Press Release

New Security Research from Cylance SPEAR™ Team Uncovers Multi-Year, Multi-Attack Campaign Targeting Japanese Critical Infrastructure

Press + Media Contact
Cylance PR Team
Cylance Inc.

“Operation Dust Storm” reveals increasingly sophisticated, targeted and successful cyber-attacks against Japanese electric utility, oil and gas, finance, transportation and construction companies

Irvine, California, Feb. 23, 2016 – Cylance SPEAR™ team, the security research arm of Cylance®, today released a report titled “Operation Dust Storm,” which reveals a multi-year, multi-attack campaign against Japanese commercial interests and critical infrastructure. The research uncovers how a well-organized and well-funded threat group, likely associated with a nation/state, has used a variety of attack vectors and techniques to infiltrate and gather sensitive information from companies in electric utilities, oil and gas, finance, transportation and construction.

“Since 2010, a threat group with considerable resources has been using various exploits to attack commercial interests around the globe, with a specific focus on Japan,” said Jon Miller, vice president of strategy, Cylance. “Whereas early activity by the group showed less sophistication and a broader set of targets, SPEAR’s current research indicates the group’s present focus has shifted specifically and exclusively to Japanese companies or Japanese subdivisions of larger foreign organizations. The group has also shown an ability to exploit Android-based mobile devices, illustrating that these types of attacks are more prevalent in the mobile-centric business cultures in Asia. The campaign continues to this day.”

Specific findings of Operation Dust Storm include:

  • Exclusive Focus on Japan in Later Stages: Recent activity has shown an exclusive focus on Japanese companies or Japanese divisions of larger organizations not headquartered in Japan.
  • Sustained Attack Campaigns: The campaign spans more than five years of persistent, multiple cyber attacks against companies in Japan, South Korea, the U.S. and Europe.
  • Long-term Purpose: After evaluating the malware at the first stages of attack on the hacked networks and systems, the SPEAR team found evidence showing that the prime motives are long-term data exfiltration and theft.
  • Variety of Critical Infrastructure Targets: Critical infrastructure targets include electric utilities, oil and gas, finance, transportation and construction.
  • Increasing Focus on Japanese Commercial and Energy Interests: The campaign is most likely being directed by a nation/state attack group growing in sophistication and focus, who are specifically targeting Japanese companies or Japanese subsidiaries of multinational corporations.
  • Continuous, Undocumented Threats: Last year SPEAR discovered two more waves of attacks that started in July 2015 and October 2015. One of the primary targets was a Japanese subsidiary of a South Korean electric utility.
  • Wide Range of Attack Types and Vectors: Attacks have employed spear phishing, waterholes, unique backdoors and unique zero-day variants, among others, to breach corporate networks and Android-based mobile devices.
  • Targeted Corporate Attacks: The campaign has made use of malware that is customized for particular target organizations; one 2015 attack involved the use of an S-Type backdoor variant designed specifically to compromise the investment arm of a major Japanese automaker.

The full Operation Dust Storm report can be downloaded here and includes more detail on the types of attacks, targets and a complete timeline of attacks between 2010 and 2015. Future Cylance SPEAR research focused specifically on the mobile-based attacks covered in Operation Dust Storm will be released later this year. Through Cylance research and analysis work, previously undocumented attacks indicate that this activity is directed by one threat actor or entity, and there is undoubtedly more to discover. Cylance analysis is ongoing and there will be more updates as new aspects and new attacks are uncovered.


About Cylance® Inc.

Cylance is the only company to offer a preventive cybersecurity solution that stops advanced threats and malware at the most vulnerable point: the endpoint. Applying a revolutionary artificial intelligence approach, the Cylance endpoint security solution, CylancePROTECT®, analyzes the DNA of code prior to its execution on the endpoint to find and prevent threats others can’t, while using a fraction of the system resources associated with endpoint antivirus and detect and respond solutions that are deployed in enterprises today. For more information visit:

Cylance and CylancePROTECT are registered trademarks or trademarks owned by Cylance Inc. in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks are the property of their respective owners.

We use cookies to provide you a relevant user experience, analyze our traffic, and provide social media features. Read More