Japan Ground Self-Defense Force Used Counterfeit USB Drives Infected with China-Linked Malware for Nearly a Year
Japan's Ground Self-Defense Force unknowingly used counterfeit USB drives infected with malware linked to a China-backed hacking group during earthquake relief operations, with the breach going undetected for 11 months.

Japan's Ground Self-Defense Force (JGSDF) unknowingly used counterfeit USB flash drives infected with malware linked to a China-backed hacking group during earthquake relief operations in March 2024, according to an investigation by Nikkei. The breach went undetected for nearly a year, infecting over 50 computers, nearly half of which handled classified troop movement data. The JGSDF kept the incident internal even after discovery, drawing sharp criticism as the same counterfeit drives continued to spread to factories and research institutions across Japan.
The infected drives were counterfeit USB flash drives manufactured in China and sold at prices far lower than genuine products. They were distributed to the JGSDF during relief operations following a major earthquake in central Japan in March 2024. Routine security scans were supposed to be performed on all external storage devices, but those checks failed to catch the malware hidden inside these counterfeit sticks.
The malware was designed to execute automatically as soon as the USB stick was inserted into a computer, requiring no additional action from the user. Once active, it could run quietly in the background, potentially stealing sensitive data, monitoring user activity, or corrupting system software. An internal review revealed that six of the eight USB drives distributed during the earthquake relief effort contained the same malware. The fact that the malware survived multiple mandated security scans suggests it may have been designed specifically to evade the standard detection tools common in military environments.
Investigators and analysts from Nikkei, who examined leaked internal military documents, found that the malware matched a strain previously documented by a U.S. cybersecurity company as linked to a China-backed hacking group. The infection went undetected until February 2025, when a soldier based in Itami, near Osaka, noticed that his computer was running unusually slowly. A scan of the machine revealed a virus that had been operating quietly in the background. By that point, more than 50 computers had connected to the infected drives, with nearly half of those systems used to handle classified information including details on troop movements.
What followed the discovery was just as troubling as the breach itself. Rather than alerting the public or issuing a broader warning, the JGSDF kept the incident internal. This decision drew sharp criticism, since similar counterfeit drives were still being sold online and had already spread to factories and research institutions across Japan, creating a wider risk than the one the military alone faced. The JGSDF confirmed only that a USB drive acquired by its Middle Army headquarters was found to contain malware in February 2025, stopping short of a fuller public disclosure.
The scope of the breach extended well beyond the initial incident. Nikkei's follow-up reporting found that the same type of counterfeit USB drives, carrying the same China-linked malware, had made their way into secure systems at factories and research institutions across Japan. The drives were being sold cheaply through online retailers, making them accessible to a wide range of buyers who had no idea what they were purchasing.
In response to these findings, security experts recommend that organizations purchase storage devices only from verified and trusted vendors. Unusually low-priced products from unknown sellers should be avoided, and all removable media should be validated and scanned on dedicated, isolated systems before being connected to any operational network. The broader lesson is that even routine, low-cost hardware can become a serious entry point for nation-state-level threats when procurement and security protocols are not rigorously enforced.
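The recommendation above, that removable media be validated on a dedicated, isolated station before it touches an operational network, is easy to state and harder to turn into a repeatable check. The following is an added example, not code from Nikkei, the JGSDF, or any vendor mentioned in the article: it walks a mounted drive, records a SHA-256 for every file so the inventory can be compared against what the supplier says should be on the stick, and flags the artifacts that let a drive launch code with no user action (an autorun.inf with an open= or shellexecute= directive, shortcut and script files, and executables disguised with a document extension). The indicator lists, the sample drive contents, and the verdict labels are all assumptions chosen for illustration; the sample drive is constructed in a temporary directory and contains placeholder text, not real malware.

```python
"""Triage of a mounted removable drive on an isolated scanning station.

Added example (not from the Nikkei report or the JGSDF). Hashes every file for
allowlist comparison and flags the artifacts that let a USB stick run code
without user interaction. Indicator lists and sample contents are assumptions.
"""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass, field

# File types that can execute or launch something when opened (assumed list).
LAUNCHABLE_EXT = {".exe", ".scr", ".com", ".dll", ".lnk", ".vbs", ".js",
                  ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
# Document/image extensions commonly placed before an executable one as a decoy.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


@dataclass
class Finding:
    path: str     # path relative to the mount point
    reason: str   # why the file was flagged
    sha256: str   # hash to look up in an allowlist or share with incident response


@dataclass
class TriageReport:
    files_seen: int = 0
    hashes: dict = field(default_factory=dict)    # relpath -> sha256 of every file
    findings: list = field(default_factory=list)  # list[Finding]

    @property
    def verdict(self) -> str:
        return "QUARANTINE" if self.findings else "CLEAN"


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large media does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def autorun_launch_targets(path: str) -> list:
    """Return the programs an autorun.inf asks the host to run (open= / shellexecute=)."""
    targets = []
    with open(path, "r", errors="replace") as f:
        for line in f:
            key, _, value = line.strip().partition("=")
            if key.strip().lower() in ("open", "shellexecute") and value.strip():
                targets.append(value.strip())
    return targets


def reasons_for(name: str, full_path: str) -> list:
    """All indicator reasons that apply to one file; empty list means nothing suspicious."""
    lower = name.lower()
    stem, ext = os.path.splitext(lower)
    _, inner_ext = os.path.splitext(stem)   # second-to-last extension, e.g. ".pdf" in "x.pdf.exe"
    reasons = []
    if lower == "autorun.inf":
        for target in autorun_launch_targets(full_path):
            reasons.append(f"autorun.inf launch directive -> {target}")
    if ext in LAUNCHABLE_EXT:
        if inner_ext in DECOY_EXT:
            reasons.append("executable disguised with a document extension")
        else:
            reasons.append(f"launchable file type {ext}")
    if name.startswith("."):
        reasons.append("hidden (dot-prefixed) file")
    return reasons


def triage_removable_media(mount_point: str) -> TriageReport:
    """Hash every file under mount_point and collect findings; never opens files for execution."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(mount_point):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mount_point).replace(os.sep, "/")
            digest = sha256_of(full)
            report.files_seen += 1
            report.hashes[rel] = digest
            for reason in reasons_for(name, full):
                report.findings.append(Finding(rel, reason, digest))
    return report


def build_constructed_sample(root: str) -> None:
    """CONSTRUCTED stand-in for a counterfeit stick: placeholder text only, no real binaries."""
    os.makedirs(os.path.join(root, "photos"), exist_ok=True)
    files = {
        "autorun.inf": "[autorun]\nopen=setup.exe\nicon=setup.exe\n",
        "setup.exe": "MZ placeholder, not a real program",
        "photos/IMG_0001.jpg": "placeholder, not really an image",
        "photos/report.pdf.exe": "placeholder with a decoy double extension",
        "README.txt": "plain text file that should not be flagged",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(content)


def demo() -> TriageReport:
    """Run the triage against the constructed sample drive and return the report."""
    with tempfile.TemporaryDirectory() as mount:
        build_constructed_sample(mount)
        return triage_removable_media(mount)


if __name__ == "__main__":
    # Usage on the isolated station: python triage.py /media/usb-under-test  (path is an assumption)
    result = triage_removable_media(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(f"{result.files_seen} files hashed, verdict: {result.verdict}")
    for item in result.findings:
        print(f"  {item.path}: {item.reason} (sha256 {item.sha256[:16]}...)")
```

The hash inventory is the part that addresses the article's supply-chain angle: a stick from a trusted vendor has a known set of files, so anything extra, or any file whose digest differs from the expected one, is a reason to quarantine regardless of whether a signature-based scanner recognises it. The indicator checks are a second, cheaper layer and are deliberately conservative (a flagged file is a reason for a human to look, not proof of infection); a real station would add the organisation's own allowlist and a dedicated malware scanner behind this step.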