Photo/Illustration: Some of the folder names of the leaked information obtained through a VPN security breach (Tatsuya Sudo)

Stolen virtual private network (VPN) login information from roughly 900 companies from Japan and abroad was uploaded in June and July to a website used by Russian hacking groups.

Login information from at least 50 companies and educational institutions in Japan was among the data, an Asahi Shimbun analysis found.

A security defect in the VPN allowed the hackers to gain access to the data, a problem that could easily become more common as more people work from home due to the novel coronavirus pandemic and use VPNs to connect to their office computer networks.

A possible security breach in the VPN provided by U.S.-based Pulse Secure was first reported in summer 2019 by a computer security expert abroad, according to the Japan Computer Emergency Response Team (JPCERT) Coordination Center.

The report said defects in VPNs used in close to 1,500 computers in Japan had not been addressed.

The breach allowed hackers to steal usernames and passwords to log in to the organization’s computer network.

JPCERT then began searching for organizations in Japan with the vulnerable equipment and corrected the problem for all but 298 computers by March 2020.

“Some of the data that leaked in the latest case appears to have come from some of those 298 computers,” Tetsuya Mizuno of JPCERT said.

The leaked data was uploaded in June and July to an internet site often used by Russian hacking groups. There were signs that some of those who posted the data received cryptocurrency in exchange for their work.

Companies that responded to questions from the Asahi could not confirm that their computer networks had been breached.

The data posted to the site may have been released by hackers because it was essentially useless to them as the affected companies had taken various measures to strengthen security, one cybercrime expert speculated.

The Russian hacking group likely involved in stealing the data has been engaged in criminal activity for monetary gain since roughly 2009. 

The cybercrime expert said the hackers may have obtained the VPN login information in order to enter a company’s computer network.

While Mitsubishi Electric Corp. was not one of the companies from which data was stolen in the latest case, the leaking of confidential military information in March 2019 from that company also was connected to a VPN security breach, according to sources.

The hack of Mitsubishi Electric’s data center in China occurred about two months before the VPN service provider acknowledged a defect.

But that cyberattack was apparently engineered by a group of Chinese hackers.

Meanwhile, more companies in Japan may be vulnerable to having their VPNs hacked because of the wider use of them by employees working from home.

After the central government declared a state of emergency in April over the COVID-19 pandemic, the phenomenon of a "VPN morning rush hour" began occurring, an official at one major company said.

Because a large number of employees tried to log in at the same time in the morning, some took up to 30 minutes to receive certification of a secure connection.

“Top management ordered that something be done immediately, so rather than the normal practice of conducting security tests before installing the VPN, we went out and bought it through Amazon,” a source at the company said.

And while the latest leak involved a VPN provided by Pulse Secure, other providers may have vulnerabilities as well.

A security expert at IBM Japan Ltd. said a more comprehensive approach to security measures was needed.

Masatsugu Koketsu, who heads the company's Security Operations Center, said those working from home should not feel assured just because they have installed anti-virus software and leave everything about the connection to the company server to the VPN.

“People should adopt a mindset of ‘zero trust’ and be aware that illegal access may be possible at any time,” Koketsu said. “The only course is to implement a comprehensive set of measures” against the threat.

(This article was written by Tatsuya Sudo, a senior staff writer, and Chihiro Ara.)