July 5, 2024 (JST)

Japan Aerospace Exploration Agency

 The Japan Aerospace Exploration Agency (JAXA) reports the status of its response to the compromised information caused by unauthorized access last year.

 In October last year, based on a notification from an external organization, JAXA recognized unauthorized access to internal servers on the JAXA's network (hereinafter referred to as "the incident"). While JAXA immediately took initial measures, such as blocking all malicious communication, we also launched the investigation in cooperation with expert organizations and security vendors to understand the incident, developed countermeasures, and implemented them.

 The attachment provides an overview of the incident. JAXA confirmed that some of the information we manage (related to activities with external organizations and personal information) was compromised.

 We sincerely apologize for any inconvenience to those affected by this incident.

 While we cannot disclose the details of information that was compromised due to the nature of our relationship with third parties, we apologized and notified the affected individuals and partners. As of now, JAXA has not received any reports of significant disruption to the activities of those involved. We sincerely regret any inconvenience this incident may have caused.
 Although JAXA does not see the severe impact on our activities, including cooperation with domestic and international partners, by the incident, we take it very seriously as a matter that could potentially harm relationships of trust, and we will strengthen our measures to prevent a recurrence.

 Although a few instances of unauthorized access occurred in 2024, JAXA confirmed that they did not involve any compromise of information. Those unauthorized access, including the incident last year, targeted VPN devices.

 JAXA has already implemented short-term measures, such as establishing a system to promptly respond to vulnerabilities, and developed permanent measures to further enhance security. We are currently materializing these permanent measures and will continue to strengthen our information security measures in the future.

Overview of the Incident

1. JAXA's Response
 Based on a notification from external organizations, JAXA immediately took initial actions, such as blocking all malicious communications and disconnecting all the compromised servers and computers from the JAXA network. Then, we engaged a security vendor to investigate the signs of the compromise and analyze all the compromised servers and computers. We discovered malwares and removed them, as well as implemented emergency measures to mitigate potential risks, including enhancing the monitoring of internal communications.
 In addition, since we found the possibility of unauthorized access to Microsoft 365 ("MS365") during the investigation, a specialized team from the Microsoft corporation investigated and confirmed that no further breaches had occurred.
 Throughout the implementation of these measures, JAXA has been working closely with external organizations. This includes cooperation with the police, the JPCERT Coordination Center, the Information-technology Promotion Agency (IPA), and other expert organizations. We have been actively reporting and sharing information with them, including unauthorized communication destinations and malwares.

2. Scope of Compromise
 JAXA identified the scope of compromise based on the initial investigation, the investigation by the security vendor and Microsoft, and the analysis by JAXA. In addition, we confirmed that the attacker used multiple unknown malwares, making it difficult to detect the unauthorized access.

1. (i) the attacker likely exploited a vulnerability in a VPN device to gain the initial access to JAXA's internal servers and computers. It is highly likely that the previously announced vulnerability was exploited.
2. (ii) the attacker further expanded the scope of unauthorized access and compromised JAXA's user account information.
3. (iii) the attacker illegally accessed JAXA's MS365 services with the account information it obtained.

3. Compromised Information
 As a result of the incident, some information (including personal information of JAXA employees, etc.) stored on the compromised JAXA servers and computers may have been breached. In addition, we confirmed that some of the information managed on JAXA's MS365 service (related to activities with external organizations and personal information) were compromised. We have already explained and apologized to those affected. The information systems and networks compromised in this incident do not handle sensitive information related to launch vehicles and satellite operations.

4. Countermeasures
 In response to this incident, we implemented short-term measures, such as establishing an operation to respond to vulnerabilities promptly and strengthening the monitoring of internal communication. In addition, JAXA developed permanent measures to further enhance security, such as enhancing monitoring of the entire network and endpoints, improving remote access methods, increasing the efficiency and visibility of operational management, and enhancing anti-spoofing measures. We are currently in the process of materializing these permanent measures.
 In the course of taking the above measures and strengthening monitoring, we have detected and responded to multiple unauthorized accesses to JAXA's network since January of this year (including zero-day attacks), though no information was compromised.

5. Future Efforts
 As cyber-attacks become increasingly sophisticated and countermeasures constantly evolve, JAXA is firmly aware of the need for prompt and appropriate security responses and plans to steadily implement short-term and permanent measures in response to this incident. JAXA will further strengthen information security in cooperation with related organizations, including expert organizations.

For inquiries regarding personal information, please contact the following: