Nikkei Warns of Japan’s Ground Self-Defense Force Used USB Drives Infected with a China-linked Malware
By Tushar Subhra Dutta
June 26, 2026
A serious cybersecurity breach has come to light in Japan, where the country’s Ground Self-Defense Force (JGSDF) unknowingly used malware-infected USB drives on computers connected to classified military networks.
The incident lasted for nearly a year before anyone noticed. What makes this case especially alarming is not just the breach itself, but the fact that the military chose not to disclose it even after the threat was discovered.
The infected drives were counterfeit USB flash drives manufactured in China and sold at prices far lower than genuine products. They were distributed to the JGSDF during relief operations following a major earthquake in central Japan in March 2024.
At the time, routine security scans were supposed to be performed on all external storage devices, but those checks failed to catch the malware hidden inside these counterfeit sticks.
Investigators and analysts from Nikkei, who examined leaked internal military documents, found that the malware matched a strain previously documented by a U.S. cybersecurity company as linked to a China-backed hacking group.
Nikkei said in a report shared with Cyber Security News (CSN) that the investigation uncovered a significant gap between the JGSDF’s stated security protocols and how those protocols were actually followed in the field.
The infection went undetected until February 2025, when a soldier based in Itami, near Osaka, noticed that his computer was running unusually slowly.
A scan of the machine revealed a virus that had been operating quietly in the background.
By that point, more than 50 computers had connected to the infected drives, and nearly half of those systems were used to handle classified information, including details on troop movements.
What followed the discovery was just as troubling as the breach itself. Rather than alerting the public or issuing a broader warning, the JGSDF kept the incident internal.
This decision drew sharp criticism since similar counterfeit drives were still being sold online and had already spread to factories and research institutions across Japan, creating a wider risk than the military alone faced.
Nikkei Warns of Japan’s Ground Self-Defense Force Used USB Drives
The malware embedded in these counterfeit drives was designed to execute automatically as soon as the USB stick was inserted into a computer, requiring no additional action from the user.
Once active, the malware could run quietly in the background, potentially stealing sensitive data, monitoring user activity, or even corrupting system software entirely.
An internal review of the JGSDF incident revealed that six out of eight USB drives distributed during the 2024 earthquake relief effort contained the same malware.
The fact that the virus survived multiple mandated security scans suggests it may have been designed specifically to evade standard detection tools common in military environments. This kind of targeted evasion points to a well-resourced and sophisticated threat actor.
Scale of the Breach and What Comes Next
The scope of the breach extended well beyond the initial incident. Nikkei’s follow-up reporting found that the same type of counterfeit USB drives, carrying the same China-linked malware, had made their way into secure systems at factories and research institutions across Japan.
The drives were being sold cheaply through online retailers, making them accessible to a wide range of buyers who had no idea what they were purchasing.
In response to these findings, security experts recommend that organizations purchase storage devices only from verified and trusted vendors.
Unusually low-priced products from unknown sellers should be avoided, and all removable media should be validated and scanned on dedicated, isolated systems before being connected to any operational network.
These steps, if followed correctly, could prevent a similar incident from happening again.
The GSDF confirmed only that a USB drive acquired by the JGSDF Middle Army headquarters was found to contain malware in February 2025, stopping short of a fuller public disclosure.
The broader lesson here is that even routine, low-cost hardware can become a serious entry point for nation-state level threats when procurement and security protocols are not rigorously enforced.