A serious cybersecurity breach has come to light in Japan, where the country’s Ground Self-Defense Force (JGSDF) unknowingly used malware-infected USB drives on computers connected to classified military networks.
The incident lasted for nearly a year before anyone noticed. What makes this case especially alarming is not just the breach itself, but the fact that the military chose not to disclose it even after the threat was discovered.
The infected drives were counterfeit USB flash drives manufactured in China and sold at prices far lower than genuine products. They were distributed to the JGSDF during relief operations following a major earthquake in central Japan in March 2024.
At the time, routine security scans were supposed to be performed on all external storage devices, but those checks failed to catch the malware hidden inside these counterfeit sticks.
Investigators and analysts from Nikkei, who examined leaked internal military documents, found that the malware matched a strain previously documented by a U.S. cybersecurity company as linked to a China-backed hacking group.
Nikkei said in a report shared with Cyber Security News (CSN) that the investigation uncovered a significant gap between the JGSDF’s stated security protocols and how those protocols were actually followed in the field.
The infection went undetected until February 2025, when a soldier based in Itami, near Osaka, noticed that his computer was running unusually slowly.
A scan of the machine revealed a virus that had been operating quietly in the background.
By that point, more than 50 computers had connected to the infected drives, with nearly half of those systems used to handle classified information, including details on troop movements.
What followed the discovery was just as troubling as the breach itself. Rather than alerting the public or issuing a broader warning, the JGSDF kept the incident internal.
This decision drew sharp criticism since similar counterfeit drives were still being sold online and had already spread to factories and research institutions across Japan, creating a wider risk than the military alone faced.
Nikkei Warns That Japan’s Ground Self-Defense Force Used Infected USB Drives
The malware embedded in these counterfeit drives was designed to execute automatically as soon as the USB stick was inserted into a computer, requiring no additional action from the user.
Once active, the malware could run quietly in the background, potentially stealing sensitive data, monitoring user activity, or even corrupting system software entirely.
An internal review of the JGSDF incident revealed that six out of eight USB drives distributed during the 2024 earthquake relief effort contained the same malware.
The fact that the virus survived multiple mandated security scans suggests it may have been designed specifically to evade standard detection tools common in military environments. This kind of targeted evasion points to a well-resourced and sophisticated threat actor.
Scale of the Breach and What Comes Next
The scope of the breach extended well beyond the initial incident. Nikkei’s follow-up reporting found that the same type of counterfeit USB drives, carrying the same China-linked malware, had made their way into secure systems at factories and research institutions across Japan.
The drives were being sold cheaply through online retailers, making them accessible to a wide range of buyers who had no idea what they were purchasing.
In response to these findings, security experts recommend that organizations purchase storage devices only from verified and trusted vendors.
Unusually low-priced products from unknown sellers should be avoided, and all removable media should be validated and scanned on dedicated, isolated systems before being connected to any operational network.
These steps, if followed correctly, could prevent a similar incident from happening again.
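The quarantine step recommended above (scan removable media on a dedicated, isolated host before it ever touches an operational network) can be made concrete as a small triage script run on such a station. The following is an added example written for this article, not code from Nikkei, the JGSDF or any vendor. It assumes the drive has already been mounted read-only at a path the operator supplies, and the file names, the autorun.inf contents and the empty known-bad hash list are constructed sample data; no indicator from the actual incident appears on the page, so none is used here.

```python
"""Offline triage of removable media on an isolated scanning station.

Added example, not from the original report. Assumes the media is mounted
read-only at a path passed to triage_media(); sample data is constructed.
"""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# File types a data-transfer drive handed out in the field should not carry.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".lnk", ".msi", ".jar",
}

# Placeholder for the organization's known-bad hash feed (constructed, empty).
KNOWN_BAD_SHA256: set = set()


@dataclass
class TriageReport:
    files_scanned: int = 0
    autorun_present: bool = False
    autorun_targets: list = field(default_factory=list)
    executables: list = field(default_factory=list)
    known_bad: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Autorun metadata or a hash match is an immediate block; unexpected
        # executables go to a human reviewer; plain data files are released.
        if self.known_bad or self.autorun_present:
            return "BLOCK"
        if self.executables:
            return "REVIEW"
        return "RELEASE"


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large media does not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_autorun(path: Path) -> list:
    """Return the launch targets named in an autorun.inf (case-insensitive keys)."""
    targets = []
    for line in path.read_text(errors="replace").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() in ("open", "shellexecute", "shell\\open\\command"):
            targets.append(value.strip())
    return targets


def triage_media(root: Path, known_bad=KNOWN_BAD_SHA256) -> TriageReport:
    """Walk the mounted media and collect the facts the verdict is based on."""
    report = TriageReport()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        report.files_scanned += 1
        rel = str(path.relative_to(root))
        if path.name.lower() == "autorun.inf":
            report.autorun_present = True
            report.autorun_targets.extend(parse_autorun(path))
        if path.suffix.lower() in EXECUTABLE_EXTENSIONS:
            report.executables.append(rel)
        if sha256_of(path) in known_bad:
            report.known_bad.append(rel)
    return report


def build_sample_media() -> Path:
    """Constructed stand-in for a mounted drive: two data files plus an
    autorun.inf pointing at an unknown binary (sample bytes, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    (root / "photos").mkdir()
    (root / "photos" / "site_01.jpg").write_bytes(b"\xff\xd8\xff\xe0 sample jpeg bytes")
    (root / "report.docx").write_bytes(b"PK\x03\x04 sample docx bytes")
    (root / "autorun.inf").write_text("[AutoRun]\nopen=update.exe\nicon=update.exe\n")
    (root / "update.exe").write_bytes(b"MZ constructed stand-in for an unknown binary")
    return root


if __name__ == "__main__":
    media = build_sample_media()
    r = triage_media(media)
    print(f"verdict={r.verdict} scanned={r.files_scanned} "
          f"autorun_targets={r.autorun_targets} executables={r.executables}")
```

The point of the three-way verdict is operational: a station that only says "clean" or "infected" cannot express the case the article describes, where a drive passes signature scanning yet carries content that should never be on a field-distributed data stick. Keying the block decision on autorun metadata and unexpected executables, independent of whether a hash matches, is what closes that gap.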
The GSDF confirmed only that a USB drive acquired by the JGSDF Middle Army headquarters was found to contain malware in February 2025, stopping short of a fuller public disclosure.
The broader lesson here is that even routine, low-cost hardware can become a serious entry point for nation-state level threats when procurement and security protocols are not rigorously enforced.