Chinese Hackers Attack Japan: Experts Call for Democratic Nations to Collaborate in Prevention

In recent years, the hacker groups controlled by the Chinese Communist Party have continued to launch attacks on Japan’s defense, aerospace, and other fields, stealing a large amount of confidential information. The Japanese police recently disclosed the latest situation of Chinese Communist hackers stealing secrets. Experts suggest strengthening cooperation among democratic countries and enacting relevant laws to curb China’s espionage activities.

On January 8, the Japanese National Police Agency announced that the hacker group “Mirror” had conducted 210 cyber attacks on Japan from 2019 to 2024, with the goal of obtaining Japan’s defense and advanced technology information. According to Japanese police officials, based on the targets and methods of the attacks, these attacks are suspected to be related to the Chinese government. The targeted institutions include the Japan Aerospace Exploration Agency (JAXA), which was attacked by hackers in 2023, resulting in information leaks.

Additionally, the targeted entities include officials from Japan’s Ministry of Defense and Ministry of Foreign Affairs, think tanks, politicians, journalists, as well as private companies with advanced technology. The investigative departments of the Japanese National Police Agency, along with local police forces, found that the malicious software used by “Mirror” was similar to that used by the Chinese state-sponsored hacking group “APT10”. The targeted areas were of interest to China, and the attacks took place during China’s working hours and not during long holidays. After comprehensive analysis, the Japanese National Police Agency believes this is suspected organized crime supported by the Chinese government.

According to descriptions from the Japanese National Police Agency, the modus operandi of “Mirror” involves sending emails that impersonate internal personnel and infecting computers with malicious software to access data. This method primarily targets government officials, think tanks, politicians, and journalists, with a focus on security fields. Furthermore, Chinese hackers also target Japanese companies and research institutions, exploiting system vulnerabilities to infiltrate internal networks and steal advanced technology in related fields.

According to the cybersecurity consulting website Hacker News, “Mirror”, also known as “Earth Kasha”, is a Chinese government-supported hacker organization that targets institutions as well as specific individuals. In a report last year, Hacker News stated that Earth Kasha was a highly active organization, launching attacks on organizations in Japan, Taiwan, India, and even Europe through vulnerabilities in network products such as Array AG, ProSelf, and FortiNet. The organization was found using SoftEther VPN (an open-source VPN) to bypass the target’s firewall for intrusion.

The bulletin released by the Japanese National Police Agency on January 8 showed that the Chinese hackers’ cyber attacks in Japan were divided into three stages. The first stage from December 2019 to July 2023 involved 107 confirmed cases of attacks on government institutions, think tanks, and media, using email attachments with malicious software to infect computers.

The second stage, from February to October 2023, involved 37 cases targeting the semiconductor, manufacturing, telecommunications, aviation, and academic sectors, leveraging VPN vulnerabilities or acquired authentication information to infiltrate the networks of companies and organizations.

The third stage starting from June 2024 primarily aimed at Japan’s academia, politicians, media organizations, and individuals, sending emails with malicious software download links to infect computers and steal intelligence. In this round of cyber attacks, the Mars satellite exploration plan (MMX plan) of JAXA was suspected of being stolen by hackers.

In this attack, the hackers exploited VPN vulnerabilities to penetrate the central server, stole approximately 200 employee accounts from the “Microsoft365” cloud services used by JAXA, and repeatedly gained illegal access. Traces of the stolen data revealed that Chinese hackers attacked intermittently from 2023 to 2024, and it is estimated that more than 10,000 files were stolen, including highly confidential information related to the MMX plan and the manned lunar exploration plan. Information provided to JAXA by NASA, Toyota, and the Japan Ministry of Defense was also suspected to be stolen.

Due to information security considerations, JAXA avoided publicly disclosing specific details of the theft. According to the MMX plan, the goal of the Japan Aerospace Exploration Agency is to launch an unmanned probe by 2026, landing on the Martian satellite Phobos, with the aim of achieving the first successful return of Mars samples to Earth. The main purpose of this plan is to unravel the mysteries of the formation of the solar system and acquire foundational technologies for future manned exploration. China also plans to explore Mars but lags behind Japan in research and technology.

Professor Lin Zongnan of National Taiwan University, an expert in cybersecurity, told Epoch Times that for China, stealing valuable information from the West through hackers is very cost-effective. China has cultivated a large number of state-level hackers who conduct espionage through various hacker organizations in different fields.

Su Ziyun, a director at the Taiwan Institute for National Defense Strategic Studies, stated, “The Chinese Communist Party has always seen cyberspace as a new source of intelligence, including for US defense suppliers. During Trump’s first term, it was found that a lot of confidential designs were stolen by China, including designs for the F35 fighter jet. In Western terms, this is known as advanced network hacking (APT).”

On July 5, 2024, JAXA announced that the organization had been subjected to cyber attacks leading to information leaks. In October 2023, JAXA discovered unauthorized access to some servers of its internal intranet services, confirming the leakage of some information managed by JAXA.

According to Japan’s 2024 Defense White Paper, the Chinese military’s cyber warfare unit evolved from the original Strategic Support Force. Before 2024, the Strategic Support Force had 175,000 personnel, with approximately 30,000 in the cyber attack unit.

The Defense White Paper mentioned that China’s military cyber unit frequently targets foreign adversaries for technical theft and surveillance in cyberspace. It also introduced some responses and countermeasures by countries like the US, UK, and Japan against Chinese hacker activities in 2023.

Su Ziyun mentioned that around 2016-2017, the headquarters of the suspected People’s Liberation Army hacker organization in Shanghai was exposed. Its characteristics included an organized mode of operation, adept technical skills, operating as civilian hackers, and not only stealing foreign secrets but also conducting ransomware attacks.

In August 2023, The Washington Post reported that Chinese military hackers breached Japan’s computer systems handling defense secrets. The US National Security Agency (NSA) discovered this in the autumn of 2020 and warned the Japanese government of the severe circumstances. If Japan did not strengthen cybersecurity measures, information sharing between Japan and the US could be impeded.

The directors of the NSA and the Deputy Assistant to the US President for National Security Affairs took these matters very seriously and immediately went to Japan, urging the Japanese government to take action. When the Japanese Defense Minister at the time received the alert, it was reported to the Japanese Prime Minister.

The continuing intrusion of hackers into Japan’s government systems was believed to aim to obtain information on Japan’s Self-Defense Forces’ defense plans, capabilities, and vulnerability assessments. A former senior US military official described the hacking intrusion as “shockingly bad.”

However, then Japanese Defense Minister Yasukazu Hamada stated that no classified information held by the Ministry of Defense had leaked in the cyber attacks and avoided discussing whether a hacking attack had occurred.

To counter the cyber attacks from the Chinese military, the Japan Self-Defense Forces established a cybersecurity defense unit in March 2022, monitoring information and communication networks round the clock to combat cyber attacks.

During the “2+2” meeting between Japan and the US in January 2023 and the Defense Ministerial meeting in October 2023, both countries agreed to enhance cooperation in the cyber domain based on existing collaboration.

Lin Zongnan emphasized that information systems play a critical role in today’s era. Therefore, Chinese hackers systematically steal valuable confidential information. “Many times they steal personal information from people through social media, which is part of China’s unrestricted warfare.”

With technological advancements, especially in the field of artificial intelligence, hacking techniques for espionage have rapidly evolved. Therefore, it is crucial for Japan, the US, and Western countries to prevent and halt Chinese hacking activities.

In response, Su Ziyun emphasized that cooperation among democratic countries is crucial, including closer exchange of information. Furthermore, democratic countries should revise their legal systems to address digital propaganda, hacking attacks, and intelligence theft, stating that “under the principle of freedom of speech, there needs to be clearer regulations on these illegal cyber actions. Only then can we effectively cooperate, prevent, and deter, to prevent authoritarian countries from threatening democracies. This is the most important principle.”