{
	"id": "bcaf7045-20be-4e46-a1ed-cfa1df3e40fb",
	"created_at": "2026-04-06T00:15:58.3738Z",
	"updated_at": "2026-04-10T03:36:37.030042Z",
	"deleted_at": null,
	"sha1_hash": "d0b0eb91c5ec2b3c3dcc356a63b973f2999972ee",
	"title": "Zooming into Darknet Threats Targeting Japanese Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2014814,
	"plain_text": "Zooming into Darknet Threats Targeting Japanese Organizations\r\nBy Victoria Kivilevich, KELA Cyber Team\r\nPublished: 2020-11-18 · Archived: 2026-04-05 22:21:37 UTC\r\nBy Victoria Kivilevich\r\nEdited by KELA Cyber Team\r\nUpdated November 18, 2020\r\nIn light of rising cyberattacks and ahead of the 2021 Tokyo Games, Japan is investing in cybersecurity efforts,\r\nwith one of them being the establishment of a government entity dubbed the Digital Agency. The decision follows\r\nrecent fraud involving Japanese bank accounts linked to cashless payment services, which could be achieved by\r\nbrute-forcing, using compromised credentials to banking accounts or via other attack vectors. Attacks on\r\nbanking infrastructure are just one part of the threats targeting Japanese organizations that KELA recently explored. They\r\ninclude:\r\nLeaked data and compromised accounts. KELA detected that data belonging to Japanese corporations,\r\nas well as government and educational entities, is actively circulating in the darknet and being demanded\r\nhttps://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/\r\nPage 1 of 13\n\nby threat actors. This data can be used to gain initial network accesses, i.e. entry points to targeted\r\nnetworks.\r\nInitial network accesses. KELA observed several compromised Japanese companies, ranging from\r\ncorporations to universities, including one Japanese ministry target, during June-October 2020. These accesses\r\ncan be leveraged to eventually deploy ransomware.\r\nRansomware incidents. KELA detected at least 11 Japanese victims of ransomware attacks in June-October 2020. 
The affected companies are from the manufacturing, construction and government-related\r\nindustries, with the top victims having around $143 billion, $33 billion and $2 billion in yearly revenue.\r\nLeaked Data and Compromised Accounts: Demand for Japanese Companies\r\nAmong the most prominent threats on the darknet, KELA observed leaks and sales of Japanese entities’\r\ndata. While many offers are related to regular users, some actors are specifically looking for corporate data\r\nof Japanese organizations.\r\nA threat actor requesting corporate emails in Asian countries, including Japan\r\nA threat actor requesting fresh Japanese databases. Within several days, he received three replies from potential\r\nsellers asking for contact details, presumably to make a deal\r\nExposed data may include personal information of companies’ customers and employees, sensitive internal\r\ndocuments, and credentials to the company’s resources. For example, the KelvinSecurityTeam hacking group has\r\nbeen trading a database of a major Japanese corporation since July 2020. It has recently been promoted again as\r\npart of their offers.\r\nThe threat actor claimed that the database contains records of 150,000 customers, possibly Japanese ones. As\r\nKELA observed from samples of the database, the records include names, addresses, birth dates, emails, and\r\nphone numbers, as well as some data related to their work history. 
KelvinSecurityTeam is a hacking collective\r\nwith some members from Venezuela, Peru, and Colombia, which is known for selling hacking tools, carding\r\nservices, and private data dumps on forums.\r\nWhile personal information and internal documents require malicious actors to perform multiple steps to\r\nattack the company further (for example, via specially crafted phishing campaigns), exposed credentials\r\nprovide an easier way to compromise the company by accessing its internal systems and the software in use.\r\nExposed credentials can be divided into two types:\r\nLeaked credentials. Corporate email logins, with or without passwords, which are usually leaked or\r\nsold by threat actors on underground forums. Overall, KELA discovered more than 100 million exposed\r\nJapanese emails in our sources.\r\nCompromised accounts. Logins and passwords to accounts that grant access to tools and software used in\r\na compromised environment, such as RDP, VPN solutions, and more, which are usually sold through\r\nunderground autoshops.\r\nTop 10 email domains featured in leaked credentials gathered by KELA’s tools from cybercrime communities.\r\nPart of compromised accounts offered in autoshops (shown within KELA’s DARKBEAST)\r\nThis data can enable attackers to access the company’s resources and conduct further malicious activity, ranging\r\nfrom social engineering to malware attacks. 
Ultimately, any leaked data can theoretically become an entry\r\npoint for large-scale attacks.\r\nBased on information gathered from multiple darknet sources that KELA tracks, we determined that many Japanese\r\ncorporations, as well as government and educational entities, are suffering significantly from these types of\r\nthreats.\r\nNetwork Accesses: Entry Points to Japanese Networks for Ransomware Attackers\r\nInitial network accesses, offered on underground forums, can serve as entry points for ransomware operators and\r\nother malicious actors looking for a foothold from which they can move laterally and deploy ransomware or steal\r\nintellectual property. Over the last three months, KELA observed several accesses to Japanese organizations being\r\nsold in the darknet. While the overall numbers are lower than for other countries like the US, considering the scale of\r\ninitial network access sales, each of these accesses can be turned into millions in ransom demanded by\r\nbuyers who manage to leverage them to infect the victims with ransomware.\r\nThe most dangerous offer appears to be related to a remote code execution vulnerability in the Japanese Ministry\r\nof Justice network. According to the threat actor who posted the offer for 210,000 JPY, exploiting this vulnerability\r\ncould grant NT Authority/System privileges, meaning a high level of permissions.\r\nAnother access on sale during the last months allegedly belonged to a “Japan ship inspection network” and had\r\ndomain admin level privileges, which enables attackers to perform malicious actions on behalf of the targeted\r\nnetwork’s administrator. It was offered for 157,000 JPY. 
