A cat leads to a notorious death threat hacker finally being caught and jailed in Japan.
# Incident Report: Notorious Japanese Cat-Based Cyber Trolling and Threat Campaign
## Executive Summary
A cybercriminal operating under the alias "Oni Koroshi" (Demon Killer) ran a campaign from 2012 in which he infected members of the public's PCs across Japan with a remote-control trojan and used them to post hoaxes, bomb threats and death threats. The posts caused significant public disruption and led police to arrest four innocent PC owners from whose IP addresses the posts had come. The attacker taunted police and media throughout, and was finally identified after riddles he sent led investigators to a cat wearing a collar that held an SD card with evidence.
## Incident Details
- **Discovery Date:** Threats began appearing in 2012; the cat/SD card clue that identified the suspect surfaced in early 2013.
- **Incident Date:** 2012 through early 2013.
- **Affected Organization:** Multiple public bodies, schools, Japan Airlines (JAL), and the Japanese police and media (as recipients of taunts and riddles).
- **Sector:** Public safety / cybercrime.
- **Geography:** Japan (including Osaka, Yokohama, Tokyo and Narita).
## Timeline of Events
### Initial Access
- **Date/Time:** Starting in 2012.
- **Vector:** Trojan-horse malware distributed to members of the public.
- **Details:** The attacker infected victims' PCs across Japan with a remote-control trojan and issued the threatening posts through those machines, so each post carried an innocent owner's IP address.
### Lateral Movement
- No lateral movement inside any victim network is described. The malware's role was to turn each infected PC into a remote proxy from which the attacker posted threats; the spread was from one member of the public to the next, not across an organization.
### Data Exfiltration/Impact
- **Details:** The direct impact was the dissemination of terroristic hoaxes: threats against public buildings, against students (including grandchildren of Emperor Akihito), a mass-murder threat in Osaka, and a bomb threat against a JAL flight. No theft of victim data is recorded.
### Detection & Response
- **How it was discovered:** The threats themselves were the signal: a high volume of posts on public message boards and messages sent directly to targets and media.
- **Response actions taken:** Police arrested four people because the threats had been posted from their IP addresses; some confessed under questioning, and those confessions were later shown to be false. All four were cleared when the real attacker kept posting and taunting investigators. Police eventually offered a ¥3m reward. The breakthrough came from deciphering riddles the attacker sent, which led to a cat on Enoshima island carrying an SD card.
## Attack Methodology
- **Initial Access:** Trojan-horse infection of members of the public's PCs.
- **Persistence:** Not detailed, but the same compromised machines were used for later threats, which implies the trojan remained resident.
- **Privilege Escalation:** Not described; the trojan only needed enough access to make outbound web posts from the victim's machine.
- **Defense Evasion:** Posting through compromised PCs made their owners the apparent authors and led to four wrongful arrests; the attacker also taunted police to discredit the investigation. A Tor client was later found on the suspect's own machines.
- **Credential Access:** Not specified.
- **Discovery:** Not detailed for victim systems. The riddles and taunts sent to police and media were misdirection aimed at investigators rather than reconnaissance.
- **Lateral Movement:** Not specified beyond the spread of the infection itself.
- **Collection:** Not detailed. The target details in the threats (schools, locations, a flight) could have come from public sources; no collection of data from victims is recorded.
- **Exfiltration:** None of the victims' data is known to have been taken. The outbound traffic of note was the threats themselves, sent from compromised PCs to public forums and media.
- **Impact:** Widespread fear, a JAL flight forced to turn back, significant police resources tied up, and four wrongful arrests.
## Impact Assessment
- **Financial:** JAL incurred over ¥9m loss due to the aborted flight. A ¥3m bounty was offered.
- **Data Breach:** No exfiltration of data from victims' PCs is confirmed. The threats named specific targets (students, locations, a flight), which could reflect either reconnaissance from the compromised machines or research on public sources.
- **Operational:** Significant operational disruption, including the forced return of a JAL flight and massive police investigation resources diverted.
- **Reputational:** Significant reputational damage to the Japanese police force due to repeated investigative failures and false arrests.
## Indicators of Compromise
- **Network indicators:** A Tor client on the suspect's own machines. This is an investigative lead on the attacker's side, not a sign of compromise on a victim system; the posts seen by forums carried the IP addresses of the infected PCs.
- **File indicators:** The remote-control trojan installed on victims' PCs; no file names or hashes are recorded in this report.
- **Behavioral indicators:** Taunts and riddles sent to police and media; threats posted from third-party PCs whose owners had no connection to the targets.
## Response Actions
- **Containment measures:** The early arrests contained nothing, since the four people held were not the attacker and the posts continued. Effective containment only came with the identification of the real culprit.
- **Eradication steps:** The culprit, Yusuke Katayama, was identified via the cat-and-SD-card clue; his home was searched and ten computers were seized.
- **Recovery actions:** The threats stopped after the suspect's arrest.
## Lessons Learned
- A source IP address identifies a device, not a person. When remote-control malware is in play, attributing a post to the owner of the machine it came from, or treating a confession extracted on that basis as corroboration, produces wrongful arrests.
- Every lead needs to be followed, including the outlandish ones; the riddles pointing to a cat on an island are what finally broke the case.
- Police need procedures that check whether a suspect's machine was itself compromised before charging, to avoid the public failures this case produced.
## Recommendations
- Build forensic and malware-analysis capability to examine a suspect's PC for remote-control malware and to trace the malware's command channel back toward the real operator, rather than stopping at the IP address of the posting machine.
- Review interrogation and confession protocols so that statements taken from people whose only link to a post is their infected PC are not treated as reliable.
- Monitor for and take seriously threat actors who engage directly with law enforcement and media; their communications (here, the riddles) can carry the evidence that closes the case.
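As an added example that is not part of the original report, the following Python triage check illustrates the attribution lesson above and the first recommendation: before treating the owner of a PC as the author of a post, correlate the forum's record of the post with the PC's own process and network timeline and see which process actually reached the forum at that moment. The log formats, the file name `svchost_update.exe`, the IP addresses and the timestamps are all constructed for this illustration and do not come from the case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not case evidence): the forum's access-log entry
# for the threatening post. 203.0.113.7 is the public address of the PC whose
# owner was accused.
POST_LOG = "2012-06-29T15:42:10 203.0.113.7 POST /bbs/write.cgi board=osaka"

# Constructed sample input: a process/network timeline exported from that PC.
# The line layout is a hypothetical tool format; 'svchost_update.exe' is a made-up
# name standing in for a remote-control trojan dropped into the user's Temp folder.
TIMELINE_REMOTE_CONTROL = """\
2012-06-29T15:40:55 PROCESS_START pid=4120 image=C:\\Windows\\explorer.exe
2012-06-29T15:41:02 PROCESS_START pid=4388 image=C:\\Users\\owner\\AppData\\Local\\Temp\\svchost_update.exe parent=4120
2012-06-29T15:42:09 NET_CONNECT pid=4388 dst=198.51.100.20:80
2012-06-29T15:42:11 NET_CONNECT pid=4388 dst=198.51.100.20:80
2012-06-29T15:50:31 PROCESS_START pid=4402 image=C:\\Program Files\\Internet Explorer\\iexplore.exe parent=4120
2012-06-29T15:50:40 NET_CONNECT pid=4402 dst=192.0.2.44:443
"""

# Constructed control case: the owner's own browser was the process that
# reached the forum at posting time.
TIMELINE_OWNER_BROWSER = """\
2012-06-29T15:40:55 PROCESS_START pid=4120 image=C:\\Windows\\explorer.exe
2012-06-29T15:41:30 PROCESS_START pid=4402 image=C:\\Program Files\\Internet Explorer\\iexplore.exe parent=4120
2012-06-29T15:42:09 NET_CONNECT pid=4402 dst=198.51.100.20:80
"""

FORUM_ADDRS = {"198.51.100.20"}            # what the forum name resolved to then (constructed)
KNOWN_BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
WINDOW = timedelta(seconds=30)             # tolerance between forum clock and endpoint clock

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>PROCESS_START|NET_CONNECT) pid=(?P<pid>\d+) (?P<rest>.*)$")
IMAGE_RE = re.compile(r"^image=(?P<image>.+?)(?: parent=(?P<parent>\d+))?$")
DST_RE = re.compile(r"^dst=(?P<ip>[\d.]+):(?P<port>\d+)$")


def parse_post_time(line):
    """Timestamp of the post as recorded by the forum (first field of the log line)."""
    return datetime.fromisoformat(line.split()[0])


def parse_timeline(text):
    """Parse the constructed timeline format into a list of event dicts.

    Image paths may contain spaces, so the tail of each line is matched with a
    dedicated regex instead of being split on whitespace.
    """
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"], "pid": int(m["pid"])}
        if ev["kind"] == "PROCESS_START":
            ev["image"] = IMAGE_RE.match(m["rest"])["image"]
        else:
            ev["dst_ip"] = DST_RE.match(m["rest"])["ip"]
        events.append(ev)
    return events


def processes_talking_to_forum(events, post_time, forum_addrs, window=WINDOW):
    """PIDs that opened a connection to the forum within +/- window of the post."""
    return {e["pid"] for e in events
            if e["kind"] == "NET_CONNECT"
            and e["dst_ip"] in forum_addrs
            and abs(e["ts"] - post_time) <= window}


def image_for(events, pid):
    """Executable path recorded for a PID, or None if no start event was captured."""
    for e in events:
        if e["kind"] == "PROCESS_START" and e["pid"] == pid:
            return e["image"]
    return None


def assess_attribution(post_log, timeline_text, forum_addrs=FORUM_ADDRS):
    """Decide whether the PC's owner can plausibly be treated as the poster.

    Returns a dict with a 'verdict' and the processes that reached the forum:
      owner_browser_posted     - only a known browser talked to the forum
      remote_control_suspected - an unrecognised (or unidentified) process did
      no_endpoint_evidence     - nothing on the PC reached the forum at that time
    """
    post_time = parse_post_time(post_log)
    events = parse_timeline(timeline_text)
    pids = processes_talking_to_forum(events, post_time, forum_addrs)
    if not pids:
        return {"verdict": "no_endpoint_evidence", "processes": []}
    procs = [{"pid": p, "image": image_for(events, p)} for p in sorted(pids)]
    suspicious = [p for p in procs
                  if p["image"] is None
                  or p["image"].rsplit("\\", 1)[-1].lower() not in KNOWN_BROWSERS]
    verdict = "remote_control_suspected" if suspicious else "owner_browser_posted"
    return {"verdict": verdict, "processes": procs}


if __name__ == "__main__":
    for label, tl in (("infected PC", TIMELINE_REMOTE_CONTROL), ("owner's browser", TIMELINE_OWNER_BROWSER)):
        print(label, "->", assess_attribution(POST_LOG, tl))
```

The verdict is a triage result, not a proof in either direction: `owner_browser_posted` only says that nothing other than a recognised browser reached the forum in the window, and `no_endpoint_evidence` may simply mean the relevant logging was not enabled. Its value is that `remote_control_suspected` stops the investigation from resting on the source IP and a confession, which is exactly where this case went wrong.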