
Japan's Ground Self-Defense Force (JGSDF) reportedly used counterfeit USB flash drives infected with malware linked to previously identified Chinese threat activity on computers connected to sensitive military networks for nearly a year before the devices were discovered.
According to a Nikkei investigation based on leaked internal documents, the incident affected more than 50 computers, including systems used for classified command-and-control operations.
The malware was reportedly discovered in February 2025 after personnel at the JGSDF's Middle Army headquarters in Itami, near Osaka, noticed a computer running unusually slowly. An examination of a recently inserted USB drive revealed malware, prompting a wider internal investigation into removable media used within the organization.
According to the leaked documents cited by Nikkei, investigators identified six infected USB drives. Of approximately 480 computers examined during the investigation, more than 50 had at some point been connected to one of the compromised devices. Nearly half of those systems were reportedly connected to isolated networks handling highly classified information, including unit command-and-control data.
The investigation concluded that the USB drives were counterfeit products manufactured in China. Rather than containing standard flash memory chips, the devices reportedly used inexpensive microSD cards as their storage medium. They also falsely advertised a capacity of 1 TB while actually providing only about 240 GB of usable storage, a common characteristic of counterfeit storage devices sold through online marketplaces.
Internal records reportedly indicate that the regional headquarters received eight USB drives during disaster relief operations following the January 2024 Noto Peninsula earthquake. The drives were transferred from Ishikawa Prefecture in March 2024, although investigators were reportedly unable to determine how they had originally been procured. Six of the eight drives were found to contain the same malware.
The leaked documents also indicate that several security controls failed to detect the threat. While the JGSDF reportedly performs antivirus scans both during procurement and when USB devices are used, the compromised drives had been excluded from scans performed by endpoint security software for reasons that investigators could not determine. As a result, the malware remained undetected for nearly a year while the drives continued to be used.
According to Nikkei, the malware matched a strain previously documented by a US cybersecurity company as used by a China-linked hacking group. The report states that the malware executes automatically when an infected USB drive is inserted into a computer.
Although the JGSDF was aware that comparable products continued to be sold online, Nikkei reports that it did not publicly disclose the broader risk at the time. In a statement cited by the publication, the Ground Self-Defense Force confirmed only that “in February 2025, a USB drive acquired by the JGSDF Middle Army headquarters was found to contain malware.”
Recommended mitigations are to purchase storage devices only from trusted vendors, avoid unusually inexpensive products from unknown sellers, validate a device's real storage capacity before deployment, and scan removable media on a dedicated system before connecting it to operational networks.
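The capacity mismatch described above (1 TB advertised, roughly 240 GB usable) is one signal a defender can check for before a drive is ever plugged into an operational system. The following is an added example, not code from the article, Nikkei, or the JGSDF: it performs the same write-then-verify check that tools such as f3 and h2testw use, writing a unique pseudorandom block to sampled offsets across the advertised size and reading each one back. A counterfeit controller that maps addresses modulo its real capacity overwrites earlier blocks, and one that silently drops writes returns stale data, so either case shows up as failed blocks. The `SimulatedDrive` class is a constructed stand-in for a device; `verify_capacity` accepts any object with `seek`/`read`/`write`, so a raw block-device file can be passed in its place.

```python
import hashlib
import os

BLOCK = 4096  # bytes per sampled block


def pattern(seed: bytes, index: int) -> bytes:
    """Deterministic, per-block-unique 4 KiB pattern derived from a seed."""
    out = bytearray()
    counter = 0
    while len(out) < BLOCK:
        out += hashlib.sha256(
            seed + index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return bytes(out[:BLOCK])


class SimulatedDrive:
    """Constructed stand-in for a block device (not a real driver).

    Models the common counterfeit behaviour: the controller reports
    `advertised` bytes but only has `real` bytes of flash, and every address
    is mapped modulo the real size, so writes past the real end silently
    overwrite earlier data.
    """

    def __init__(self, advertised_bytes: int, real_bytes: int):
        self.advertised = advertised_bytes
        self.real = real_bytes
        self.store = bytearray(real_bytes)
        self.pos = 0

    def seek(self, offset: int) -> int:
        self.pos = offset
        return self.pos

    def write(self, data: bytes) -> int:
        for i, b in enumerate(data):
            self.store[(self.pos + i) % self.real] = b
        self.pos += len(data)
        return len(data)

    def read(self, n: int) -> bytes:
        out = bytes(self.store[(self.pos + i) % self.real] for i in range(n))
        self.pos += n
        return out


def verify_capacity(dev, advertised_bytes: int, samples: int = 64, seed: bytes = None) -> dict:
    """Write a unique pattern to `samples` evenly spaced blocks (plus the last
    block), then read them all back. Any mismatch means the device cannot
    retain data across its advertised range. Destructive: overwrites the
    sampled blocks, so use only on a blank drive before deployment."""
    seed = seed if seed is not None else os.urandom(16)
    total_blocks = advertised_bytes // BLOCK
    step = max(1, total_blocks // samples)
    indices = list(range(0, total_blocks, step))
    if indices[-1] != total_blocks - 1:
        indices.append(total_blocks - 1)  # always exercise the very last block

    # Phase 1: write every sampled block before reading any of them back, so a
    # wrap-around controller has the chance to clobber earlier blocks.
    for i in indices:
        dev.seek(i * BLOCK)
        dev.write(pattern(seed, i))

    # Phase 2: read back and compare.
    verified, failed = [], []
    for i in indices:
        dev.seek(i * BLOCK)
        (verified if dev.read(BLOCK) == pattern(seed, i) else failed).append(i)

    # Rough usable-size estimate: fraction of sampled blocks that survived.
    estimate = int(advertised_bytes * len(verified) / len(indices))
    return {
        "counterfeit": bool(failed),
        "verified_blocks": verified,
        "failed_blocks": failed,
        "estimated_usable_bytes": estimate,
    }


if __name__ == "__main__":
    # Constructed scaled-down drive: 1024 blocks advertised, 240 usable
    # (roughly the 1 TB / 240 GB ratio reported for the counterfeit drives).
    fake = SimulatedDrive(advertised_bytes=1024 * BLOCK, real_bytes=240 * BLOCK)
    result = verify_capacity(fake, fake.advertised, seed=b"constructed-seed")
    print("counterfeit:", result["counterfeit"])
    print("verified/failed:", len(result["verified_blocks"]), len(result["failed_blocks"]))
    print("estimated usable bytes:", result["estimated_usable_bytes"])
```

To run this against a physical drive you are about to deploy (assumed usage, Linux-style path), open the device with `open("/dev/sdX", "r+b", buffering=0)`, obtain its advertised size with `f.seek(0, 2)`, and pass both to `verify_capacity`; the sampled blocks are overwritten, so the drive must not hold data you need. Sampling keeps the test fast, but a full sweep (`samples` equal to the block count) is the stricter check for a drive destined for an isolated network.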