Security researchers say that a group of hackers has been targeting key Japanese infrastructure and commercial interests for over five years, and that, despite the broad range of attacks conducted, the campaign has gone largely undocumented.
Researchers from Cylance, a security software provider that uses artificial intelligence and machine learning to identify and block malware and cyberattacks, have published a report entitled "Operation Dust Storm" with evidence that the group has been infiltrating critical Japanese infrastructure, including electric utilities, oil and gas, transportation, construction and finance companies, and successfully gathering sensitive data about Japan since 2010.
But that's not all. To gather data specifically on Japanese resources and infrastructure, the hackers have also successfully attacked companies in the US, Europe, South Korea and several south-east Asian countries, using those footholds to reach data about the Japanese subdivisions of larger foreign organisations.
The group uses a variety of attacks and techniques, including custom backdoors and zero-day exploits, as well as watering-hole attacks and spear phishing, to breach Android mobile devices and corporate networks running Windows. This shows that it is well organised and clearly well funded, so the researchers think it is likely connected to a nation state that is keen to keep tabs on Japan.
Cylance also notes that the hackers are using customised malware clearly designed to fulfil a set purpose, such as an S-Type backdoor variant found in 2015 that had been built specifically to compromise the investment arm of a major Japanese automobile manufacturer. Interestingly, that attack occurred just two weeks before a Japanese automobile union called for strike action to achieve a monthly raise of 6,000 yen.
"Since 2010, a threat group with considerable resources has been using various exploits to attack commercial interests around the globe, with a specific focus on Japan," said Jon Miller, Cylance's vice president of strategy.
"Whereas early activity by the group showed less sophistication and a broader set of targets, Spear's current research indicates the group's present focus has shifted specifically and exclusively to Japanese companies or Japanese subdivisions of larger foreign, multinational corporations.
"The group has also shown an ability to exploit Android-based mobile devices, illustrating that these types of attacks are more prevalent in the mobile-centric business cultures in Asia. The campaign continues to this day."
From their analysis of the attacks used and the data accessed, the researchers have concluded that the prime motive is long-term data theft and exfiltration, and that it is unlikely to stop any time soon.