Initial Disclosure Date: Jul 10, 2013

On April 18, 2013, the Japan Aerospace Exploration Agency (JAXA) found out that somebody had hacked into a server connected to the Internet during its periodic inspection. ^(footnote:1)

According to a press release by the JAXA dated July 2nd, the culprit hacked into five information systems between April 13th and 22nd, using a legitimate ID and password. As a result, the attacker stole technical information on the Japanese Experiment Module KIBO and H-II Transfer Vehicle KONOTORI for the International Space Station as well as email addresses of JAXA officials. ^(footnote:2)

After April 13th, brute force attacks were launched against the information system of a JAXA section that runs KIBO via China and the United States. ^(footnote:3) They successfully stole some information, which includes an ID and a password of a JAXA official. The culprit used them to hack into the other four information systems. ^(footnote:4)

The JAXA decided to reconstruct the information system for KIBO and KONOTORI to prevent this type of incident. The Agency will also introduce a multi-layered security system, enhance their information security, and provide information security education with their officials. ^(footnote:5)

While the 2013 incident used brute force attacks, a 2011 incident against the JAXA used a business card of a JAXA official to send a phishing email. In March 2011 right after the Great East Japan Earthquake, an official who works at the JAXA Tsukuba Space Center received an email named “Flash Report on the Earthquake.” He immediately opened the attached PDF file and ended up with malware infection. ^(footnote:6)

In fact, the black market is growing to deal with business cards of researchers who work at a major company or research institute, which is often targeted by Advanced Persistent Threats. Yet, since the Japanese government decreases funding for researches, scholars have to hand out a lot of business cards to sell their name and research. This situation makes it difficult for them to give up putting their email address on their business card. ^(footnote:7)

Sources:

1. JAXA, “Press Release: JAXA no saba ni taisuru gaibu kara no husei akusesu nit suite [Press Release: hacking into the JAXA server],” April 23, 2013,
   http://www.jaxa.jp/press/2013/04/20130423_security_j.html
2. JAXA, “Press Release: JAXA no saba ni taisuru gaibu kara no husei akusesu ni kansuru chosa kekka nit suite [Press Release: results of the investigation regarding the hacking into the JAXA server],” July 2, 2013,
   http://www.jaxa.jp/press/2013/07/20130702_security_j.html
3. Kyodo News, “Pasuwado more ga joho ryushutsu genin ka JAXA chosa kekka [JAXA’s investigation results: the theft of a password led to information leak?],” July 2, 2013,
   http://www.nikkei.com/article/DGXNASDG02047_S3A700C1CC1000/
4. Internet Watch, “JAXA husei akusesu no chosa kekka hokan shiteita shokuin no ID pasuwado joho ryushutsu mo [JAXA’s investigation results: theft of IDs and passwords of JAXA officials],” July 2, 2013,
   http://internet.watch.impress.co.jp/docs/news/20130702_606061.html
5. JAXA, “Press Release: JAXA no saba ni taisuru gaibu kara no husei akusesu ni kansuru chosa kekka nit suite [Press Release: results of the investigation regarding the hacking into the JAXA server],” July 2, 2013,
   http://www.jaxa.jp/press/2013/07/20130702_security_j.html
6. SankeiBiz, “Saiba wozu saizensen no katto (2)] Meishi ura torihiki nerawareru kenkyusha [Cyber Wars  front-line struggles (2): black market of researchers’ business cards],” May 23, 2013,
   http://www.sankeibiz.jp/business/news/130523/bsj1305230502000-n1.htm
   http://www.sankeibiz.jp/business/news/130523/bsj1305230502000-n2.htm
7. SankeiBiz, “Saiba wozu saizensen no katto (2)] Meishi ura torihiki nerawareru kenkyusha [Cyber Wars  front-line struggles (2): black market of researchers’ business cards],” May 23, 2013,
   http://www.sankeibiz.jp/business/news/130523/bsj1305230502000-n1.htm
   http://www.sankeibiz.jp/business/news/130523/bsj1305230502000-n2.htm

• * Each company name, an organization name, and a brand name are a trade name of each company and each organization, or a registered trademark.