Interestingly, one week later, the Sodinokibi (REvil)\r\nransomware gang attacked a victim which appears to be the same company based on the description on the\r\nvictim’s website — “certification body of ship equipment.” However, it is not known if the two incidents were\r\nrelated. Ransomware operators usually wait for negotiation deadlines to expire before exposing a victim on\r\ntheir blogs, so it is unlikely that they would both attack the victim and lose patience within a single\r\nweek.\r\nAccess to the Japanese “ship inspection network” offered for sale\r\nSodinokibi’s victim\r\nAmong other offers, KELA observed access to a Japanese medical university being offered for 105,000 JPY. The\r\nexample highlights that despite the pandemic and the disapproval of some members of the underground\r\ncommunity, many actors continue to target the healthcare industry, as well as the education sector.\r\nRansomware Incidents: (At Least) Seven Gangs Targeting Japanese Organizations\r\nDuring June-October 2020, at least 11 Japanese victims suffered ransomware attacks (based on media\r\nreports and data on ransomware gangs’ “naming-and-shaming” portals used to threaten victims, monitored by\r\nKELA technology), with the most well-known victims being Honda and Canon.\r\nThe most active ransomware gang targeting Japanese entities appears to be the DoppelPaymer gang. The\r\nDoppelPaymer ransomware emerged in 2019 and is believed to have links with former members of the TA505\r\nhacking group. This group has recently attacked four large Japanese companies from the construction, automotive\r\nand manufacturing industries, including a corporation with $1 billion in revenue, as well as a German subsidiary\r\nof a leading manufacturer of specialty paper in Japan. 
Interestingly, one of the victims of DoppelPaymer was later\r\nclaimed to have been attacked by Conti, a new ransomware operation that started in August 2020 and is believed to be\r\nassociated with the Ryuk ransomware.\r\nDoppelPaymer’s leak blog featuring a Japanese manufacturing company with $153 million revenue\r\nOther ransomware gangs spotted attacking Japanese entities are the well-known Maze, Sodinokibi and Ekans (Snake),\r\nand two ransomware operations that have recently adopted the tactic of public shaming – Egregor and LockBit.\r\nMaze’s leak site featuring a full dump of stolen documents belonging to a Japanese manufacturing company\r\nNot much is known about the initial infection vectors used to compromise the networks of Japanese victims. However,\r\nit is clear that the attack surface is expanding due to COVID-19-related issues and the increasing trend toward remote\r\nworking, meaning that more and more employees are using vulnerable software and exposed credentials to access\r\ncorporate networks remotely.\r\nBusiness enterprises in Japan that implemented home office for employees after the outbreak of COVID-19\r\n(source: Statista)\r\nFor example, one Japanese victim, a manufacturing company, was probably attacked by LockBit using exploit\r\ncode for a Pulse Secure vulnerability (CVE-2019-11510). The clue stems from the fact that the company’s IP\r\naddress was included in a leak posted on a cybercrime community containing details and credentials of over 900\r\nenterprise Pulse Secure servers exploited by threat actors.\r\nThe victim was first shared by LockBit in their thread on a Russian-speaking underground forum with a domain\r\nthat had a Chinese TLD, which could indicate that a Chinese branch was the one attacked. 
When LockBit started their\r\nblog a few days later, the victim appeared there without any domains mentioned.\r\nThe Pulse Secure leak, for which additional directories were shared several days later, possibly affects\r\nabout 117 Japanese entities, based on KELA’s analysis of the IP addresses. Darknet chatter on the matter\r\nshows that this information had been circulating among malicious actors before the leak that happened in\r\nAugust 2020. Therefore, credentials to affected Japanese organizations’ Pulse Secure servers could be used by\r\ndifferent actors in their malicious campaigns, including ransomware attacks.\r\nPart of the Japanese entities contained in the Pulse Secure leak (KELA’s document based on the leaked directory)\r\nConclusions and Mitigation Efforts\r\nAs can be concluded from this research, more and more threat actors, advanced APT groups and nation-state actors\r\nare considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and\r\ntargeted attacks.\r\nGiven the latest “work from home” trend and the increased attack surface, KELA has observed many commercial\r\nand governmental Japanese entities being recently attacked by known actors – from ransomware gangs to nation-state actors and other financially motivated groups. They are using multiple attack vectors aimed at compromising\r\nJapanese entities, gaining a foothold in their networks and stealing sensitive information and funds.\r\nKELA strongly believes that real-time monitoring of darknet communities for both supply and demand can hold\r\nsignificant intelligence value for Japanese defenders. 
It enables Japanese entities to be more proactive against threats,\r\nlearn about new tactics used by malicious actors, and take measures to protect against them.\r\nIn our next blog post, we will cover the Japanese financial ecosystem and the opportunities threat actors see in\r\ntargeting both the consumer and the organizational sides.\r\nSource: https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/"
	],
	"report_names": [
		"zooming-into-darknet-threats-targeting-jp-orgs-kela"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0b0eb91c5ec2b3c3dcc356a63b973f2999972ee.pdf",
		"text": "https://archive.orkl.eu/d0b0eb91c5ec2b3c3dcc356a63b973f2999972ee.txt",
		"img": "https://archive.orkl.eu/d0b0eb91c5ec2b3c3dcc356a63b973f2999972ee.jpg"
	}
}