The Most Active Hacker Groups in Japan

Cyber breach is a primary concern all over the world. Hackers can leak vital information, steal funds, and even cause businesses to shut down. The global rate of cyberattacks is still rapidly increasing, including in Japan. 

Hackers are a significant threat to businesses, both large and small. Many companies worry about their data safety, and rightfully so. However, with hackers increasingly targeting enterprises of all sizes, executives must be aware of these dangers and take precautions to protect their businesses from these threats.

Aside from businesses, hacker groups have also terrorized government organizations in Japan for the last couple of years. Some hacker groups are activists fighting for a political cause, while others are for monetary gain. Regardless of the reason, hacker groups can successfully infiltrate computer systems and disrupt different organizations. They typically get a target first and search for loopholes to gain access. 

This article will discuss the most active hacker groups that attacked Japan. Read on.

The Most Active Hacker Groups in Japan

Honker Union

Honker Union is a hacktivist group. They carried out numerous attacks on US and Japanese government websites, including the White House and the Japanese prime minister’s office. 

The term ‘Honker Union’ was first used to refer to a group of people in China who hacked Korean government websites in protest against Japanese hackers’ hacking of Korean government websites in 2011. 

1n 2012, Honker Union surprised Japan with a series of attacks that left dozens of Japanese websites defaced, inaccessible, and some even knocked offline for several hours.

Since its founding, Honker Union has been a threat to the government, yet highly acclaimed by the general public. Their cyber-attacks peaked after the Japanese government’s controversial purchase of the Senkaku Islands, an island group claimed by Japan and China. However, the most stunning incident occurred after a series of large-scale DDoS attacks resulting in Japan’s Finance Minister Kōno Ichirō declaring a temporary freeze on Tokyo stock exchange trading.

The group claimed on numerous occasions that it was behind the hacking attacks against Japanese companies and government agencies, such as Japan Airlines and Japanese public broadcaster NHK. 

Honker Union has launched successful distributed denial of service (DDoS) attacks on many Japanese organizations, including the Japanese Cabinet Office’s website and other governmental sites. They also defaced or hijacked many private companies’ websites and infected them with malicious code.

The group also conducted attacks on government and commercial websites in the United States and other western countries. Moreover, they were reportedly responsible for defacing and crashing the White House official website on October 1, 1999, after US President Bill Clinton formally acknowledged China’s sovereignty over Hong Kong. 


Tick has been active since 2007 and follows a familiar pattern of attacking Japanese organizations in the critical infrastructure, manufacturing, heavy industry, and international relations sectors. 

The group has targeted intellectual property related to technology and development, business and sales information, emails and meeting schedules, product specifications, and network and system configuration files.

Tick (AKA ASN, CosmicDuke, MiniDuke, SeaDaddy, SeaDuke) targets Japan and other countries. 

The threat actor may have been active for more than a decade before Symantec discovered it in 2016. Tick typically uses several malware families built from scratch with no known code base. In addition, researchers believe Tick may occasionally sell spyware on the underground market to supplement its income.   

With a combination of an automated botnet and compromised credential-based attacks, Tick spreads to thousands of systems in a matter of hours. Its modus operandi includes using a downloader called Gofarer and a data-stealing Trojan dubbed Daserf.

The group uses victims’ compromised servers as download servers to host malicious files. It has continued to be active since its first discovery, despite multiple findings by different researchers.

Tick continues to target companies in the aerospace and defense sector based in Japan. It has compromised several organizations by targeting victims with spear-phishing emails, watering hole attacks, and a zero-day vulnerability affecting a popular Japanese corporate tool.

In 2021, the Japan National Police Agency linked the Chinese Military to Tick. The group has launched attacks on over 200 Japanese companies and organizations since at least 2016. Officials in Japan believe that the Chinese military instructed Tick to perpetuate those cyber attacks. Tick’s cyber hack attacks on Japanese companies, including Toyota Motor Corps. While the number of assaults has risen since 2016, the average number of targets has fallen.


The Anonymous hacktivist group is a worldwide organization of hackers, activists, and computer experts. They were initially formed in 2003 by 4Chan— an online community. Their protests target organizations that they believe are corrupt or dishonest. The Anonymous hacktivist group uses its skill to bring awareness to these hidden stories and punish organizations for unethical behavior. Its members’ skills work for good and evil— from bringing down governments’ internet sites to leaking confidential documents. 

After the Japanese government resumed whale hunting, even though a court decision said it was illegal, Anonymous targeted Japanese car manufacturer Nissan with a cyberattack. It was one of its most significant cyberattacks, and it was in protest of Japan’s whale hunting in the Antarctic. Nissan’s global web masts and its Japanese branch were both assaulted. Anonymous ran the attacks under the name ‘Operation: Real-World Distributed Denial of Service.’

Anonymous was behind a series of cyberattacks on Japanese websites in protest against the annual dolphin hunts. In addition, the group launched various DDoS attacks on government offices, websites, and infrastructure operators like airports. A DDoS attack aims to make infrastructure or devices unavailable to users or customers and sometimes even intended targets. 

Anonymous also launched an attack on Tokyo’s Narita airport, forcing it to go offline. The group used a Distributed Denial of Service flood, which sent more requests to the website than it could handle. As a result, it slowed down internet performance, rendering the website unusable.

 The no-leader hacker group claims to represent absolute freedom, democracy, and the betterment of humanity. Its Guy Fawkes mask has become an international symbol for Anonymous.

Cicada (APT 10)

The latest cyber attack group targeting government agencies, corporations, and research facilities in Japan has been named the Cicada. Since 2013, attackers behind these operations have targeted Japanese organizations, including automotive manufacturers, trading companies, and electronics companies. The attackers communicate with their targets using email, file transfer protocol (FTP), and web forums. They then use social engineering methods to coax targets into opening malicious attachments or clicking links.

“Cicada” (APT10) is behind a recent digital campaign against Japanese companies and organizations in 17 countries worldwide, where they are operating offices. Cicada operators are known for finding and using even the most obscure vulnerabilities to target users, mainly in Japan and South Korea. 

The hacking gang, known to be possibly connected to the Chinese government, reportedly used an advanced form of malware called Backdoor.Hartip to infiltrate numerous entities to steal large amounts of sensitive data for one year.

Hartip malware is custom malware used to target Japanese corporate and governmental interests headquartered internationally. Hartip can drop additional files and has proven to have a modular architecture consisting of at least six versions. Cicada launched a year-long campaign attack from 2019 to 2020 using this vulnerability. 

Cicada makes use of a multi-stage process to infect victims, turning their systems into zombies in an infection process akin to a worm. Infection occurs through tools readily available on the compromised host’s system.  

Vendors have patched some vulnerabilities, but it could still mean trouble for an organization without a robust patch management process. 

The group features advanced capabilities, including locking entire disk drives with full disk encryption on physical attacks and code signing certificate theft on their C2, intricate lateral movement, and even virtual machine detection. 


APT40 is an advanced persistent threat that has been active since at least 2009. It has targeted governmental organizations, companies, and schools in different countries.

Advanced persistent threat (APT) defines a cyber-attack by a well-resourced and organized group that can continually execute actions against a targeted entity over an extended period. The highly sophisticated Chinese hackers known as APT40 targeted Japan on numerous occasions.

APT40 uses spear-phishing emails as the primary delivery mechanism for the malware it uses. 

In January 2017, a security company based in Japan got infected with malware due to a phishing campaign; most customers were affected. 

APT40 had orchestrated the campaign by targeting companies whose employees later received phishing emails with malicious links or attachments.   

The APT40 cyber group aggressively attacked high-profile targets and infiltrated computer systems by leveraging file-less malware, lateral movement, multi-stage malware frameworks, and pre-defined remote administration tools.

This threat group used various characteristics, methods of operation, and tools. But APT40 has a pattern that shows it will continue to target organizations involved in maritime industries— including shipping, engineering, and defense technologies.

Based on their known targets, TTP, and attack patterns, CrowdStrike Intelligence assesses with very high confidence that the Chinese state-sponsored actor APT40 is responsible for these attacks.

The group has shown keen interest in Southeast Asia. It targeted organizations involved in the pushback by some states against the Chinese government’s maritime agenda, especially claims to marine territory in the South China Sea. In addition, organizations with connections to the Thailand election and organizational operations are also targets.

Prominent Attack Methods by Hacker Groups

Here are some attack methods frequently used by hacker groups. 

Distributed Denial-of-Service (DDoS) 

A DDoS attack works by flooding the target’s server with requests, making it unable to respond to actual users’ requests. It occurs through a botnet—a network of computers infected by malware or spyware and controlled remotely by attackers.

During a denial-of-service (DoS) attack, an attacker tries to overload a local network or internet connection with traffic to shut down a particular computer network or website. 

Phishing Attack

Phishing is an attempt by an attacker to trick a victim into revealing their data, such as user name, passwords, and credit card information. It works by gaining the trust of its intended victim through means of impersonation or forwarding email. Unfortunately, phishing is quickly becoming the most common way criminals gain access to confidential personal and financial data. So it’s essential to know how it works and what you can do to defend yourself against this threat.

Man-in-the-Middle Attack 

A man-in-the-middle attack occurs when a malicious agent (hacker) plants him or herself between you and another person, network server, or website. A man-in-the-middle attack can redirect your communications or intercept your data and conversations, allowing the hacker to steal information from you or impersonate you.


Cybercrime is growing in Japan, with hacking groups leveraging vulnerabilities to launch attacks. Moreover, they still occur at an alarming rate of about 150,000 a day. These attacks have caused chaos and substantial financial hit to some businesses. Although Organizations can’t eradicate the risk of hacker group attacks outrightly, they can invest in cybersecurity software to prevent them.