Leaked internal documents have revealed that for nearly a year Japan’s Ground Self-Defense Force (JGSDF) used counterfeit USB flash drives infected with malware on computers connected to sensitive military networks. The USB drives have been linked to Chinese hacking operations, according to an investigation by Nikkei Asia.
Nikkei Asia reports that the poisoned flash drives were delivered to the JGSDF in March 2024, during disaster relief operations following an earthquake in central Japan. Via this route they were able to enter military use without having passed through standard procurement channels.
The malware was discovered in February 2025, after personnel at JGSDF’s Middle Army headquarters in Itami, near Osaka, noticed a computer running unusually slowly. Subsequent investigations found that six out of eight USB drives tested contained the same malicious code.
The infected USB drives had been attached to over 50 computers, with nearly half of those systems used to handle classified data, including information about the movement of troops.
Investigators matched the malware to a strain previously documented by an unnamed US cybersecurity firm, which had linked it to a Chinese hacking group. Neither the malware family nor the hacking group has been publicly named in reports.
Japan’s Defense Ministry has downplayed the threat, with a spokesperson saying:
“The malware was a legacy type one limited to self-replication behaviour and did not perform information exfiltration or external communication.”
Adding to the confusion, the Epoch Times reports that a spokesperson for the Ishikawa Prefectural Government – which had been alleged in the leaked internal documents to have provided the USB drives to the JGSDF during the 2024 earthquake relief effort – said that “we could not confirm any record of procuring the USB drives or paying for their purchase.”
With neither the prefecture nor the military able to produce a paper trail, the origin of the counterfeit drives remains a mystery, raising further questions about how easily compromised hardware can slip into sensitive environments when normal processes are bypassed during an emergency.
Nikkei Asia says that the threat posed by the infected drives extends beyond the JGSDF. USB flash drives preloaded with the same malware have been sold across major online retail platforms, and infections have been seen at factories and research facilities across multiple industries in Japan. The counterfeit drives, priced 30 to 50 percent below authentic brands, were traced to seller accounts in China.
According to Nikkei Asia, the JGSDF did not disclose the infection within its network, despite the counterfeit drives remaining widely available for purchase online. The Defense Ministry says it is continuing to investigate the circumstances surrounding acquisition of the drives and intends to enforce mandatory virus-scanning safeguards.
Regular readers of Hot for Security will be well aware of the threat posed by pre-infected USB drives, where malware can hide until a user inserts it into their computer.
Clearly organisations need to check that they are only buying storage devices from verified and trusted vendors, and treat products selling for a suspiciously low price with caution.
Furthermore, it would be wise to scan removable media on a dedicated isolated system prior to connecting it to any corporate network. In addition, computers should have any autorun or autoplay functionality disabled to prevent malicious code on a USB drive from being automatically activated upon attachment.