According to Nikkei, internal documents from Japan’s Ground Self-Defense Force show that a batch of counterfeit Chinese USB flash drives infected with malicious software was used within the force for nearly a year. Some were even connected to closed systems that handle highly sensitive information such as unit command orders. The incident was not discovered until February 2025, when personnel noticed abnormal computer performance.
Six infected USB drives accessed classified closed systems
The report states that in February 2025, personnel at the Ground Self-Defense Force’s Central Army Headquarters (Itami City, Hyogo Prefecture) noticed that computers were running significantly slower. An inspection revealed that USB drives connected to the computers were infected with malware. Six out of eight USB drives tested were found to contain the same malicious program.
The investigation showed that these USB drives had been connected to more than 50 of the 480 computers in the unit, nearly half of which belonged to closed internal networks used for processing highly sensitive command information.
Japan’s Ministry of Defense information systems are divided into open systems that can connect to the internet and closed systems that are completely isolated from external networks. Due to operational needs, USB drives are frequently used to transfer data between systems, making them an essential storage tool in daily operations.
Investigation: malware hidden in counterfeit Chinese USB drives; multiple security checks failed
The Ground Self-Defense Force’s Cyber Defense Unit, responsible for cybersecurity, analyzed the devices and found that the USB drives were counterfeit products made in China. Instead of the advertised flash memory chips, they used lower-cost, slower Micro SD cards, with malware embedded during production.
Success
You are now signed up for our newsletter
Success
Check your email to complete sign up
The investigation also found that although the drives were labeled as 1TB in capacity, their actual storage was only about 240GB, a common type of “capacity-expanded” counterfeit product.
Internal documents show that the USB drives were transferred from Ishikawa Prefecture to the Central Army Headquarters in March 2024 during disaster relief operations following the Noto Peninsula earthquake. The original procurement records can no longer be verified.
The Ground Self-Defense Force stated that computers and information systems normally undergo virus scanning and multi-layer authentication through account permissions. However, at the time, antivirus software did not include USB drives in its scanning scope, allowing the malware to remain undetected within the system for nearly a year, and rendering multiple security safeguards ineffective.
A Self-Defense Force official interviewed in May this year said it is still unclear why USB drives were excluded from virus scanning in the first place.
US cybersecurity firm: malware linked to Chinese state-linked hacker group
According to the report, a U.S. cybersecurity company assessed that the malware discovered had previously been used by Chinese hacking groups. The attack method involves using infected USB drives as a bridge for network intrusion; once the device is inserted into a computer, it can automatically infect the system and potentially steal data.
The group has previously targeted government institutions, educational organizations, and telecommunications companies in countries such as Vietnam and Australia. Japan’s Ground Self-Defense Force believes its attack range may now have expanded to Japan.
The Cyber Defense Unit responsible for the investigation also noted that counterfeit Chinese USB drives are still widely circulating through online marketplaces both inside and outside Japan, including major platforms such as Amazon and Rakuten. They are often sold at about half the market price. Many consumer reviews also report similar issues.
The report adds that industries such as healthcare, education, manufacturing, and finance also commonly use USB drives to transfer data between offline systems. As a result, such attacks may pose cybersecurity risks not only to the military but also to other critical sectors of Japanese society.
The Japanese government is currently promoting stronger proactive cyber defense measures and improved public-private information sharing. However, despite confirming the circulation of such counterfeit USB drives, the Ground Self-Defense Force had not previously disclosed the incident publicly.
The Public Affairs Office of the Japan Ground Staff Office stated that the infected USB drives were discovered in February 2025 and assessed as not having caused any actual system damage. It added that all units have now been instructed to strictly enforce virus scanning protocols to prevent similar incidents in the future.
