This report summarizes cybersecurity incidents and policy developments publicly disclosed in Japan during the coverage period. It is written for international readers who may be unfamiliar with Japan’s institutional landscape and corporate structures. Where relevant, brief contextual notes are provided.
This issue is framed against an extraordinary geopolitical backdrop: on February 28, 2026, the United States and Israel launched Operation Epic Fury, a large-scale military campaign targeting Iran. The operation opened in cyberspace before expanding to kinetic strikes — and its reverberations have been felt in Japanese corporate networks, government policy timelines, and the global threat landscape throughout March.
Section 01
Cybersecurity Incidents
Ransomware & Intrusions into Critical Infrastructure
March 11, 2026
Japan’s equivalent of the U.S. Library of Congress released its third disclosure regarding an unauthorized access incident first revealed in November 2025. The breach originated at a sub-contractor of Internet Initiative Japan (IIJ). The possible leak of user data remains under active investigation.
The case has re-ignited a structural policy debate: Japan’s Act on the Protection of Personal Information does not extend to the National Diet, the courts, or local assemblies — meaning institutions that process vast amounts of citizen data operate under a lighter accountability regime than ordinary government agencies or private companies.
March 17, 2026
A ransomware attack struck one of Japan’s leading publishers of medical and nursing textbooks, professional journals, and clinical decision-support tools. System disruption and potential data leakage were confirmed. The company’s role as a trusted information hub for tens of thousands of healthcare practitioners raises concerns about downstream exposure across Japan’s medical community.
March 13, 2026
The Japanese subsidiary of U.S. industrial fittings and fluid systems manufacturer Swagelok disclosed a ransomware attack that caused malfunctions across its internal network.
Sources: Cybersecurity JP
March 13, 2026
The industrial company disclosed that its file server had been accessed without authorization on March 1.
Sources: Security Countermeasures Lab
Context. Victims this month span healthcare, manufacturing, printing, and logistics — a cross-sector pattern consistent with 2025 trends. Japan designates hospitals and utilities as critical infrastructure under its national cybersecurity framework, yet ransomware actors continue to target them with little apparent deterrence.
Manufacturing & Intellectual Property Incidents
March 6, 2026
One of the world’s largest manufacturers of electronic components — a key supplier in global semiconductor and consumer electronics supply chains — disclosed an unauthorized IT intrusion. Murata’s annual revenue exceeds approximately USD 12 billion. The company acknowledged the possible unauthorized reading of both its own proprietary data and records relating to external business partners, while asserting that its order-management systems remained operational.
Notably, this is Murata’s second publicly disclosed intrusion in three years. The 2023 incident was traced to entry through an overseas subsidiary, and the same route is a probable vector here.
March 6, 2026
INPIT — the body under Japan’s Patent Office responsible for managing national databases of patents, trademarks, and industrial designs — disclosed an unauthorized access incident. As a repository of proprietary technical information with direct ties to Japan’s industrial competitiveness and export-control regime, even a partial breach carries implications beyond simple data loss.
Context. Japan’s manufacturing sector is characterized by tightly integrated domestic and international supply chains. Attacks targeting component makers or IP custodians like INPIT can have far-reaching effects on industries and trading partners well beyond Japan’s borders.
Supply Chain Cascades
From March 12 onward, several organizations reported that operational disruptions traced back to breaches at their IT service providers — a pattern that has become Japan’s most persistent and costly cyber vulnerability.
- Aichi Prefecture (March 11): A breach at sub-contracted vendor Japan Research Institute disrupted a business seminar notification system, causing improper email transmission to corporate recipients.
- Kasai Industries (March 12): The automotive interior parts manufacturer disclosed unauthorized access affecting its U.S. subsidiary, KASAI NORTH AMERICA.
- Multiple document-issuance bodies (March 12 onward): Several organizations experienced disruptions to document issuance and mailing workflows following breaches at shared IT vendors.
Context. Japan’s corporate ecosystem is built on layered subcontracting: prime contractors routinely delegate work to second- and third-tier vendors, each of which may share systems or data with the original client. The Japan Network Security Association (JNSA) identified cascading supply-chain liability — including multimillion-dollar legal claims between companies — as the defining domestic cyber threat of 2025.
Other Notable Incidents
- Nagoya Junior College (March 12): Website defacement; inappropriate content was displayed. The compromise had occurred on February 25, putting the gap between compromise and disclosure at two weeks.
- United Arrows (March 16): A former employee of the popular fashion retailer was found to have exfiltrated personal data on approximately 10,000 business contacts — a reminder that insider threats remain a persistent gap.
- Kagoshima Prefectural Junior College (March 2): A faculty email account was hijacked and used to send large volumes of spam — a low-sophistication but disruptive incident type.
- Tokyo-based fintech startup (March 8): A misconfigured AWS S3 bucket exposed personal information of approximately 45,000 individuals for 48 hours before being secured. Cloud misconfiguration — not sophisticated hacking — remains one of the most common causes of data exposure globally.
Survey Data: KPMG Japan / Nikkei Cybersecurity Survey 2026
Conducted across 424 listed Japanese companies, October–November 2025.
Reported phishing attacks (whether or not damage resulted)
Affected by AI-enhanced business email compromise
Reported actual business disruption from ransomware
Experienced deepfake-based fraudulent payment instructions
Rated their cybersecurity budget as insufficient
First-ever respondent reporting losses exceeding JPY 1 billion in a single year
Section 02
Operation Epic Fury & the Cyber Dimension of the Middle East Conflict
A War That Began in Cyberspace
When the United States and Israel launched Operation Epic Fury against Iran on February 28, 2026, the first shots were not fired from aircraft — they came from keyboards. U.S. Cyber Command and Space Force conducted disruption operations against Iranian communications networks and surveillance infrastructure in the hours before the kinetic strikes began. Iranian domestic internet connectivity fell to an estimated 1–4% of normal levels within hours, effectively severing the country’s state-affiliated cyber units from their command-and-control (C2) networks.
That initial disruption proved to be a double-edged development. While it degraded Iran’s coordinated offensive capacity inside the country, threat actors operating Iranian-linked infrastructure abroad continued unimpeded. Within 24 hours of hostilities beginning, approximately 60 hacktivist groups — including pro-Russian factions — had organized under a coordination structure called the Electronic Operations Room, conducting DDoS campaigns against Western financial institutions, government portals, and energy sector targets.
Sources: IoTOT Security News — Epic Fury/Roaring Lion sparks escalating cyber conflict; Codebook / Machina Record — Tracking military and cyber dimensions of the conflict; Japan Maritime Self-Defense Force, Naval War College — Column 279: The structural paradox of precision strikes revealed by the Iran operation
State-Sponsored Espionage Surges — Exploiting the Conflict as Cover
Security firm Proofpoint documented a rapid intensification of nation-state espionage campaigns targeting Middle Eastern government and diplomatic bodies in the days following the outbreak — with multiple actors using the conflict itself as bait.
Phishing emails posed as U.S. State Department communications sharing “classified images” of Supreme Leader Khamenei’s death. A second wave claimed to provide evidence of Israeli preparations for attacks on Gulf oil and gas infrastructure. The speed of deployment suggests pre-positioning of operational infrastructure ahead of anticipated conflict.
This group — which had not previously been observed targeting Middle Eastern entities — impersonated a European Council spokesperson in HTML-attachment phishing sent to European and Middle Eastern government targets. The broadening of TA473’s targeting scope is itself a notable indicator.
Context. Japan is not a direct party to the conflict, but Japanese firms operating in the Gulf region reported a sharp uptick in targeted intrusion attempts throughout March — consistent with the broader pattern of conflict-opportunistic cyberattacks.
Section 03
State-Sponsored Attacks Targeting Japan
March 11, 2026
MirrorFace — assessed to be operating on behalf of Chinese state interests — was found to be abusing the remote tunneling feature built into Microsoft Visual Studio Code (VSCode) to establish hidden communication channels inside Japanese technology companies. The technique is significant: by repurposing a legitimate, widely trusted developer tool as covert infrastructure, the group can evade many conventional security controls that look for known malware signatures rather than behavioral anomalies.
MirrorFace has operated against Japan since at least 2019, targeting government ministries, the Ministry of Defense, semiconductor manufacturers, JAXA, politicians, and think tanks. It has more recently expanded its remit to manufacturing and applied research institutions — sectors now central to Japan’s economic security agenda.
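As an added illustration of the behavioral detection this item points to (not code from the report or from any vendor), the sketch below flags hosts showing VS Code tunnel activity in normalized process and DNS telemetry. The relay hostname suffixes and CLI arguments are those of the legitimate VS Code Remote Tunnels feature; the event schema, hostnames, paths and the approved-host list are constructed assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Relay hostnames used by VS Code Remote Tunnels (Microsoft dev tunnels).
RELAY_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")
CLI_NAMES = {"code", "code.exe", "code-tunnel", "code-tunnel.exe"}
TUNNEL_ARG = re.compile(r"\stunnel(\s|$)", re.I)
SERVICE_INSTALL = re.compile(r"\stunnel\s+service\s+install\b", re.I)
LICENSE_FLAG = "--accept-server-license-terms"
# Signals that are reported even on a machine allowed to use tunnels.
ALWAYS_REPORT = {"tunnel_cli_renamed", "service_install"}


def classify(event):
    """Return the set of tunnel-related signals seen in one event."""
    signals = set()
    if event["type"] == "dns":
        if event["query"].lower().rstrip(".").endswith(RELAY_SUFFIXES):
            signals.add("relay_dns")
    elif event["type"] == "process":
        cmd = event["cmdline"]
        name = ntpath.basename(event["image"]).lower()
        if TUNNEL_ARG.search(cmd):
            if name in CLI_NAMES:
                signals.add("tunnel_cli")
            elif LICENSE_FLAG in cmd.lower():
                # Tunnel arguments under an unexpected binary name.
                signals.add("tunnel_cli_renamed")
        if SERVICE_INSTALL.search(cmd):
            # The tunnel is being registered to survive reboots.
            signals.add("service_install")
    return signals


def detect(events, approved_hosts):
    """Map host -> sorted signals for hosts that need review."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    findings = {}
    for host, signals in per_host.items():
        if signals and (host not in approved_hosts or signals & ALWAYS_REPORT):
            findings[host] = sorted(signals)
    return findings


# Constructed sample telemetry (hypothetical hosts, paths and field names).
EVENTS = [
    {"type": "process", "host": "DEV-014", "image": r"C:\VSCode\bin\code-tunnel.exe",
     "cmdline": r'"C:\VSCode\bin\code-tunnel.exe" tunnel --name dev-014'},
    {"type": "dns", "host": "DEV-014", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"type": "process", "host": "FIN-SRV-02", "image": r"C:\ProgramData\upd\svchelper.exe",
     "cmdline": "svchelper.exe tunnel --accept-server-license-terms --name fin02"},
    {"type": "dns", "host": "FIN-SRV-02", "query": "abc123-8080.asse.devtunnels.ms"},
    {"type": "process", "host": "HR-PC-07", "image": r"C:\Temp\code.exe",
     "cmdline": "code.exe tunnel service install"},
    {"type": "dns", "host": "HR-PC-07", "query": "www.example.com"},
]

if __name__ == "__main__":
    for host, sigs in detect(EVENTS, {"DEV-014"}).items():
        print(host, sigs)
```

In practice the approved-host set would come from an asset inventory, and relay DNS on its own is a weak signal on developer workstations.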
March 11, 2026
Unauthorized exfiltration of sensitive data from government-funded research programs in the semiconductor and next-generation battery sectors was detected on March 5. Japanese authorities convened emergency countermeasures. Official disclosure remains limited — but the sectors targeted sit at the very core of Japan’s Chip Act-era industrial strategy and its alliance commitments on technology security.
Context. Japan’s NPA and NISC issued a joint advisory in January 2025 assessing MirrorFace as conducting “systematic cyber attack activity with suspected Chinese involvement, aimed at stealing information related to Japan’s national security and advanced technology.” March activity represents a direct continuation of that campaign. Japan thus faces a two-front challenge: financially-motivated criminal ransomware, and patient state-sponsored espionage — each requiring a fundamentally different response posture.
Section 04
Policy Developments
🛡 Active Cyber Defense Target Date: October 1, 2026 (Cabinet Announcement, March 17)
The government announced on March 17 its target to begin operationalizing its “active cyber defense” framework from October 1, 2026 — though this date has not yet been formally confirmed by ordinance, and some legal analyses cite a statutory window of “on or before November 2026.” Chief Cabinet Secretary Minoru Kihara made the announcement. The move translates legislation passed by the Diet in May 2025 into operational rules, granting the National Police Agency and Self-Defense Forces authority to conduct proactive cyber operations against threat actors — including pre-emptive disruption of infrastructure used to prepare attacks against Japan. Full-scale operation is broadly expected to follow in FY2027.
The government framed Japan’s current threat environment as “the most complex security environment since World War II.” Defense analysts have noted that the model closely mirrors U.S. Cyber Command’s “defend forward” doctrine, and the timing — announced weeks after the cyber-first opening of Operation Epic Fury — is unlikely to be coincidental.
📋 IPA Releases Organizational Guidance — Information Security Top 10 Threats 2026 (March 12)
Japan’s Information-technology Promotion Agency (IPA) — roughly analogous to CISA in a guidance and awareness capacity — published the organizational commentary volume accompanying its annual threat ranking. AI-enabled attack techniques featured prominently on this year’s list.
📅 Cybersecurity Month Closes (February 1 – March 18)
Japan’s government-designated awareness campaign period concluded. The Cabinet Secretariat’s National Cyber Director’s Office (NCO) — established in July 2025 as the successor to the former NISC — led public-facing awareness activities.
Context. Japan has historically approached offensive cyber authority with considerable caution — a posture rooted in constitutional constraints, alliance sensitivities, and parliamentary skepticism. The October 2026 operationalization of active cyber defense marks a fundamental departure. Coming in the wake of Operation Epic Fury’s demonstration that modern conflicts are won or lost first in the electromagnetic and digital domains, the decision reflects a broader recalibration of Japan’s security posture that will be closely watched by allies and adversaries alike.
Section 05
International Cooperation
- Japan–U.S.–Australia cyber cooperation deepens: Defense analysts and diplomatic reporting note increased activity around trilateral cyber cooperation as Japan prepares its active cyber defense implementation. Joint exercises and information-sharing mechanisms between the three nations have been a focus of alignment work ahead of October.
- Active cyber defense — international legal and alliance implications: Academic and policy commentary published in March — including analysis by The Diplomat and Tripwire — has highlighted the civil-liberties and judicial-oversight provisions built into Japan's active cyber defense legislation, as well as the law's alignment with the U.S. Cyber Command's "defend forward" model and its implications for the Japan–U.S. alliance's joint operational posture.
- JC-STAR IoT labeling scheme — mutual recognition with the UK in effect: Japan's four-tier IoT security labeling system (JC-STAR), launched in March 2025, entered mutual recognition with the United Kingdom in January 2026. Discussions with other partner nations are ongoing.
Context. Japan’s approach to cyber policy has always been shaped by its alliance commitments — particularly with the United States — and by the desire to maintain interoperability with European regulatory frameworks. The targeted October 2026 active cyber defense launch will be the most significant test yet of how those alliance relationships translate into joint operational practice.
March 2026 illustrated with unusual clarity that Japan’s cybersecurity challenges are no longer separable from its national security challenges.
On the incident side, the month’s disclosures spanned healthcare, precision manufacturing, intellectual property custodians, public institutions, and educational organizations — confirming that no sector is insulated. The simultaneous presence of financially-motivated ransomware actors and patient, state-directed espionage groups (MirrorFace; the research data breach) means organizations must defend against fundamentally different threat models at the same time.
On the policy side, the government’s March 17 announcement targeting an October 2026 launch of active cyber defense operations represents the most consequential shift in Japan’s cybersecurity posture since the country began treating cyber as a security domain — though the exact implementation date remains subject to formal ordinance.
For international observers, Japan in March 2026 is a country in transition: from reactive incident management toward a more assertive, strategy-driven posture. The gap between policy ambition and institutional capacity remains significant, but the direction of travel is clear.
JICSS Special Feature
Expert Commentary
Ilya Kulyatin
Founder, Ai Foundry - Tokyo
Ilya is the CEO of Foundry Labs, a Tokyo-based AI systems integrator providing AI engineering services across enterprise, physical, and scientific domains. He is also the Founder of Tokyo AI (TAI), Japan’s largest international AI community with over 4,500 members, focused on making Japan a premier destination for AI and robotics.
With an interdisciplinary background spanning Business, Finance, and Machine Learning, Ilya has built startups and led quantitative research and machine learning initiatives across Italy, USA, UK, Netherlands, Singapore, and Japan. He is actively involved in shaping cross-border AI collaboration, including policy discussions on democratic AI governance and international research partnerships. His work bridges Japanese and global startup ecosystems, connecting founders, investors, and researchers across markets.
Sovereign AI has entered the mainstream policy vocabulary. But as someone building AI systems in Tokyo and working closely with Japan’s startup and enterprise ecosystem, I want to offer a practitioner’s perspective: sovereignty is an architecture problem. For Japan’s national resilience, the architecture has some important gaps.
I think of sovereign AI as a five-layer stack: data residency at the base, then hardware (chips), cloud infrastructure (data centers), AI models, and inference (where AI actually runs in production). Each layer has its own dependency profile, and sovereignty at the top layers is hollow without control of the layers beneath.
Are we moving in the right direction? Japan’s AI Basic Plan, approved in December 2025, rightly frames AI as critical infrastructure. The government has committed ¥10 trillion to semiconductors and ¥1 trillion over five years to AI development. Serious numbers. But Japan still runs primarily on four foreign platforms (Amazon, Microsoft, Google, and Oracle). Domestic GPU compute covers roughly 30% of demand. That’s a significant gap between ambition and operational reality.
For this security community, let’s consider three implications.
Two-thirds of AI compute is now inference: running models in production, processing data, generating outputs. AI agents are making thousands of API calls per task, each an authentication and authorization event. Yet only 11% of Japanese organizations conduct real-time API security testing, even as 85% of APAC organizations report API security incidents annually. The proliferation of AI agents is creating a massive, under-defended surface.
Autonomous AI tools can discover vulnerabilities, craft exploits, and move laterally in 48 hours. This cycle used to take months. When the adversary operates at machine speed, human-paced incident response becomes structurally inadequate. This now requires distributed security architectures, inspecting AI traffic at the edge, as the round-trip time to the data center is too slow.
Non-human identities (AI agents, service accounts, API keys) now outnumber human identities 82 to 1. Whoever controls the authentication and authorization layer controls what AI systems can access and do. Most of that identity infrastructure today is foreign-operated SaaS. For critical sectors such as finance, healthcare, and defense, this is a dependency that warrants the same scrutiny we give to hardware supply chains. The recent software supply chain attacks are just the start.
Japan has the components for a genuinely sovereign AI stack: world-class robotics and physical AI talent, domestic LLMs matching frontier performance on Japanese tasks, and one of the most AI-friendly regulatory environments among advanced democracies. But it would be misleading to suggest the components are all in place. Data governance is tightening but enforcement remains untested. Hardware still depends overwhelmingly on a single foreign supplier. Cloud infrastructure runs primarily on foreign platforms. Domestic models exist but adoption lags every major economy. Inference and security architectures are nascent to say the least.
No single layer can be ignored, because weakness at any level undermines sovereignty at every level above it. The baseline is there, but what Japan needs now is a full-stack view: an honest assessment of each layer’s maturity, and the integration work to connect them into deployable, secure, enterprise-grade systems that local and foreign institutions can actually trust.
“We can’t just declare sovereignty. We need to build it, layer by layer, in the field. Japan’s security posture depends on getting this right.”
This report was compiled from open-source materials available as of April 10, 2026. Findings may be updated as investigations and policy processes develop. This document is for informational purposes only.

