A significant cybersecurity incident has been uncovered in Japan: the Japan Ground Self-Defense Force (JGSDF) unknowingly used USB drives infected with malware linked to China. The compromise reached computers connected to sensitive military networks and went unnoticed for nearly a year.
Unnoticed Breach Raises Alarm
The breach is particularly concerning because the military chose to withhold information even after discovering the threat. The infected USB drives were counterfeits manufactured in China and sold at far lower prices than genuine ones. They were distributed to JGSDF personnel during earthquake relief operations in central Japan in March 2024.
Despite routine security checks intended to scan external devices, the malware embedded in the drives evaded detection. The lapse was brought to light by Nikkei reporters who reviewed leaked military documents. Those documents tie the malware to a China-backed hacking group that a U.S. cybersecurity firm had previously identified.
Security Protocols Under Scrutiny
The infection was finally detected in February 2025, when a soldier in Itami, near Osaka, noticed his computer slowing down unusually. A scan turned up a virus that had been running covertly. By then more than 50 computers had been exposed, many of them handling classified information, including troop movements.
The aftermath of the discovery was almost as concerning as the breach itself. The JGSDF chose not to warn the public or issue a broader alert, even though the same counterfeit drives were being sold online and posed a risk to factories and research facilities across Japan.
Implications and Preventative Measures
The malware was designed to run automatically when the drive was plugged into a computer, with no user action required. Once running, it could covertly collect sensitive data, monitor user activity, or damage system software. An internal investigation found that six of the eight USB drives distributed during the earthquake relief contained the malware, pointing to a deliberate effort to evade military-grade detection tools.
Nikkei's extended reporting showed that the counterfeit drives had reached secure systems beyond the military, including factories and research sites nationwide. To prevent similar incidents, experts advise buying storage devices only from reputable vendors and validating every piece of removable media on an isolated system before it is connected to a network. Because the drives in this case passed the routine checks, a clean scan should not be treated as proof that a device is safe.
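One way to put the "validate removable media on an isolated system" advice into practice is a static triage pass that inventories every file on the mounted drive, records its hash, and flags the artifacts that have no business on a data-only drive handed to staff: autostart files, executables and scripts, disguised double extensions, and hidden files. The script below is an added example, not code from the Nikkei report or from any JGSDF tooling; the mount path, the flagged extensions and the sample drive contents are assumptions chosen for the demonstration, and the sample drive is constructed in a temporary directory so the script runs offline.

```python
"""Offline static triage of a removable drive before it touches a networked host.

Added example (not from the Nikkei report or from JGSDF tooling). The flagged
extensions, the mount path and the sample files are assumptions for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions that should not appear on a data-only drive given to staff (assumption).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1",
                       ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi"}
# Names Windows hosts consult automatically or use to alter how a folder is shown.
AUTOSTART_NAMES = {"autorun.inf", "desktop.ini"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_drive(mount: str) -> dict:
    """Walk a mounted drive read-only and return an inventory plus findings.

    Nothing on the drive is ever executed; files are only opened for hashing.
    A drive with no findings gets the verdict NO_FINDINGS, not CLEAN, because a
    static pass cannot prove absence of malware.
    """
    root = Path(mount)
    inventory = {}
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        inventory[rel] = sha256_of(path)
        name = path.name.lower()
        suffixes = [s.lower() for s in path.suffixes]
        if name in AUTOSTART_NAMES:
            findings.append((rel, "autostart/metadata file present"))
        if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
            if len(suffixes) >= 2:
                findings.append((rel, "double extension (disguised executable)"))
            else:
                findings.append((rel, "executable or script on a data drive"))
        if path.name.startswith("."):
            findings.append((rel, "hidden file"))
    verdict = "REJECT" if findings else "NO_FINDINGS"
    return {"files": inventory, "findings": findings, "verdict": verdict}


def build_sample_drive() -> str:
    """Construct a stand-in for a mounted drive (constructed sample data, not a real image)."""
    drive = Path(tempfile.mkdtemp(prefix="usbtriage_"))
    (drive / "relief_plan.docx").write_bytes(b"PK\x03\x04 constructed document stub")
    (drive / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (drive / "setup.exe").write_bytes(b"MZ constructed executable stub")
    (drive / "photos").mkdir()
    (drive / "photos" / "site.jpg.scr").write_bytes(b"MZ constructed screensaver stub")
    return str(drive)


if __name__ == "__main__":
    report = triage_drive(build_sample_drive())
    for rel, reason in report["findings"]:
        print(f"{reason:45s} {rel}")
    print("verdict:", report["verdict"])
```

Run it on the isolated triage machine against the drive's mount point instead of the constructed sample, and archive the returned inventory so the hashes can be compared against what later turns up on an infected host. A counterfeit-capacity check (writing and reading back the full advertised size) belongs in the same isolated workflow but is not shown here.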
The JGSDF confirmed the malware's presence at its Middle Army headquarters in February 2025 but refrained from broader public disclosure. The incident underscores how even seemingly innocuous hardware can become a vector for sophisticated cyber threats when security protocols are not strictly enforced.
