Japanese organizations hit in suspected China military hacks all used Skysea software

TOKYO, Apr 29, 2021, The Mainichi. It has emerged that the comprehensive information technology management tool Skysea was in use at all Japanese businesses and other entities affected by large-scale cyberattacks in 2016 and 2017 thought to have involved the China’s People’s Liberation Army, The Mainichi reported.

The link came to light in interviews with people connected to the issue. The Metropolitan Police Department’s (MPD) Public Security Bureau is investigating with a view that the software, sold only in Japan, was obtained by the Chinese military and analyzed for vulnerabilities to launch an attack.

According to the source, the attacks appear to have begun in June 2016, and took advantage of a vulnerability in Skysea. Sky, the Osaka-based firm that develops the software, announced it had implemented countermeasures about half a year later, in December.

But attacks targeting businesses and others yet to update the software reportedly continued into 2017. Sky has progressively updated its product since, and on April 21 it gave its view that “at present, almost all our customers are using versions with countermeasures in place.”

The Chinese hacking group Tick is believed to have taken part in the attacks; it reportedly has a high level of technical knowledge capable of discovering vulnerabilities developers have yet to realize exist. Until now there has been no clear picture of Tick, but the MPD’s Public Security Bureau has confirmed it is a subordinate to the People’s Liberation Army Strategic Support Force, which is responsible for cyberattacks, and that its members overlap with Unit 61419, who primarily target Japan and South Korea.

The attacks this time revealed the existence of individuals taking orders from military-connected personnel. In addition to a Chinese Communist Party member in his 30s who was referred in papers to Japanese prosecutors on suspicion of unauthorized creation and use of electronic or magnetic records, a former international student of Chinese citizenship also appears to have entered under a false name into the contract for the server used in the attack.

When interviewed by authorities during his visit to Japan, the former student reportedly said that he was introduced via an acquaintance to the wife of a member of Unit 61419, who lobbied him to “contribute to your country.” He said he was instructed to sign a contract for the server and purchase Japanese-made security software, among other actions.

In China, the contributions that individuals studying abroad make to their home country are evaluated using a points system, and it can reportedly have an effect on their ability to find a job upon returning home. Over a short period, the former student is said to have received numerous instructions via social media and email from the unit member’s wife, and he appears to have complied out of concern for his treatment when going back to China.

A specialist who was previously involved in the Japanese Ministry of Defense’s cyberattack prevention measures told the Mainichi Shimbun: “That’s China, using even students, scholars and other private citizens for information gathering. Around 2016 the targets weren’t especially settled, and any available information was stolen. The target that has come to light this time is probably just the tip of the iceberg.”

Chinese cyberattacks are thought to primarily aim at 10 fields including aviation and space. All the fields are among the key industries China intends to focus on as part of its 10-year development plan “Made in China 2025,” laid down in 2015, and some have claimed the Chinese government is involved in the attacks.

Masatoshi Sato, head of the national security research center at Cybersecurity firm LAC Co., emphasized: “For some years now espionage and cyberattacks have been carried out as one.” Methods have become increasingly sophisticated; where infiltrations used to be achieved by sending emails from unknown addresses with attached malware, there reportedly have been a remarkable number of cases recently involving people posing as individuals who victims have had face-to-face contact with, in which the perpetrators shared business-related information with them.

Sato said, “It’s impossible to completely block cyberattacks. By encrypting data when it’s saved, among other measures, companies should aim to have their information be unreadable even if it is leaked or exposed.”

(Japanese original by Buntaro Saito, Tokyo City News Department)