Last year, Rapid7 released research examining the security posture of the ASX 200 companies and came out with an in-depth look at the Japan threat landscape. We recently got to catch up with Rapid7’s Paul Prudhomme, principal security analyst and Japan Cyber Threat Landscape Report author.
Cyber Security Connect: Why is it important to conduct research into this specific region?
Paul Prudhomme: We did feel that the Asia-Pacific region in general needed more attention. Japan, in particular, I think has been a bit underserved by the security research that’s available, at least in English, especially when you consider how important Japan is – it’s the third-largest economy in the world.
So much of the English language security research is focused on the US, obviously, because a lot of the main vendors are American companies. But if you want to move outside of that sort of US-centric perspective – and a lot of the research has – where’s the most logical place to go next?
Well, OK – there’s China. But when we’re talking about China, you know, we’re really talking about them as a source of threats rather than a target of threats. And then the next big economy is Japan. So I think this is a good way to get out of that sort of US-centric perspective, getting into the Asia-Pacific markets, which again, just by virtue of the sheer size of [its] economy, really deserve better coverage in English.
And Japan, in particular, I think, is strategically important, not just for the size, but really for its global footprint. So many Japanese multinational companies, or global brands, are sort of very easily recognisable names all around the world. In fact, they’ve been so integrated into the world economy, you almost don’t think of them as Japanese, per se, except when you find out, “Oh, it’s Mitsubishi.” It’s so integrated into the world community that you almost don’t think of them as being Japanese.
But they are, which of course, raises the interesting wrinkle of Japanese companies getting hacked through their overseas subsidiaries. So for all those reasons, I think Japan ticks a lot of important boxes that need to be filled. And so here we are.
CSC: Are you finding that it’s a region that is getting disproportionately targeted?
Paul Prudhomme: I hesitate to use the word disproportionate, especially since I didn’t do quantitative methods, per se. But I will say it is sort of on the radar of a lot of different types of threats. Again, it’s just the size and strategic importance; but also, with state-sponsored threats in particular, out of the four countries in the world that we tend to focus on as the sources of state-sponsored threats, Japan is pretty close to three of them.
Japan has had one or another historic issue with each of those countries. And not just historically, but also for current reasons. Each of those three of the four heavy hitters is a state-sponsored threat and has its own special flavour of reason to take an interest in Japanese targets.
So it’s just sort of a perfect storm of threats, if you will. I think maybe that’s a better way to say it.
CSC: So you’re talking about China, North Korea, and Russia as state-sponsored threats. How do these countries differ in terms of their methods of cyber attack, as well as their motivations for attacking?
Paul Prudhomme: Quite a bit.
So let’s talk about motivations. First, in China, it’s really primarily about economic growth, particularly trying to get Japanese intellectual property. Since Japan has a lot of advanced technology and other intellectual property that they’ve developed, that would be very useful for Chinese companies to help them improve their competitive position in the world marketplace. And also, of course, competitive intelligence, trying to get a leg up on Japanese competitors and get themselves a better position in the marketplace. So economic development is really the priority there.
With North Korea, it’s not so much about economic development; it’s more about short-term, smash-and-grab financial gain, conducting criminal-type operations to raise revenue for the North Korean government, particularly outside of the traditional channels of conventional financial institutions, which is why they like cryptocurrency in particular so much, since they can move that around without having to worry about banks blocking them or closing their accounts and so on.
So we do see a lot of attacks on Japanese cryptocurrency exchanges in particular, as well as any other Japanese businesses that might be using cryptocurrency, along with the usual ransomware. And then also some of the large-scale bank fraud attacks that we’ve seen from North Korean actors in the past. So it is about money. But, in a different way – it’s more like a mugging.
And with the Russians, it seems to be more about the current and the political issues, specifically, Japan participating in the international response to the invasion of Ukraine with sanctions and other measures against Russia. So, now, the geopolitical and military and diplomatic factors also factor into the North Korean and Chinese attacks, as well, albeit to a lesser degree.
For example, you get something like … North Korea tests its ballistic missiles and fires them over Japan; there are people in Japan who pay very close attention to this. And lo and behold, there are people in North Korea whose job it is to conduct cyber espionage against those people in Japan, so they could keep an eye on how Japan handles the national security risks that North Korea poses. And then also, of course, we see this with Chinese actors as well, taking an interest in US domestic politics in particular. And also, of course, the issue of Taiwan, that looms very large in their mind as well.
CSC: Was state-sponsored hacking an issue prior to the conflict in Ukraine?
Paul Prudhomme: Yeah … Not that there was a whole lot, but there might be some passing references here and there in the literature, but there’s not really any one cohesive, sort of explanation behind it.
Keep in mind, this comes with a caveat that the Russians, out of those big four that we tend to focus on, are probably the toughest nut to crack, if you will. In other words, they’re probably the least transparent in their targeting motivations and their methods, and so on. So I don’t want to say no, but I will say that if it were not for the invasion of Ukraine, I would have found it harder to put together a coherent Russian section for this paper; let’s put it that way – it wouldn’t be any one thing that I could pin down.
Obviously, Russo-Japanese relations do have a fairly significant history to them, with both military and diplomatic issues, going back to the Russo-Japanese war in the early 20th century, and even the territorial dispute over islands to the north of Japan dating from the Second World War. So there have been issues. But specifically, Japan deciding to participate in the sanctions against Russia over the invasion of Ukraine – that seems to have precipitated and brought this issue front and centre. Whereas before, it might have been sort of more marginal.
CSC: Ransomware is one of the central themes of this report – how is ransomware being leveraged against Japanese companies? And did you encounter any surprises there?
Paul Prudhomme: So the most interesting thing I found is that manufacturing is probably the single most important target for ransomware attacks in Japan. Contrary to what you might see in other countries, where we tend to think of healthcare as the preferred target, there were some statistics from the Japanese National Police Agency suggesting basically one-third of all the ransomware incidents in Japan target manufacturing organisations, whereas healthcare was somewhere in the single digits – quite a bit lower.
Now, obviously, part of this is because manufacturing is such a huge part of the Japanese economy in general. But when you think about it, other than healthcare, manufacturing is probably another perfect target for ransomware operators, for a couple of reasons. One, you know, the sensitivity to downtime, if their whole business is to crank things out on an assembly line. And if there’s something that stops, and they can’t produce things, well, that’s kind of a problem.
The other issue is that it’s not so much that ransomware operators like manufacturing companies; it’s that ransomware might be the best way to monetise the breach of some manufacturing companies that might not have the type of data that is particularly useful for monetising an attack by selling it on forums. So if you have a manufacturer that has some really valuable intellectual property that you can make money off of that, and you wouldn’t necessarily need the ransom; but if it’s a company that makes widgets or ball bearings or something that isn’t particularly juicy content from a criminal perspective, there might just be things like the employee’s personal information, and bank account numbers, and so on, that you could sell. But if the data itself has relatively little resale value, you might be better off ransoming it rather than trying to sell it.
Again, it’s that sort of perfect storm of conditions that makes Japanese manufacturing, in particular, such a hotspot for ransomware activity.