Most observers attribute the attack, which leveraged VPN and Microsoft 365 security holes, to state actors working for China.

The Japan Aerospace Exploration Agency (JAXA) has updated details about its October 2023 data breach and has confirmed that the attackers leveraged VPN and Microsoft 365 security holes. But the update noted that the attackers had “used multiple unknown malwares, making it difficult to detect the unauthorized access.”

JAXA also revealed that its cybersecurity defenses had not detected the attack during or after the incident, and that it learned of the assault “based on a notification from an external organization.”

“The attacker likely exploited a vulnerability in a VPN device to gain the initial access to JAXA’s internal servers and computers. It is highly likely that the previously announced vulnerability was exploited,” the space agency said. “Some information—including personal information of JAXA employees—stored on the compromised JAXA servers and computers may have been breached.”

The phrase “may have been” signals that JAXA officials are still not certain what was and was not accessed.

The agency also added a somewhat cryptic comment: “In the course of taking the above measures and strengthening monitoring, we have detected and responded to multiple unauthorized accesses to JAXA’s network since January of this year—including zero-day attacks—though no information was compromised.” The statement reveals that JAXA has been hit again since the initial attack, but that the agency believes it successfully fought off the subsequent attacks and prevented further data leakage.

JAXA has not said who the attackers were, but most cybersecurity observers are pointing the finger at state actors working for China.
“The fact that a space agency was targeted with a sophisticated complex attack indicates a state actor with goals to compromise data, not just gather intelligence or send a political message, with the lead suspect being a China affiliated cyber security private company of some sort,” said Irina Tsukerman, a geopolitical analyst and the president of Scarab Rising, a global strategy advisory firm.

“Such an attack is likely the work of either a state-backed independent hacker, possibly part of an intelligence gathering gang, whose methods could potentially be analyzed and compared to prior such attacks, or it could be attributed to a private cybersecurity company, most likely affiliated with China, in which case prior incidents could be harder to detect. The most interesting detail was the description of the attack and the fact that the attacker used several different types of malware and nevertheless went undetected. It indicates an unusually persistent and planned long term attack with an unusual level of complexity and stealth.”

Amiram Shachar, CEO at security vendor Upwind, said he found the particular pattern of this attack to be different from what he would have expected.

“The most surprising thing about the attack is the fact the attacker managed to access M365 through the on-prem environment and not the other way around. We usually see attackers attack the cloud first,” Shachar said.

He also saw a worrying pattern of leveraging security holes that will inevitably exist as enterprises transition from mostly on-prem to mostly cloud.

“Although VPN exploitation is something eastern APTs are quite known for, this attack used shared data and services between two environments to create even more damage. Modern services are sharing resources between on-premises and public cloud environments, allowing attackers to find more creative ways to perform privileged escalations and lateral movements,” Shachar said.
“This middle hybrid stage — when enterprises are transitioning slowly from on-prem servers to the cloud — is one of the most dangerous stages to be on as they are exposed to an even bigger range of risks in both environments.”