print PRINT

SECURITY > Cybersecurity

Cyberattacks: Increase in attacks on Japan via Holland

  • August 18, 2020
  • , Nikkei , p. 12
  • JMH Translation

The Netherlands has emerged as a main originator of cyberattacks on Japan. Some 40% of attack-related communications received in Japan in February 2020 was from that nation, surpassing those from China and Russia. Behind this increase is the division of labor in cyberattacks. The Netherlands has become a center for “scanning” activities, which ferret out corporate vulnerabilities, and this has contributed to the increase in attacks.


In August 2019, Masaki Kubo, a senior research engineer at the National Institute of Information and Communications Technology (NICT), couldn’t believe his eyes. It was the first time in the history of NICT’s cyberattack monitoring that cyberattack-related communications from the Netherlands jumped to the top of the list. Kubo has been recording increases and decreases in communications aimed at Japan for about five years. Attack-related communications originating in the Netherlands have increased since that time, with attacks from that nation accounting for 40% of all attacks on Japan from across the world in February 2020.


China’s fading presence


Until around 2017, China and Russia were frequently at the top of the list. Attacks used to be conducted via malware, which was often distributed indiscriminately to infiltrate companies and government agencies.


This used to be the generally accepted view on cyberattacks. The situation has changed dramatically, however. According to the NICT, the number of attack-related communications targeting Japan has increased, but the presence of China and other countries has decreased. The number of “targeted attacks” on companies has increased in the meantime. This is why the Netherlands has emerged so rapidly.


A successful targeted attack follows a three-step process.


The first step is “scanning.” Scanning investigates the management status of devices and passwords used by corporate systems, etc. via the Internet. By sending out a specific signal and analyzing responses, hackers can figure out companies’ security vulnerabilities.


The information obtained from scanning is “bought and sold” on the online black market. This is the second step. Vulnerability information on the video-conferencing software Zoom can be traded for tens of millions of yen.


Using the vulnerability information obtained, criminal groups move to the third stage of “attack.” NICT’s Kubo says, “It’s very likely that some countries are secretly carrying out pre-attack scans by sending them through the Netherlands.”


The act of scanning itself is not illegal. However, a large number of scans can overload a network, so many domestic server rental companies “regulate large-scale scans as a nuisance and stop communications as soon as they are detected” (according to GMO Internet, Inc.).


The increase in cyberattacks originating from the Netherlands is due to the presence of several server rental companies called “bulletproof hosting.” Such companies were so named because they did not give in to pressure from investigative authorities and did not easily provide the content of their communications. Bulletproof hosting was originally used by human rights activists and others under dictatorial regimes, but the secrecy of the system has attracted the attention of criminal groups, who are now exploiting it.


Once they are under investigation, bulletproof hosting moves to another country.


Authorities are not leaving any stone unturned. The temporary decrease in communications from the Netherlands since March is believed to have been due to the crackdown. In response to a media inquiry, the Netherlands Embassy in Tokyo said that it is unable to answer the question.


“As soon as they [bulletproofing hosting] are exposed, they move to another country,” explained Kimiya Kimura of NEC’s Cyber Security Strategy Division. “There are many rental companies, including those in Japan, that allow potentially shady usage for financial purposes.”


According to U.S. research firm Grand View Research, the global server rental-related market was worth $56.7 billion (about 6 trillion yen) in 2019. The market is expected to grow at about 15% a year in 2020 and beyond, but small businesses will suffer as the market share increases of cloud giants, such as in the U.S. and others.


Companies’ defensive measures are inadequate [in the face of scanning]. According to a survey released in May by U.S. security giant FireEye, 54% of companies missed scanning activities that mimicked an attack [in a simulated cyberattack]. Scanning is a precursor to an attack. Quickly detecting the signs of attack and preparing for it are important in protecting companies as the division of labor in cyberattack increase.

  • Ambassador
  • Ukraine
  • COVID-19
  • Trending Japan