Part 4 of a 5 part series
Part 1: So What is the Cyber Threat from China, Exactly?
Part 2: The Chinese Cyber Threat to the United States of America
Part 3: The CCP Cyber Threat to Taiwan
Written by Akemi Hosoya and Devon Hsiao
Since 2001, the Chinese Communist Party (CCP) has leveraged its cyber capabilities against Japan to conduct espionage against military and government targets. Their operations have been very successful and typically involve the exfiltration of government user credentials and sensitive government documents. However, since 2016, CCP espionage activities have shifted from short- to long-term operations involving stealing targeted critical information from networks and intrusions into government, economic, military, or critical private sector networks. The CCP has also successfully targeted private firms in the financial services, defense, and technology sectors. In addition, the CCP has attempted to disrupt and degrade Japan’s network capabilities in rarer, less successful instances. Therefore, Japan should focus on identifying current network vulnerabilities and fortifying government networks to avoid further government and military data exfiltration.
Chinese cyber operations against Japan have mainly targeted the military and government (69.2%). For example, the 2022 operation conducted by MirrorFace, a Chinese-speaking threat actor, targeted a Japanese political party in the run-up to the July Japanese House of Councilors election. Using spearphishing emails to load credential-stealing malware onto the computers of party members, MirrorFace was able to exfiltrate the victims’ credentials and steal documents and emails. Another significant espionage operation involved the theft of Tokyo policies and intelligence regarding North Korea’s nuclear weapons program.
The few cases of denial and degradation attempts by the CCP have targeted the government. For example, the two recorded incidents aimed at physical degradation of targets’ capabilities were in response to political developments in Japan, such as the Japanese government memorializing WWII and the capture of Chinese fishermen by Japanese authorities (relating to the Diaoyutai/Senkaku Islands disagreement). The single incident aimed at creating disruption involved a hack against the Japanese pension database.
On the other hand, when China acts to carry out espionage objectives, the incidents may also involve private industry. Private industry victims include companies in the financial services, high-tech, and media sectors, and the defense industry. For example, Mitsubishi Heavy Industries, Japan’s biggest weapons manufacturer, suffered a ransomware attack in 2011, and the Japanese cryptocurrency platform Coincheck suffered a $500 million hack in 2018.
Most successful Chinese operations involve Network Intrusion (61.5%), which is the use of unauthorized software to enter a victim’s network. The second most common type of attack is Network Infiltration (23.1%), which compels computers or networks to perform actions they would not typically do, such as deploying viruses or worms. Out of 13 total incidents logged between 2001 and 2019, the Dyadic Cyber Incident and Campaign Dataset classified only 3 as unsuccessful. Of these unsuccessful incidents, 2 were Denial of Service incidents (the only Denial of Service incidents recorded). The fact that the only two Denial of Service incidents were unsuccessful suggests either that the attackers are not as good at executing these types of attacks, or that Japanese entities are particularly good at defending against them. Overall, the CCP’s cyber operations against Japan have generally been very successful in achieving their objectives.
Regarding the severity of cyber incidents, the Dataset assigns incidents a score on a 1-10 scale where 1 is the least severe and 10 is the most severe. Overall, Chinese cyber incidents in Japan fall on the lower side of the severity scale, with scores of 2-4. Most recorded incidents have a score of 3, indicating that these incidents involve “stealing targeted critical information from one network.” Other incidents involve “widespread government, economic, military, or critical private sector network intrusion” (a score of 4) and “harassment, propaganda, denial, and disruption” (a score of 2).
In conclusion, the Dyadic Cyber Incident and Campaign Dataset indicates that CCP cyber operations in Japan since 2001 have mainly consisted of espionage, with a trend shifting away from short-term espionage towards long-term espionage. This espionage has mostly targeted the military and government, although the CCP has also targeted private industry, especially the financial, high-tech, and media sectors. These operations have successfully achieved their objectives but are generally low to moderately severe. The incidents mainly involve stealing targeted critical information such as corporate secrets, government user credentials, or political party documents. Long-term espionage operations may not be immediately detectable because their consequences may not surface until well into the future. Given that Chinese cyber operations targeting Japan have shifted towards long-term espionage, Japan needs to have systems in place that can detect abnormal network activity and catch such espionage in its early stages.
Sources:
Data from the DCID dataset, see https://gdil.org/so-what-is-the-cyber-threat-from-china-exactly/
Mitsubishi Heavy Industries: https://www.reuters.com/article/us-mitsubishiheavy-computer/japans-defense-industry-hit-by-its-first-cyber-attack-idUSTRE78I0EL20110919
Coincheck: https://www.coindesk.com/policy/2021/01/22/30-charged-in-japan-with-trading-96m-of-crypto-stolen-in-coincheck-hack/