TOKYO — Overseas hackers are thought to have made off with information on Japan’s maritime strategy in a March attack on specific people at national universities, which a Nikkei survey has found to be growing targets for their relatively lax security and sensitive knowledge.
An attacker posing as a Cabinet Office staffer attached to a government council on ocean policy emailed malware-laced files to professors at targets including the prestigious University of Tokyo and the Kyushu Institute of Technology. At least one apparently took the bait and opened a file, making possible the theft of information.
The council was formulating Japan’s basic plan on ocean policy, which guides the nation’s defense of outlying islands and development of maritime resources. It also includes representatives from the Self-Defense Forces; the Japan Business Federation lobby, or Keidanren; and heavy machinery builder IHI.
A China-based hacking group is suspected of playing a part in the attack. There are concerns that the incident could prompt further attacks using fraudulent information and targeting core government institutions.
Overseas groups appear to be increasingly attacking specific targets at Japanese national universities, which work closely with businesses and government but tend to have weaker security, the Nikkei survey suggests. The universities are counted on to improve the country’s overall research capabilities. They also receive more in subsidies than private universities and fall under freedom-of-information legislation.
Nikkei conducted the survey with Nikkei xTech, a specialist site under Nikkei Business Publications. Of 82 schools contacted, 48 answered, for a response rate of around 60%.
Recently, cyberattacks have tended to start from a weak point of entry and then broaden, said Kaoru Hayashi, an analyst at U.S. cybersecurity company Palo Alto Networks. Japanese universities are seen as weak points in the system compared with businesses and government, Hayashi said.
In a 2016 wave of attacks apparently aimed at stealing money, 40% of Japan’s national universities were infected, according to Motohiko Sato, senior security analyst at trading house Itochu. At publicly traded companies, just 0.1% were infected. Universities are increasingly sharing large volumes of data with businesses in joint research and other broad digital partnerships, leading to spreading fears that even tightly guarded companies could lose information through less-guarded schools.
The Ministry of Education, Culture, Sports, Science and Technology is also wary of further attacks like one in 2016 involving the theft of sensitive research materials, including some related to treating contaminated water from nuclear facilities, from the Hydrogen Isotope Research Center at the University of Toyama. The school works with businesses and nuclear fusion research institutions, and the stolen data included external researchers’ personal information as well as the results of their studies.
Recognizing the severity of the situation, the government in July made universities a key point in its cybersecurity strategy. But it left implementing countermeasures up to the schools.
Inadequate budgets were cited as an issue at 79% of the surveyed national universities. Subsidies for such schools’ operating expenses came to 1.09 trillion yen ($9.74 billion) for fiscal 2018 — down 12% from fiscal 2004. Even within schools, competition for funding can be fierce. For the University of Tokyo, which has 43 departments, “individual departments traditionally hold great authority, and negotiating solutions for the entire university would be difficult and time-consuming,” an official said.
Nearly half of the schools surveyed said faculty were insufficiently sensitive to threats. Staffers at a Tokyo national university apparently resisted efforts to manage them on the cybersecurity front, using external servers without permission or failing to report additions of new devices.
Instructors “cite academic freedom as an excuse for their dislike of being managed,” so security measures “can’t be enforced,” according to an official at the school.
More than 10% of the surveyed national universities said they had not suffered attacks. But it is unlikely that they were not hit at all, the education ministry warns, citing the possibility of harm that went undetected. Administrators at Japanese universities appear to be not yet fully alert to the growing threat of cyberattacks amid the spread of the data economy.