
Hitachi

Hitachi Systems SHIELD Security Research Center

Initial Disclosure Date: Jan 7, 2013
Latest Update: May 13, 2013

Cyber-attacks are suspected to have compromised computers at the Ministry of Agriculture, Forestry and Fisheries and forwarded over 3,000 documents overseas. The documents include more than twenty classified ones on the Trans-Pacific Partnership (TPP) negotiations, which the Japanese government is considering joining. The ministry first denied the possibility of an information leak. However, at a press conference on January 8, Minister Yoshimasa Hayashi declared that the ministry would reinvestigate the case by establishing a committee with third-party experts. On January 11, the ministry admitted that it had confirmed at least one communication which may have led to an information leak. The communication reportedly took place in October 2011, when Japan was attracting global attention over whether Tokyo would announce its final decision on joining the TPP negotiations at the APEC summit meeting in November 2011.

The culprit is believed to have stolen documents made by the ministry between October 2011 and April 2012, probably targeting information on the Asia-Pacific Economic Cooperation summit in November 2011 and the Japan-US summit meeting in April 2012. More than twenty of the documents are classified, such as Japan’s roadmap for joining the TPP talks and an analysis of the consequences of a scenario in which Japan defers its decision on whether to join them. They are categorized at the second of the three secrecy levels, which means that a leak may violate citizens’ rights or affect the government’s business.

Those classified documents were stored on the computers belonging to ministry officials in charge of international negotiations. However, the stolen data were gathered on a single computer and compressed in RAR format to make transmission easy. According to ministry sources, the culprit executed a "find" command to search for certain files or folders on the computers. Since the data was overwritten, the Japanese government has not found out when the searches began. At the least, the culprit conducted a series of searches in November 2011, before the APEC summit meeting was held. The culprit also seems to have remotely manipulated Trojan horse-infected computers to collect information on the ministry’s network and systems. According to the investigation by the ministry, a server that communicated with the compromised computer has a South Korean IP address, and the control screen used the Hangul alphabet.

The culprit used a program named HTran to transfer files. The same program was used in the cyber espionage against the Ministry of Finance between 2010 and 2011.

According to Yomiuri Shimbun, the hacking is believed to have led to the leak of at least a dozen documents prepared by the Ministry of Foreign Affairs (MOFA) between April 24th and 25th, 2012. They include drafts of the joint statement released after the summit meeting between Prime Minister Yoshihiko Noda and President Barack Obama on April 20, 2012, and drafts of the Prime Minister’s statement. The drafts of the joint statement appear to have been co-written by the MOFA and the U.S. government. The newspaper argues that the Ministry of Agriculture had not notified the MOFA of the possible leak even though the ministry realized the possibility by last summer. [1]

On January 11, 2013, the Ministry of Agriculture, Forestry and Fisheries established a committee to investigate the cyber-attacks, consisting of a university professor, a lawyer, and cybersecurity experts from private industry. One of the committee members is from Hitachi. The committee is asking for technical support from the Cyber Incident Mobile Assistant Team (CYMAT) under the National Information Security Center.

The ad-hoc committee held its first meeting on January 17. Given the nature of information security, it was a closed-door session except for the beginning, when the media was allowed to take some photos. The ministry and committee members agreed to follow the investigation policy below:

1) To investigate and analyze the infected computers and C&C traffic, following the advice of cybersecurity experts; and
2) To investigate whether the ministry responded to this incident appropriately, by conducting interviews and checking relevant documents and data.

Based on communication records, the committee will investigate which information was leaked and whether the ministry responded to this incident appropriately. The ministry plans to release the result of the investigation as soon as possible, after checking the content of the report from an information security perspective.

Sources:

  1. Yomiuri Shimbun, “Nosui-sho saiba kogeki, Gaimu-sho bunsho mo ryushutsu ka [Cyber-attacks on the Ministry of Agriculture, Forestry and Fisheries seems to have led to the leak of documents prepared by the Ministry of Foreign Affairs],” May 10, 2013,
    http://www.yomiuri.co.jp/net/news0/national/20130510-OYT1T00006.htm?from=ylist

