Rash of Cyber Threats on Japanese Targets Continues

Posted: 21st November 2013

Hacktivist collective Anonymous recently threatened 22 Japanese websites, including those of prominent government agencies, in protest against the annual Taiji dolphin hunt. Though action against these sites has not been observed, the threatened attacks are the latest in a tough few months for information security in Japan.

The timeline from Recorded Future and the bulleted list below describe a series of events recently troubling Japanese threat intelligence teams:

And a quick summary:

  • September 17, Qualys reports Japanese media websites were compromised in watering hole attacks using an unpatched vulnerability in Internet Explorer (CVE-2013-3893). Security firm FireEye named the zero-day “Operation Deputy Dog”.
  • September 18, the website of the Honker Union, a major PRC hacktivist group, posted a message urging cyber-attacks on September 18 and listed about 270 Japanese entities as targets.
  • September 24, #OpLeakageJP announced by Japanese Anonymous member @4N0N_Lib3rt4 to protest nuclear power plant problems in Japan.
  • September 26, researchers at Kaspersky Lab release a report on Icefog, an APT believed to be a squad of hackers from China, Japan, and South Korea. Attacks dating back to 2011 hit a variety of targets in Japan and South Korea, from government agencies to strategic companies.
  • October 9, a second critical vulnerability is patched for Internet Explorer: Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3897). The exploit “was designed to target only Internet Explorer 8 on Windows XP for the Korean and Japanese language-based users.”
  • October 15, a criminal campaign uses Trojan Nemim, around since 2006, to gather data from the United States and Japan along with India and the United Kingdom.
  • November 5, physical protests dubbed the Million Mask March include only organizing action by Anonymous.
  • November 8, Anonymous begins organizing and promoting #OpKillingBay in connection with the annual dolphin hunt; the operation gains significant visibility by November 11. Distributed denial of service (DDoS) attacks were claimed by November 14 against various government agencies, with further attacks reportedly planned.
  • November 14, an exploit (CVE-2013-3893) is reported for Ichitaro, Japan’s most popular word processing software, and linked to a previously known Chinese group. The attacks reportedly “feature the same backdoor, identified as Backdoor.Vidgrab, that was spotted in an earlier attack exploiting the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893).”

We’ve summarized exploits associated with attacks on Japanese assets during this timeframe in a network graph, and you can see more about how this data can be leveraged using solutions such as Splunk in a recent webcast by Recorded Future.