Chinese hackers working on computer showing penetration of Japan military networks

Former Military Officials: Chinese Hackers Penetrated Japanese Military Networks in 2020, Maintained Presence Into 2021

Speaking under condition of anonymity, former United States military officials have told the Washington Post that state-backed Chinese hackers made their way deep into Japan’s military networks in 2020 in a breach described as “shockingly bad.” Japan’s defense minister was reportedly briefed, but the hackers retained significant access until at least November 2021.

The sources say that the Chinese hackers combed Japan’s military networks over this extended period in search of military plans, documentation of capabilities, and assessments of vulnerabilities. The discovery may be hampering the sharing of intelligence between the US and Japan, which is a critically important US military ally in the Asia Pacific region.

Chinese hackers showing more interest in an increasingly well-armed Japan

Since the end of World War II, Japan and the US have mostly operated under “sword and shield” security treaties that limit Tokyo to providing for its own immediate self-defense while the US patrols and secures the Pacific. That has begun to change recently, as Japan has announced a new national security strategy that includes purchasing missiles and counterstrike capabilities that can reach mainland China while also expanding US military access to get regiments physically closer to Taiwan.

For their part, Chinese hackers have been testing US allies in the region in seeming preparation for a potential military conflict. The NSA discovered that Japan’s military networks had been breached in the fall of 2020, in a campaign described as “deep and persistent.” NSA head Gen. Paul Nakasone and White House deputy national security adviser Matthew Pottinger reportedly raced to Tokyo to brief Japan’s defense minister, who in turn put them in touch with the prime minister.

The officials left Japan with the feeling that the breach would be handled, but follow-up in early 2021 indicated that the Chinese hackers were still roaming Japan’s military networks. Serious action began in spring of 2021, when the one-two punch of the massive Microsoft Exchange breach and the attack on Colonial Pipeline seemed to finally wake Tokyo up. But officials there were leery of directly allowing the US onto military networks (as has happened in Ukraine and other countries), and a compromise had to be reached involving domestic teams doing most of the cleanup with outside guidance from an NSA/Cyber Command team.

Further follow-up in the fall of 2021 found that this approach was not making sufficient progress to keep the Chinese hackers out of Japan’s military networks. This prompted another high-level diplomatic visit from the US to Tokyo, revamping the approach with the assistance of newly appointed national security adviser Takeo Akiba. Japan then launched its own Cyber Command and committed to spending some $7 billion over five years on cybersecurity response capability.

Some of the lag in the cleanup can be attributed to a well-founded lack of trust in US intelligence, at least in terms of granting privileged access to military networks. The Snowden leaks of 2013 made clear that the US is not above spying on its own allies, and officials in this case were not able to disclose to the Japanese exactly how the NSA knew the Chinese hackers had breached their systems.

Military networks throughout the Pacific tested by China’s state-backed hackers

The simmering conflict over Taiwan is the single biggest issue, but China has made broad claims of ownership of territory in the South China Sea that have stepped on the toes of numerous other nations. The US military does not directly take a side in these claims, but does send ships and patrols to contested areas to “ensure freedom of navigation” and has provided equipment to some of these nations.

Chinese hackers thus have a broad intelligence gathering interest in what has gradually become a more unstable region, and other reports from anonymous officials indicate they may be seeding military networks in the Pacific with “kill switch” malware to be activated in the event of a confrontation.

As Tom Kellermann, SVP of cyber strategy at Contrast Security, observes: “The QUAD military alliance is under siege by the PLA.  The siege began in earnest when US Navy networks were breached in Guam and since then the attacks have escalated.  These pulses will serve as a harbinger for the invasion of Taiwan where cyberattacks will be the tip of the spear.”

It is unclear if Japan’s military networks were hit by that malware campaign, but it was found in Guam and in unspecified other parts of the US where civilian critical infrastructure overlaps with the utilities that power military bases.

The U.S., Japan and South Korea are in the midst of putting together a summit to work out a new mutual security pact and improve communications on potentially serious issues. A US official has disclosed that this could include new trilateral training exercises and improvements to missile defense systems in addition to addressing cybersecurity issues.

Japanese Defense Minister Yasukazu Hamada would not confirm that any sensitive information had been lost to Chinese hackers, but did say that there were no cases of military networks being disrupted due to a cyber attack.