Report on Unauthorized Access at JAXA

Japan Aerospace Exploration Agency

 The Japan Aerospace Exploration Agency (JAXA) reports the status of its response to the compromised
information caused by unauthorized access last year.

 In October last year, based on a notification from an external organization, JAXA recognized unauthorized
access to internal servers on the JAXA’s network (hereinafter referred to as “the incident”). While JAXA immediately
took initial measures, such as blocking all malicious communication, we also launched the investigation in
cooperation with expert organizations and security vendors to understand the incident, developed countermeasures,
and implemented them.

 The attachment provides an overview of the incident. JAXA confirmed that some of the information we manage
(related to activities with external organizations and personal information) was compromised.

 We sincerely apologize for any inconvenience to those affected by this incident.

 While we cannot disclose the details of information that was compromised due to the nature of our relationship
with third parties, we apologized and notified the affected individuals and partners. As of now, JAXA has not
received any reports of significant disruption to the activities of those involved. We sincerely regret any
inconvenience this incident may have caused.
 Although JAXA does not see the severe impact on our activities, including cooperation with domestic and
international partners, by the incident, we take it very seriously as a matter that could potentially harm
relationships of trust, and we will strengthen our measures to prevent a recurrence.

 Although a few instances of unauthorized access occurred in 2024, JAXA confirmed that they did not involve any
compromise of information. Those unauthorized access, including the incident last year, targeted VPN devices.

 JAXA has already implemented short-term measures, such as establishing a system to promptly respond to
vulnerabilities, and developed permanent measures to further enhance security. We are currently materializing these
permanent measures and will continue to strengthen our information security measures in the future.

1. JAXA’s Response

 Based on a notification from external organizations, JAXA immediately took initial actions, such as blocking
all malicious communications and disconnecting all the compromised servers and computers from the JAXA network.
Then, we engaged a security vendor to investigate the signs of the compromise and analyze all the compromised
servers and computers. We discovered malwares and removed them, as well as implemented emergency measures to
mitigate potential risks, including enhancing the monitoring of internal communications.
 In addition, since we found the possibility of unauthorized access to Microsoft 365 (“MS365”) during the
investigation, a specialized team from the Microsoft corporation investigated and confirmed that no further
breaches had occurred.
 Throughout the implementation of these measures, JAXA has been working closely with external organizations.
This includes cooperation with the police, the JPCERT Coordination Center, the Information-technology Promotion
Agency (IPA), and other expert organizations. We have been actively reporting and sharing information with them,
including unauthorized communication destinations and malwares.

2. Scope of Compromise

 JAXA identified the scope of compromise based on the initial investigation, the investigation by the
security vendor and Microsoft, and the analysis by JAXA. In addition, we confirmed that the attacker used multiple
unknown malwares, making it difficult to detect the unauthorized access.

1. (i)
   the attacker likely exploited a vulnerability in a VPN device to gain the initial access to JAXA’s internal
   servers and computers. It is highly likely that the previously announced vulnerability was exploited.
2. (ii)
   the attacker further expanded the scope of unauthorized access and compromised JAXA’s user account
   information.
3. (iii)
   the attacker illegally accessed JAXA’s MS365 services with the account information it obtained.

3. Compromised Information

 As a result of the incident, some information (including personal information of JAXA employees, etc.)
stored on the compromised JAXA servers and computers may have been breached. In addition, we confirmed that some
of the information managed on JAXA’s MS365 service (related to activities with external organizations and personal
information) were compromised. We have already explained and apologized to those affected. The information systems
and networks compromised in this incident do not handle sensitive information related to launch vehicles and
satellite operations.

4. Countermeasures

 In response to this incident, we implemented short-term measures, such as establishing an operation to
respond to vulnerabilities promptly and strengthening the monitoring of internal communication. In addition, JAXA
developed permanent measures to further enhance security, such as enhancing monitoring of the entire network and
endpoints, improving remote access methods, increasing the efficiency and visibility of operational management,
and enhancing anti-spoofing measures. We are currently in the process of materializing these permanent
measures.
 In the course of taking the above measures and strengthening monitoring, we have detected and responded to
multiple unauthorized accesses to JAXA’s network since January of this year (including zero-day attacks), though
no information was compromised.

5. Future Efforts

 As cyber-attacks become increasingly sophisticated and countermeasures constantly evolve, JAXA is firmly
aware of the need for prompt and appropriate security responses and plans to steadily implement short-term and
permanent measures in response to this incident. JAXA will further strengthen information security in cooperation
with related organizations, including expert organizations.

For inquiries regarding personal information, please contact the following: