Japan’s Ground Self-Defense Force (JGSDF) has been compromised by malware-infected USB drives, leading to a significant cybersecurity breach. The infected devices, counterfeit USB flash drives manufactured in China, were distributed during relief operations following a major earthquake in central Japan in March 2024. These drives were sold at prices significantly lower than genuine products, making them an attractive option during the relief efforts.
Despite established security protocols requiring routine scans of all external storage devices, the malware embedded in these counterfeit drives went undetected. The infection remained unnoticed until February 2025, when a soldier in Itami, near Osaka, observed unusual sluggishness in his computer’s performance. Subsequent scans revealed a virus operating covertly in the background. By that time, over 50 computers had connected to the infected drives, nearly half of which handled classified information, including sensitive details on troop movements.
Investigations revealed that the malware matched a strain previously documented by a U.S. cybersecurity company as linked to a China-backed hacking group. This suggests a targeted attack aimed at infiltrating Japan’s military networks. The malware was designed to execute automatically upon insertion of the USB stick, requiring no additional action from the user. Once active, it could steal sensitive data, monitor user activity, or corrupt system software.
Internal reviews indicated that six out of eight USB drives distributed during the 2024 earthquake relief effort contained the same malware. The virus’s ability to evade multiple mandated security scans suggests it was specifically designed to bypass standard detection tools common in military environments, pointing to a sophisticated and well-resourced threat actor.
Compounding the issue, the JGSDF chose to keep the incident internal, refraining from alerting the public or issuing broader warnings. This decision has drawn sharp criticism, especially since similar counterfeit drives were still being sold online and had already spread to factories and research institutions across Japan, creating a wider risk beyond the military.
This incident underscores the critical importance of stringent cybersecurity measures and the need for constant vigilance. The use of counterfeit hardware poses significant risks, and organizations must ensure that all devices, especially those connected to sensitive networks, are sourced from reputable manufacturers and undergo thorough security checks. Additionally, transparency in disclosing breaches is essential to mitigate potential widespread impacts and to maintain public trust.
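One concrete form the "thorough security checks" recommendation can take is a removable-media audit: every USB storage attach event is compared against an allowlist of devices the organisation actually issued, and drives that claim a known vendor's name but carry an unregistered vendor ID are flagged as possible counterfeits. The following is an added example written for this page, not code from the article or from any JGSDF system; the `host=... vid=... pid=... serial=... vendor="..."` log format, the host names, the device IDs and serials, and the allowlist contents are all constructed for the example.

```python
"""Removable-media allowlist audit (added example; all data constructed).

Assumed input: one key=value log line per event, emitted by a hypothetical
endpoint agent when a USB storage device is attached. The allowlist maps
(vendor ID, product ID, serial) of each organisation-issued drive to the
vendor string it is expected to report.
"""
from dataclasses import dataclass
import re

# Constructed sample log; host names, IDs and serials are made up.
SAMPLE_LOG = """\
2025-02-10T09:12:03Z host=ws-itami-07 event=usb_storage_attached vid=0781 pid=5583 serial=4C530001230512117221 vendor="SanDisk"
2025-02-10T09:40:51Z host=ws-itami-12 event=usb_storage_attached vid=090c pid=1000 serial=00000000000000000001 vendor="SanDisk"
2025-02-10T10:05:17Z host=ws-itami-03 event=usb_storage_attached vid=0781 pid=5583 serial=4C530001230512117221 vendor="SanDisk"
2025-02-10T10:22:44Z host=ws-itami-12 event=usb_storage_attached vid=abcd pid=1234 serial=FFFFFFFF vendor="Generic"
2025-02-10T10:30:00Z host=ws-itami-09 event=user_logon user=jdoe
"""

# Constructed allowlist: (vid, pid, serial) -> vendor string the drive should report.
ALLOWLIST = {
    ("0781", "5583", "4C530001230512117221"): "SanDisk",
}

# Hypothetical log line layout; only usb_storage_attached events are parsed.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=usb_storage_attached '
    r'vid=(?P<vid>[0-9a-fA-F]{4}) pid=(?P<pid>[0-9a-fA-F]{4}) '
    r'serial=(?P<serial>\S+) vendor="(?P<vendor>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    host: str
    vid: str
    pid: str
    serial: str
    reason: str


def parse_events(log_text):
    """Return one dict per usb_storage_attached line; other events are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["vid"] = ev["vid"].lower()   # normalise hex so lookups are case-insensitive
            ev["pid"] = ev["pid"].lower()
            events.append(ev)
    return events


def audit(log_text, allowlist=ALLOWLIST):
    """Flag attached drives that are not organisation-issued.

    A drive that is not on the allowlist but reports the name of a vendor
    the allowlist does know, under a vendor ID never registered for that
    vendor, gets an extra 'possible counterfeit' note: that is the pattern
    of a cheap knock-off imitating a brand-name product.
    """
    # Which vendor IDs the allowlist has seen for each genuine vendor name.
    known_vendor_ids = {}
    for (vid, _pid, _serial), vendor in allowlist.items():
        known_vendor_ids.setdefault(vendor, set()).add(vid)

    findings = []
    for ev in parse_events(log_text):
        key = (ev["vid"], ev["pid"], ev["serial"])
        if key in allowlist:
            if allowlist[key] != ev["vendor"]:
                findings.append(Finding(ev["host"], ev["vid"], ev["pid"], ev["serial"],
                                        "registered device reports unexpected vendor string"))
            continue
        reason = "not on allowlist"
        registered = known_vendor_ids.get(ev["vendor"])
        if registered is not None and ev["vid"] not in registered:
            reason += (f"; reports vendor '{ev['vendor']}' but vendor ID {ev['vid']} "
                       "is not registered for that vendor (possible counterfeit)")
        findings.append(Finding(ev["host"], ev["vid"], ev["pid"], ev["serial"], reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.host}: {f.vid}:{f.pid} serial={f.serial} -> {f.reason}")
```

Run against the constructed log, the audit passes the two attaches of the issued SanDisk drive, flags the second host's drive that reports "SanDisk" under an unregistered vendor ID as a possible counterfeit, and flags the generic drive simply as not on the allowlist. In practice the allowlist would be populated at procurement time, which is exactly the control that cut-price relief-period purchases bypass, and findings would feed the same scan-and-quarantine workflow the article says was mandated.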