[Third Week of April 2026] Cyberattacks on Japanese Companies: 3 Real Incidents and Countermeasures

This week saw a series of cyberattacks targeting Japanese companies. Businesses are facing a variety of threats, including business disruption due to ransomware, theft of authentication credentials through malware infections, and data breaches due to system configuration flaws. Of particular note is the increasing number of attacks occurring through outsourced partners. Security measures across the entire supply chain, not just within the company itself, are urgently needed. This article will summarize key points and specific countermeasures that practitioners should be aware of, based on representative cyberattack cases that occurred at Japanese companies in the third week of April 2026.
Ransomware attack on Seed Planning: Damage spreads via subcontractors
Seed Planning Co., Ltd., a company contracted by Kawasaki City, Kanagawa Prefecture, was subjected to a ransomware attack on March 2nd. Some of the company's systems, network, and terminals were affected by file encryption, resulting in a complete network shutdown. Potentially leaked information includes the names, contact persons' names, addresses, telephone numbers, and email addresses of Kawasaki Standards Certified Businesses, as well as contact information (approximately 2,000 records) of companies and welfare facilities participating in the city's projects. Attacks on contractors of public institutions endanger information from multiple companies and organizations simultaneously, highlighting the importance of risk management across the entire supply chain.
Zetton malware infection leads to theft of authentication credentials and unauthorized logins
Zetton Co., Ltd., which operates a restaurant chain, discovered on September 18, 2025, that one of its PC terminals used at a store in Gifu City, Gifu Prefecture, was infected with malware. Account authentication information for the old email system used on the affected terminal was stolen, resulting in continuous unauthorized logins from overseas starting on November 27, 2025. Furthermore, secondary damage occurred when emails were sent from the affected account to multiple recipients. This incident highlights the importance of endpoint protection and the risks posed by the continued use of legacy systems.
Massive spam email sent due to flaws in the email server configuration at Nara Women's University
Nara Women's University, a national university corporation under the Nara National University Organization, announced on March 30th that spam emails had been sent due to a configuration error in its email sending server (SMTP server). This was a large-scale incident in which 178,782 spam emails were sent, as the server was used by a third party as a stepping stone for sending spam. Because the incident was only discovered after being reported by an external organization, it took time to fully grasp the extent of the damage. This incident highlights the importance of basic system configuration and the need for a proactive monitoring system that does not rely on external reports.
Five specific cybersecurity measures that should be implemented on the ground now
Here are five practical measures that practitioners can immediately implement, based on the four incidents we've covered this week.
1. Strengthen and implement endpoint protection, and perform threat scans at least once a month: Malware infections on PC terminals become an entry point for the theft of authentication credentials. As the Zetton case shows, implement EDR (Endpoint Detection and Response) on all terminals and perform threat scans at least once a month. Terminals using legacy systems should be given particular priority.
2. Regular inventory and audit of system settings: The mail server configuration issue at Nara Women's University could have been prevented with basic configuration checks. Establish a process to inventory all company-wide system settings (especially mail servers, firewalls, and cloud storage) at least once a month and check for any inappropriate settings.
3. Formalize security requirements for subcontractors and the supply chain, and conduct regular audits: The Seed Planning case demonstrates that attacks on subcontractors can endanger your own customer information. Ensure that security requirements are clearly stated in contracts with all subcontractors and conduct regular audits. Verifying ransomware countermeasures and backup systems is especially crucial.
4. Stricter credential management and implementation of multi-factor authentication (MFA): In the Zetton case, credentials were stolen due to malware infection. Implement multi-factor authentication for all critical systems and enforce the use of password management tools. Especially for accounts on older systems, set expiration dates by default and require regular password changes.
5. Establishing an Incident Detection System and Reducing Reliance on External Reporting: Seed Planning's damage was discovered through external reports and anomaly detection. It is necessary to establish a system that allows the company to proactively detect threats internally by building a Security Operations Center (SOC), automating log monitoring, and setting up anomaly detection alerts.
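One way to automate the mail-log check that measures 2 and 5 call for, as an added example that is not from the original article: it flags external clients whose mail the server delivered to outside domains, the pattern of a server being used as a stepping stone. The Postfix-style log format, the `10.0.0.0/8` network, the `univ.example` domain, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not from the article: Postfix-style log lines (trimmed),
# the organisation's networks and mail domain, and the alert threshold.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LOCAL_DOMAIN = "univ.example"
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([0-9a-fA-F.:]+)\]")
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*@([^>]+)>.*status=sent")

# Constructed sample log, not data from the incident.
SAMPLE_LOG = """\
Apr 14 02:11:03 mx postfix/smtpd[2211]: 4F1A2C0E1: client=unknown[203.0.113.45]
Apr 14 02:11:04 mx postfix/smtp[2300]: 4F1A2C0E1: to=<a@shop.example.org>, status=sent (250 ok)
Apr 14 02:11:04 mx postfix/smtp[2301]: 4F1A2C0E1: to=<b@shop.example.org>, status=sent (250 ok)
Apr 14 02:11:05 mx postfix/smtpd[2211]: 5B2D3E1F2: client=unknown[203.0.113.45]
Apr 14 02:11:06 mx postfix/smtp[2300]: 5B2D3E1F2: to=<c@news.example.net>, status=sent (250 ok)
Apr 14 09:00:01 mx postfix/smtpd[2400]: 6C3E4F2A3: client=pc12.univ.example[10.1.2.3]
Apr 14 09:00:02 mx postfix/smtp[2401]: 6C3E4F2A3: to=<d@partner.example.com>, status=sent (250 ok)
Apr 14 09:05:10 mx postfix/smtpd[2402]: 7D4F5A3B4: client=mail.example.com[198.51.100.7]
Apr 14 09:05:11 mx postfix/smtp[2403]: 7D4F5A3B4: to=<staff@univ.example>, status=sent (250 ok)
"""


def find_relay_abuse(log_text, threshold=3):
    """Return {client_ip: n} for external clients with n >= threshold
    deliveries to recipients outside LOCAL_DOMAIN."""
    queue_client, relayed = {}, Counter()
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            queue_client[m.group(1)] = m.group(2)  # queue ID -> submitting IP
        elif m := SENT_RE.search(line):
            ip, domain = queue_client.get(m.group(1)), m.group(2).lower()
            if ip is None:
                continue  # client line fell outside this log window
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in INTERNAL_NETS):
                continue  # our own hosts may send anywhere
            if domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN):
                continue  # inbound mail for our own users
            relayed[ip] += 1
    return {ip: n for ip, n in relayed.items() if n >= threshold}


if __name__ == "__main__":
    print(find_relay_abuse(SAMPLE_LOG))
```

Remote users who authenticate before sending would also be counted here; a production version would exempt client lines that carry a `sasl_username` field.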
How PIPELINE can help you
This section explains how PIPELINE's product suite can prevent, detect, and respond to the threat types observed in this week's incidents.
[Measures against ransomware attacks] RiskSensor visualizes vulnerabilities within the network and externally exposed assets, proactively identifying vulnerabilities that could serve as entry points for ransomware attacks. ThreatIDR detects lateral spread after intrusion and blocks attacks before file encryption occurs. DatalaiQ monitors the integrity of backup data and supports rapid recovery from ransomware attacks.
[Measures against malware infection and credential theft] ThreatIDR detects malware activity on endpoints and prevents credential theft. RiskSensor identifies vulnerabilities that cause malware infections and prioritizes patching. DatalaiQ detects abnormal access patterns to credential information and prevents unauthorized logins.
[Measures against system configuration errors and data leaks] RiskSensor automatically detects configuration errors in email servers, cloud storage, etc., and provides improvement suggestions. DatalaiQ detects data that has been exposed externally due to improper configuration and immediately notifies the user. Continuous monitoring prevents configuration drift and ensures compliance requirements are met.
Sources
1. Kawasaki City [Press Release] Regarding Unauthorized Access Damage to Contracted Service Provider's Servers
2. Notice and Apology Regarding Unauthorized Access to Zetton Corporation's Old Email System
3. 178,782 spam emails sent – Nara Women's University's email sending server had a configuration
✦ Finally
Thank you for reading this far.
We at PIPELINE Corporation are a group of experts specializing in cybersecurity and threat intelligence.
We face threats together with our customers on-site every day.
"Even if we have a specialized team within the company, we lack the resources," "We don't know where to start," and "We want to prepare realistically, assuming we will be attacked."
We receive many inquiries like this. Regardless of the size of the company, the current situation is that weak points in defenses are easily targeted.
Furthermore, trying to handle everything internally inevitably makes it easier for things to be overlooked.
That's why we focus on practical methods that are useful in the field, rather than idealistic theories, and propose a small-scale, easy-to-implement approach. Even "a small step within your capabilities" can make a big difference in safety.
If you have any concerns at all, please feel free to contact us. Let's work together to find the quickest way to strengthen your security.