Cyber Incident Victim: Government of Japan

Date:

Jan 2014

Location:

Japan

Summary

Advanced persistent threat groups, including APT17 and Bronze Butler, conducted multiyear campaigns exploiting zero-day vulnerabilities in region-specific Japanese software to infiltrate government agencies and vertical-industry organizations. Attackers delivered spearphishing emails carrying malicious documents that targeted the Sanshiro spreadsheet, the Ichitaro word processor, and the SkySea Client View asset-management tool, leading to the installation of PlugX, Emdivi, Agtid, NodeRAT, and Wali malware for remote access, lateral movement, and data exfiltration. The threat actors deliberately leveraged niche software with limited security oversight to bypass defenses, demonstrating a persistent focus on compromising networks through less-monitored attack surfaces.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors (type and location available to members)

Description

Between 2014 and 2019, multiple advanced persistent threat (APT) groups conducted sustained cyberespionage campaigns against Japanese organizations by exploiting vulnerabilities in region-specific software. APT17 initiated attacks leveraging a zero-day exploit (CVE-2014-0810) in Sanshiro, a discontinued Japanese spreadsheet application still widely used domestically. Attackers distributed malicious documents via spearphishing emails, triggering arbitrary code execution upon opening in Sanshiro to deploy the PlugX remote access trojan (RAT). Concurrently, a campaign dubbed Blue Termite targeted Ichitaro word processing software using another zero-day (CVE-2014-7247), delivering PlugX alongside Emdivi and Agtid malware designed for file exfiltration. These campaigns impacted over 100 Japanese organizations, including government agencies, educational institutions, and vertical industry entities, with malicious activity persisting through April 2019.

A third campaign, attributed to Bronze Butler, exploited SkySea Client View, an enterprise asset-management tool, through vulnerability CVE-2016-7836. This attack chain delivered NodeRAT, a JavaScript backdoor running on Node.js, and the Wali downloader, enabling lateral movement and data theft. Researchers from JPCERT observed consistent attacker methodologies across the campaigns, including reuse of command-and-control infrastructure for PlugX variants and adoption of new exploits as earlier vulnerabilities were patched. The campaigns demonstrated systematic network infiltration targeting weakly defended regional software, with Bronze Butler operations continuing through February 2019 and linking to a separate April 2019 attack exploiting Trend Micro's Virus Buster Corporate Edition. Analysis confirmed that all operations followed classic APT objectives: persistent access, lateral movement, and sensitive data exfiltration from high-value Japanese entities over multiyear periods.

Sources
1 source (available to members)