LOLCats and PC viruses - Japan gets a lesson in cybersecurity

The national police reboot their anti-hacker tactics after months of public ridicule from what appears to be a rogue hacker

National TV anchors struggle through explanations of the Tor anonymity network, while newspapers run detailed graphics on remote hacking software and the national police warn against using obscure online tools known as Syberian Post Offices.

Japan is in the midst of a cybercrime fix.

The public has been drawn in by the saga of what appears to be a lone hacker who slipped software onto the computers of innocents and used them to post fictional warnings of imminent mass murders at public schools and attacks against airplanes. He then spent months taunting authorities through emails to the national press.

After a public pursuit that included multiple false arrests, a taunting message that led to a memory card planted on the pink collar of a cat on a small island, and images posted online with their location data apparently tweaked to mislead authorities, police finally arrested suspect Yusuke Katayama, a 30-year-old slightly chubby IT worker, last week. Police seem confident they got the man responsible for it all, though some are still doubtful.

"It took so long, and it seemed as though the police were helpless to find him," said Yoji Ochiai, a lawyer and former public prosecutor who specializes in online crimes, and who also received emails from the hacker.

"This can be thought of as a major lesson for the police."

The more colorful bits of the story have trickled out through the Western media in short bytes of hacker comedy -- bungling police arrest and question the wrong guy, four times; online videos of the cat rubbing up against the legs of reporters -- but industry watchers say the ordeal has triggered real change. The public humiliation has forced Japan's National Police Agency (NPA), whose role is similar to organizations like the Federal Bureau of Investigation in the U.S., into swiftly adopting a number of reforms.

"The police made the false arrests based on the IP addresses of computers that accessed the public forums, that was the standard," said Yoshimi Usui, the director of RIIS, the Research Institute of Information Security.

"It seems they didn't even know that anonymizer tools existed."

Previous incidents have been far more serious -- the Sony gaming network hack in 2011, stolen secrets from military contractors and the space agency, online break-ins at parliament -- but nothing has captured the country's attention quite like this.

The events that led up to the arrest started in June of last year, when messages of mass killings and public attacks began appearing in online postings. After authorities arrested and released the wrong suspects, the hacker, who police now say is Katayama, chided them through emails to the press, including one that led them to the memory card on the cat. The card contained a copy of a powerful program authorities believe Katayama created and employed, which allowed him to anonymously control remote computers and make the postings.

The national press have covered each new development in detail. Police have felt pressure and responded with uncharacteristic speed.

In December the NPA offered ¥3 million (US$32,000) for information about the individual behind the high jinks, its first-ever reward for a hacker. The agency's wanted posters, ever-present in Japanese train stations and post offices, usually feature a blurry image of a hooded figure, snipped from security camera footage, with a list of crimes and birthmarks. But the hacker poster was something new - its only picture is a pair of cartoon hands on a laptop, followed by a long block of text detailing technical skills including C# programming and the use of a "Syberian Post Office," a tool for making online postings anonymously.

Earlier this month, before the latest arrest, the NPA released an "emergency program" for battling cybercriminals, specifically mentioning its failures in the hacking case as motivation. New measures include police officials "joining hacking communities" and forming relationships with hackers to glean information, as well as figuring out how to peg criminals who use tools like Tor.

It is still unclear if police have their man in Katayama, though officials have said they possess irrefutable proof. He has steadfastly denied being the mastermind behind the cyberattacks, citing his lack of ability as proof.

"If you compare the skills of the 'actual criminal' and Katayama, it's obvious he is far more talented than Katayama. It is clear if you look at Katayama's abilities that he is not the criminal here," the suspect's lawyer told reporters.

The program used to take control of remote computers and post threats online, "iesys.exe," was custom-built in the C# programming language, and has been painstakingly analyzed by authorities. The Tokyo Metropolitan Police Department has taken the rare step of posting detailed descriptions of the software, including the classes and variables used in its source code.

"Detailed information about this virus has been made public with the intention of encouraging the public to provide further information about it," reads a special section of the department's Web page devoted to the virus.

Once it had infected a computer, the software hid in the background and periodically checked free online bulletin boards on a Japanese portal, "livedoor," for commands from its controller. These included instructions to turn keylogging on and off, upload and download files, and post messages to other bulletin boards.

Authorities have discovered multiple versions of the Windows program in the wild, according to reports, and those who have analyzed them say they are complex and unique. Security firm Trend Micro has rated the code's "damage potential" as high, and says users must manually modify their computers' registries to get rid of it.

The complexity of the program, and the meticulous way it was developed, appear to contrast with Katayama's actions in the months when he was allegedly toying with Japan's national police. Authorities have said he occasionally failed to anonymize his Internet activities, and traced him to the online purchase of a small figurine that later appeared in a photo he sent to newspapers.

The FBI cooperated with Japanese police and provided the contents of a Dropbox account used by the suspect, the contents of which included a copy of the "iesys.exe" virus, according to the Nikkei business newspaper.

If Katayama does turn out to be the mastermind behind the program and the one that made threats online, it appears police caught a break in their first public duel with a hacker of his stature. One of their main leads was decidedly low tech -- video footage of him caught by a security camera on Enoshima, the small island where he allegedly planted the memory card on a local cat.

"It appears that he wanted to show off and went too far. If this is true then the police were fortunate he did so, because they probably wouldn't have found him otherwise," said Ochiai.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitygovernment

More about DropboxFBIFederal Bureau of InvestigationSonyTrend Micro Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jay Alabaster

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place