National TV anchors struggle through explanations of the Tor anonymity network, while newspapers run detailed graphics on remote hacking software and the national police warn against using obscure online tools known as Syberian Post Offices.
Japan is in the midst of a cybercrime saga.
The public has been drawn in by the story of what appears to be a lone hacker who slipped software onto the Windows computers of innocents and used them to post fictional warnings of imminent mass murders at public schools and attacks against aeroplanes. He then spent months taunting authorities through emails to the national press.
After a public pursuit that included multiple false arrests, a taunting message that led to a memory card planted on the pink collar of a cat on a small island, and images posted online with their location data apparently tweaked to mislead authorities, police finally arrested suspect Yusuke Katayama, a 30-year-old slightly chubby IT worker, last week. Police seem confident they got the man responsible for it all, though some are still doubtful.
“It took so long, and it seemed as though the police were helpless to find him,” said Yoji Ochiai, a lawyer and former public prosecutor who specialises in online crimes, and who also received emails from the hacker. ”This can be thought of as a major lesson for the police.”
The more colorful bits of the story have trickled out through the Western media in short bytes of hacker comedy – bungling police arrest and question the wrong guy, four times; online videos of the cat rubbing up against the legs of reporters – but industry watchers say the ordeal has triggered real change. The public humiliation has forced Japan’s National Police Agency (NPA), whose role is similar to organisations like the Australian Federal Police (AFP) or the Federal Bureau of Investigation (FBI) in the US, into swiftly adopting a number of reforms.
“The police made the false arrests based on the IP addresses of computers that accessed the public forums, that was the standard,” said Research Institute of Information Security (RIIS) director Yoshimi Usui. ”It seems they didn’t even know that anonymiser tools existed.”
Previous incidents have been far more serious – the Sony gaming network hack in 2011, stolen secrets from military contractors and the space agency, online break-ins at parliament – but nothing has captured the country’s attention quite like this.
The events that led up to the arrest started in June of last year, when messages of mass killings and public attacks began appearing in online postings. After authorities arrested and released the wrong suspects, the hacker, who police now say is Katayama, chided them through emails to the press, including one that led them to the memory card on the cat. The card contained a copy of a powerful program authorities believe Katayama created and employed, which allowed him to anonymously control remote computers and make the postings.
The national press have covered each new development in detail. Police have felt pressure and responded with uncharacteristic speed.
In December the NPA offered ¥3 million ($31,000) for information about the individual behind the high jinks, its first-ever reward for a hacker. The agency’s wanted posters, ever-present in Japanese train stations and post offices, usually feature a blurry image of a hooded figure, snipped from security camera footage, with a list of crimes and birthmarks. But the hacker poster was something new – its only picture is a pair of cartoon hands on a laptop, followed by a long block of text detailing technical skills including C# programming and the use of a ‘Syberian Post Office’, a tool for making online postings anonymously.
Earlier this month, before the latest arrest, the NPA released an ‘emergency program’ for battling cybercriminals, specifically mentioning its failures in the hacking case as motivation. New measures include police officials ‘joining hacking communities’ and forming relationships with hackers to glean information, as well as figuring out how to peg criminals who use tools like Tor.
It is still unclear if police have their man in Katayama, though officials have said they possess irrefutable proof. He has steadfastly denied being the mastermind behind the cyberattacks, citing his lack of ability as proof.
“If you compare the skills of the ‘actual criminal’ and Katayama, it’s obvious he is far more talented than Katayama. It is clear if you look at Katayama’s abilities that he is not the criminal here,” the suspect’s lawyer told reporters.
The program used to take control of remote computers and post threats online, ‘iesys.exe’, was custom-built in the C# programming language, and has been painstakingly analysed by authorities. The Tokyo Metropolitan Police Department has taken the rare step of posting detailed descriptions of the software, including the classes and variables used in its source code.
“Detailed information about this virus has been made public with the intention of encouraging the public to provide further information about it,” reads a special section of the department’s web page devoted to the virus.
Once it had infected a computer, the software hid in the background and periodically checked free online bulletin boards on a Japanese portal, ‘livedoor’, for commands from its controller. These included instructions to turn keylogging on and off, upload and download files, and post messages to other bulletin boards.
Authorities have discovered multiple versions of the Windows program in the wild, according to reports, and those who have analysed them say they are complex and unique. Security firm Trend Micro has rated the code’s ‘damage potential’ as high, and says users must manually modify their computers’ registries to get rid of it.
The complexity of the program, and the meticulous way it was developed, appear to contrast with Katayama’s actions in the months when he was allegedly toying with Japan’s national police. Authorities have said he occasionally failed to anonymise his internet activities, and traced him to the online purchase of a small figurine that later appeared in a photo he sent to newspapers.
The FBI cooperated with Japanese police and provided the contents of a Dropbox account used by the suspect, the contents of which included a copy of the iesys.exe virus, according to the Nikkei business newspaper.
If Katayama does turn out to be the mastermind behind the program and the one that made threats online, it appears police caught a break in their first public duel with a hacker of his stature. One of their main leads was decidedly low-tech – video footage of him caught by a security camera on Enoshima, the small island where he allegedly planted the memory card on a local cat.
“It appears that he wanted to show off and went too far. If this is true then the police were fortunate he did so, because they probably wouldn’t have found him otherwise,” said Ochiai.