Why Japan Is Suddenly Absorbing the World’s Spare Cyber Capacity
Japanese organisations faced an average of 1,231 cyberattacks per week in 2025. In the first quarter of 2026, that number is climbing — and the operators behind it have changed.
Russian and Chinese actors are now driving the volume. Iran-aligned activity, dominant through late 2025, has pulled back into regional retaliation. The capacity, infrastructure, and access broker pipelines do not stay idle. They redirect. Right now, they are redirecting at Japan.
This post lays out what the data shows, why the shift is happening, and what Japanese security teams should look at first.
The baseline: Japan was already a top-tier target
Japan’s National Cyber Director Yoichi Iida said it plainly in late 2025: Japan still lags the US and Europe on cyber defence. The numbers back him up.
Japanese organisations dealt with an average of 1,231 cyberattacks per week in 2025. Government-reported incidents more than doubled in 2024 to at least 447, per Nikkei Asia data. Personal data breach reports hit over 21,000 cases in fiscal year 2024 — a 58% year-on-year increase.
Forescout’s threat actor knowledgebase tracks 68 actors targeting Japan: 38% Chinese, 31% Russian, 4% North Korean. The same analysis identified almost 17 million internet-accessible devices in Japan, including VPN routers with exposed management interfaces. The attack surface was already wide open before 2026 added pressure to it.
What changed in Q1 2026
Three shifts have stacked on top of each other.
Ransomware against Japanese organisations has scaled. Cisco Talos counted 134 ransomware incidents against Japanese organisations in 2025 — a 17.5% year-over-year increase. Manufacturing took 28% of the hits. Qilin alone was responsible for 16.4% of all incidents, four times more than the next group. In Q1 2026, Anabuki Housing Service in Japan became the largest single reported breach of the quarter at 496,000 people affected. Qilin claimed 240 GB stolen. The same quarter saw Nagoya Port Authority hit and a $100 million ransom demanded against Nippon Medical School Musashi Kosugi Hospital — the largest demand of the quarter.
Russia-linked and China-linked operations are stepping up. Japan’s December 2025 five-year Cybersecurity Strategy named China, Russia, and North Korea as “serious threats” — direct language Japanese government documents rarely use. China-linked MirrorFace, an APT10 subgroup, has been linked by Japan’s NPA and NISC to over 200 cyber incidents against the Ministry of Foreign Affairs, the Ministry of Defense, JAXA, semiconductors, and aerospace. China-linked operators are also moving faster: the Storm-1175 group deploys Medusa ransomware in under 24 hours using zero-day exploits, compressing the entire attack lifecycle into a single business day. On the Russian side, NoName057(16) runs destabilising DDoS and Sandworm runs espionage against Japanese energy and transport. Akira, a Russian-speaking ransomware operator that emerged from the Conti diaspora, remains active globally and is one of the operator brands carrying surplus capacity into new regions.
Iran-aligned activity has redirected. Since late February 2026, cybercrime across North America, Europe, and parts of Asia-Pacific has jumped 245%. Iran-aligned groups stayed close to home for retaliation. Russian and Chinese proxy infrastructure is carrying most of the surge. GuidePoint’s Q1 2026 report describes the result as an elevated “new normal” in ransomware volumes, with the same operators picking new targets.
The total amount of offensive capacity in the world has not increased. Where it points has changed. Japan got a bigger share.
Why Japan, and why now
Three factors put Japan at the top of the reallocation list.
Geopolitical positioning. Tokyo is a G7 member, a US treaty ally, and an active sanctioner of Moscow since the 2022 invasion of Ukraine. The Kuril Islands dispute and Japan’s sanctions regime keep Japan on Russia’s target list. Japan’s role in the US-Japan-Taiwan strategic triangle keeps it permanently in scope for Chinese operations.
Defensive maturity gap. The Japanese cybersecurity market grew to USD 11.4 billion in 2026, projected to reach USD 19 billion by 2031. That growth is not a sign of a healthy market. It is a sign that Japanese organisations are spending more because they have to. A Board of Audit report found 16% of national and local government IT systems vulnerable to attack. Talos’s Japan analysis identified small and medium enterprises as 57% of ransomware victims — a long tail of under-defended targets feeding into high-value supply chains.
Long recovery times. Asahi Holdings spent more than two months recovering from ransomware before disclosing a possible breach affecting 1.9 million people. Online retailer Askul took six weeks to resume corporate orders. Muji’s online sales went down as collateral damage. Threat actors pick regions where recovery is slow and resilience gaps are predictable. Japan currently fits that description.
Japan is responding. The window is open until October.
The Japanese government has read the same data. The Active Cyber Defense Acts, passed in May 2025 and in force in 2026, introduce mandatory incident reporting for critical infrastructure operators and authorise the government to monitor communications and counter-access hostile servers. From October 1, 2026, the Self-Defense Force will conduct offensive cyber operations. Chief Cabinet Secretary Minoru Kihara called it “the most complicated national security environment” Japan has faced since World War II.
The six months between now and October are the period adversaries have every reason to extract maximum value before Japan’s posture hardens. CybelAngel’s REACT (Research and Analysis of Cyber Threats) analysts are seeing exactly that pattern in deep, dark, and open web sources right now: elevated credential exposure, more initial access broker listings naming Japanese targets, and increased reconnaissance against Japanese assets.
What Japanese security teams should do now
Three priorities follow from the data.
Watch credential exposure continuously. Talos’s Qilin analysis confirmed the group takes initial access from credentials sourced on Telegram, BreachForums, and similar platforms. The window between credential theft and ransomware deployment is where dark web monitoring earns its keep. Catching credentials there is the single highest-leverage defensive action available.
Treat your external attack surface as the front line. Across the documented Chinese campaigns against Japan, the recurring initial access vectors are exposed VPNs, misconfigured routers, and unpatched edge devices. That is the same attack surface Forescout flagged: 17 million internet-accessible Japanese devices, including VPN routers with exposed management interfaces.
Map your supply chain blast radius. Asahi to Askul to Muji is the template for how a single Japanese ransomware incident now propagates. Third-party risk is no longer hypothetical. Map who depends on you, who you depend on, and what happens to both if either one stops responding.
CybelAngel scans the visible, deep, and dark webs plus connected storage devices. Our analysts verify what they find, hand off the alerts that matter, and run the takedowns themselves. If you want to see what is exposed for your organisation in the same sources Russian and Chinese operators are shopping in right now, request a demo and talk to an analyst.
Frequently Asked Questions
Russian and Chinese threat actors are redirecting offensive capacity toward Japan as Iran-aligned activity contracts into regional retaliation. Japan’s geopolitical positioning, the gap between target value and defensive maturity, and long ransomware recovery times make it the obvious destination for that reallocation.
Chinese actors lead by volume, particularly MirrorFace (APT10 subgroup), linked to over 200 incidents by Japan’s NPA and NISC. Russian actors include NoName057(16) for DDoS and Sandworm for espionage. Qilin is the dominant ransomware operator targeting Japan, accounting for 16.4% of incidents in 2025.
Manufacturing accounts for 28% of ransomware victims in Japan. Automotive, trading companies, IT, and education follow. Government, defence, and aerospace are the primary focus of Chinese state-aligned espionage.
The Active Cyber Defense Acts, in force in 2026, introduce mandatory incident reporting for critical infrastructure. From October 1, 2026, the Self-Defense Force is authorised to conduct offensive cyber operations against attacking infrastructure.
Continuous credential exposure monitoring, external attack surface management of internet-facing assets, and supply chain visibility. Those three cover most of what the current threat profile is exploiting.
