaged devices, we recommend organizations in Japan focus on the following three strategic areas of cybersecurity:
- Risk & Exposure Management
Begin by conducting a thorough assessment of every asset connected to your network, especially OT and IoT assets, which are often vulnerable. Scrutinize each asset's security posture, known vulnerabilities, credentials and open ports. Replace default and easily guessable credentials with strong, unique passwords for each device. Disable unused services, patch vulnerabilities promptly, and adopt a risk-based approach to mitigation. Apply automated controls across the entire enterprise rather than in isolated silos.
- Network Security
Avoid exposing unmanaged devices directly to the internet. Opt for network segmentation to isolate IT, IoT and OT devices, restricting network connections to specifically designated management and engineering workstations. Segmentation should extend not only between IT and OT but also within these networks to thwart lateral movement and data exfiltration. Implement restrictions on external communication paths and employ isolation or containment measures for vulnerable devices as a mitigating control, especially when immediate patching is challenging.
- Threat Detection & Response
Utilize an IoT/OT-capable monitoring solution to detect and alert on malicious indicators and behaviors. Monitor internal systems and communications for known hostile actions, such as vulnerability exploitation, password guessing and unauthorized use of OT protocols. Alert network operators to anomalous and malformed traffic. Consider solutions that collect telemetry and logs from diverse sources and correlate attack signals for analyst investigation. These solutions offer the capability to automate response actions across the enterprise.
We emphasize that traditional cyber hygiene practices must be applied comprehensively across all network assets. Prioritize the most critical attack surfaces based on up-to-date threat and business intelligence for a robust cybersecurity posture.
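As an added example, not part of the original guidance and not the logic of any particular product, the following script applies the segmentation and detection rules from the Network Security and Threat Detection & Response items above to constructed log records. It treats only designated engineering workstations as allowed to write to PLCs, HMIs as read-only, any other host speaking Modbus to the OT segment as unauthorized, and it flags malformed Modbus frames and repeated failed logins. The addresses, the log format, the thresholds and the log lines themselves are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed segmentation policy with hypothetical addresses: engineering
# workstations may program (write to) PLCs, HMIs may only read, and no other
# host may talk Modbus to the OT segment at all.
POLICY = {
    "engineering_workstations": {"10.10.1.10", "10.10.1.11"},
    "hmi_hosts": {"10.10.2.20"},
    "plcs": {"10.20.0.5", "10.20.0.6"},
}
# Modbus function codes that change process state: write single coil/register,
# write multiple coils/registers, mask write register, read/write multiple.
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FAILED_LOGIN_THRESHOLD = 5          # assumed threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=2)


def parse_log_line(line):
    """Constructed log format: '<iso-timestamp> <src> <dst> <dport> <event> key=value ...'."""
    ts, src, dst, dport, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "event": event, **fields}


def detect(lines):
    """Return (rule, src, dst) alerts for policy violations in the log lines."""
    alerts = []
    failed_logins = defaultdict(list)       # (src, dst) -> recent failure timestamps
    allowed_readers = POLICY["engineering_workstations"] | POLICY["hmi_hosts"]
    for r in (parse_log_line(l) for l in lines if l.strip()):
        if r["event"] == "modbus" and r["dst"] in POLICY["plcs"]:
            if r["src"] not in allowed_readers:
                alerts.append(("unauthorized_ot_protocol_use", r["src"], r["dst"]))
            elif (int(r["fc"]) in MODBUS_WRITE_FUNCTIONS
                  and r["src"] not in POLICY["engineering_workstations"]):
                alerts.append(("write_from_read_only_host", r["src"], r["dst"]))
        elif r["event"] == "modbus_malformed":
            alerts.append(("malformed_ot_traffic", r["src"], r["dst"]))
        elif r["event"] == "login_failed":
            window = failed_logins[(r["src"], r["dst"])]
            window.append(r["ts"])
            # keep only failures inside the sliding window, alert once on the threshold
            window[:] = [t for t in window if r["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("password_guessing", r["src"], r["dst"]))
    return alerts


# Constructed sample log: none of these hosts or events are real.
SAMPLE_LOG = [
    "2024-05-01T08:00:00 10.10.1.10 10.20.0.5 502 modbus fc=16",   # engineering write: allowed
    "2024-05-01T08:00:05 10.10.2.20 10.20.0.5 502 modbus fc=3",    # HMI read: allowed
    "2024-05-01T08:00:09 10.10.2.20 10.20.0.6 502 modbus fc=6",    # HMI write: violation
    "2024-05-01T08:01:00 10.10.3.77 10.20.0.5 502 modbus fc=43",   # unknown host: violation
    "2024-05-01T08:01:02 10.10.3.77 10.20.0.5 502 modbus_malformed reason=mbap_length",
    "2024-05-01T08:02:00 10.10.3.77 10.10.2.20 22 login_failed user=admin",
    "2024-05-01T08:02:10 10.10.3.77 10.10.2.20 22 login_failed user=admin",
    "2024-05-01T08:02:20 10.10.3.77 10.10.2.20 22 login_failed user=admin",
    "2024-05-01T08:02:30 10.10.3.77 10.10.2.20 22 login_failed user=admin",
    "2024-05-01T08:02:40 10.10.3.77 10.10.2.20 22 login_failed user=admin",  # 5th: alert
    "2024-05-01T08:05:00 10.10.3.77 10.10.2.20 22 login_failed user=admin",  # outside window
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The same allowlist that drives the detector is the one a segmentation firewall between the IT and OT zones should enforce: if only the engineering workstations and HMIs can reach port 502 on the PLC subnet, the "unauthorized_ot_protocol_use" alert becomes a sign that a control has failed rather than the only line of defense.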