Japan's Ground Self-Defense Force (JGSDF) used malware-infected counterfeit USB drives on sensitive military networks for nearly a year before detection in February 2025. The compromised drives, linked to Chinese hacking operations, infected over 50 computers at JGSDF facilities, with nearly half of those systems used to handle classified information including troop movements. Personnel at the Middle Army headquarters in Itami discovered the infection after noticing unusually slow computer performance, prompting an investigation that found six of eight tested USB drives contained identical malicious code.
The infected drives entered military use through an unusual route during March 2024 earthquake relief operations in central Japan, bypassing standard procurement channels entirely. Neither the JGSDF nor the Ishikawa Prefectural Government, which allegedly provided the drives, can produce purchase records or payment documentation. This lack of paper trail highlights how emergency situations can create security vulnerabilities when normal vetting processes are suspended. Investigators matched the malware to a strain previously documented by a US cybersecurity firm and attributed to a Chinese hacking group, though neither the malware family nor the specific threat actor has been publicly identified.
Japan's Defense Ministry has characterized the threat as limited, stating the malware was a legacy type restricted to self-replication without information exfiltration or external communication capabilities. However, the infection scope extends beyond military networks. The same counterfeit drives, priced 30-50% below authentic brands, have been sold across major online retail platforms and caused infections at factories and research facilities throughout multiple Japanese industries. Seller accounts traced to China continue offering these compromised devices despite the known security risks.
The incident affected systems handling classified data about troop movements and other sensitive military information. While the Defense Ministry downplays the immediate threat based on the malware's limited functionality, the breach demonstrates how easily compromised hardware can penetrate secure environments. The counterfeit drives remained widely available for purchase online even after the JGSDF discovered the infection, and the military did not publicly disclose the compromise.
Organizations should implement several protective measures against pre-infected USB drives. Purchase storage devices exclusively from verified and trusted vendors, and treat suspiciously low-priced products with caution. Scan all removable media on dedicated, isolated systems before connecting it to corporate networks. Disable autorun and autoplay functionality on all computers so that malicious code is not executed automatically when a USB drive is attached. The JGSDF is continuing its investigation and plans to enforce mandatory virus-scanning safeguards for all storage devices.
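As an added example (not from the article or the JGSDF), the following PowerShell audits and, on request, enforces the autorun/autoplay hardening recommended above on a Windows host. It assumes the documented Explorer policy values for AutoRun and the per-user AutoPlay switch; the function names are this example's own, and changing the HKLM values requires an elevated session.

```powershell
param([switch]$Enforce)   # run without -Enforce to audit only

# Documented Windows policy locations that control AutoRun/AutoPlay behaviour.
$Policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 0xFF }   # AutoRun off for every drive type
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutorun';          Expected = 1 }      # ignore autorun.inf commands entirely
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Name = 'DisableAutoplay';    Expected = 1 }      # AutoPlay prompt off for the current user
)

function Get-AutoRunPosture {
    # Returns one object per policy with the value found and whether it matches.
    foreach ($p in $Policies) {
        $actual = $null
        if (Test-Path $p.Path) {
            $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        [pscustomobject]@{
            Path      = $p.Path
            Name      = $p.Name
            Expected  = $p.Expected
            Actual    = $actual
            Compliant = ($actual -eq $p.Expected)
        }
    }
}

function Set-AutoRunPosture {
    # Creates the policy keys if missing and writes the expected DWORD values.
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Expected -PropertyType DWord -Force | Out-Null
    }
}

$before = Get-AutoRunPosture
$before | Format-Table Name, Expected, Actual, Compliant -AutoSize

if ($Enforce -and ($before | Where-Object { -not $_.Compliant })) {
    Set-AutoRunPosture
    Write-Host 'Re-checking after enforcement:'
    Get-AutoRunPosture | Format-Table Name, Expected, Actual, Compliant -AutoSize
}
```

Disabling autorun stops automatic execution only; media that carries self-replicating malware still needs the isolated scanning step the article recommends before it is mounted on a production host.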
Source: https://www.bitdefender.com/en-us/blog/hotforsecurity/usb-drives-carrying-china-linked-malware-infected-japanese-military-networks-for-nearly-a-year