TOKYO — Usually a mundane affair, the weekly news conference by the National Public Safety Commission caused a stir recently among the global cybersecurity community after police chief Mitsuhiro Matsumoto officially identified China as responsible for a cyberattack on Japan.
Since then the National Police Agency has been deluged with inquiries from foreign governments and media organizations about the claim.
Two days before the April 22 news conference, the Tokyo Metropolitan Police Department filed a case against a Chinese systems engineer, who is also a member of the Chinese Communist Party, for allegedly taking part in cyberattacks that targeted the Japan Aerospace Exploration Agency (JAXA) and 200 other Japanese companies and research institutions in 2016 and 2017.
The suspect, who has already fled Japan, used a fake ID to register a web server in the country for cyberattacks against JAXA, according to Tokyo police, which also pointed out the likelihood that China’s People’s Liberation Army was involved in the far-reaching cyberattack.
Matsumoto, commissioner-general of the police agency, said during the conference that a Chinese hacker group called Tick carried out the attacks. “It’s highly likely that the PLA’s Unit 61419 — a strategic support unit operating from the Chinese city of Qingdao in Shandong Province — was involved in the cyber espionage.”
The police chief said authorities are continuing to investigate.
National Police Agency Commissioner-General Mitsuhiro Matsumoto spoke at an April 23 meeting in Tokyo of senior police officers from across the nation.
Tracking and ultimately identifying the source of cyberattacks, a process known as cyber attribution, is a complex and challenging task, especially when nations are involved. It requires layers of technical and strategic investigative work. This critical step — done to formulate a national response to attacks — involves painstaking work by security analysts to collect shreds of evidence and build precise timelines.
But what is the point? Even if efforts succeed in identifying bad actors, whether governments or organizations, the culprits rarely own up to their deeds. Beijing has vehemently denied Japan’s allegations concerning the JAXA attacks. Chinese Foreign Ministry spokesperson Wang Wenbin went so far as to say, “China is firmly opposed to any country or institution [using allegations of] cyberattacks to throw mud at China.”
Even if in the presence of incorruptible evidence, there is little chance of bringing to justice culpable foreign nationals operating overseas.
But that does not make cyber attribution pointless. Since it is not a formal criminal procedure, it lets a government demonstrate its cybersecurity chops without disclosing sensitive information about the investigation or presenting court-worthy evidence. Cyber attribution can be used to “name and shame” in the hope of deterring future cyberattacks, or to lay the legal groundwork for sanctions against alleged perpetrators.
Cyber attribution by a government usually attracts requests from allies for more information. This leads to better multinational cooperation, which enhances the collective ability to counter cyberattacks.
Still, Matsumoto played down the strategic implications of Tokyo’s unusual move, saying, “I only talked about what was revealed by the investigation.”
In an apparent response to Wang’s remarks that probes into cyber incidents should be based on credible evidence, Matsumoto said that his agency had the evidence, including testimonies of the suspects and other parties involved.
Matsumoto’s words are likely a sign that a war of nerves is going on between Beijing and Tokyo. Beijing has not made any further official response to the announcement.
Meanwhile, Tokyo Metropolitan Police are still looking into the case as the government tries to uncover more evidence that supports its claim that Japanese assets were targeted.
Tokyo’s task is challenging, especially when faced with a state actor willing to pour massive human and financial resources into such operations.
Japan blamed the 2017 WannaCry ransomware attack on North Korea. The chief cabinet secretary at the time said North Korea was behind the worldwide cyberattack. But Tokyo’s claim was based on information provided by the U.S. and other countries, not its own investigation.
In 2015, the Japan Pension Service was hit by a cyberattack that led to a massive information breach, with more than 1 million names and pension identification numbers leaked, some accompanied by birthdates and addresses. Tokyo Metropolitan Police investigated the attack, analyzing the malware used and where data was sent. The probe produced evidence that showed servers in China were used. But since there was no conclusive proof that Beijing was involved, Tokyo stopped short of claiming the attack was state-sponsored.
In 2015 the Japan Pension Service suffered a massive information security breach, a sign of growing threats posed by cyberattacks.
This time, better forensics by Tokyo police gave the Japanese government license to blame Beijing.
The police first discovered a suspicious server and then began monitoring it, eventually detecting a cyberattack against JAXA. It found that the attacker was trying to exploit a vulnerability in the security software used by the space agency and advised companies facing similar attacks to take defensive measures. The department then identified the Chinese man who had rented the server and questioned him.
The success of the investigation was a product of well-coordinated online and real-world operations.
The U.S. is far more aggressive in its cyber attribution efforts, such as using viruses to take over computers used by cybercriminals, according to security officials. But Japan’s justice system does not allow such operations, which could lead to criminal charges against law enforcement officers involved.
But the threat of global cyberattacks continues to grow while the law sometimes lags behind. This makes it imperative for Japan to enact legislation and develop new investigative tools to track down cyber suspects.
Attribution efforts benefit from the collaboration of law-enforcement authorities and other entities. The National Center of Incident Readiness and Strategy for Cybersecurity, which should lead in this matter, along with the Defense Ministry, must work with the private sector and research institutes to help tackle this problem.
The Cabinet Intelligence and Research Office and the Foreign Affairs Ministry also have important roles to play in ensuring collaboration with foreign governments and organizations, which is critical to successful cyber attribution.
