
[June 2026] Top 4 Incidents Concerning Japanese Companies This Month — From BEC Fraud to Waves of Attacks on Overseas Branches


This month saw a series of cyberattacks targeting Japanese companies. Reports included large-scale fund outflows due to business email compromise (BEC), unauthorized access to ISP email systems, and organized ransomware attacks on multiple overseas locations. Particularly noticeable were the increases in damage propagated through subcontractors and in attacks on overseas subsidiaries, highlighting the urgent need to strengthen security across the entire supply chain.


BEC fraud targeting Jellybeans Group — 45 million yen stolen through emails impersonating company executives and employees.

On June 11, 2026, Jellybeans Group Co., Ltd. announced a fund outflow resulting from an unauthorized transfer instruction. On June 3, a third party impersonating an officer or employee of the company issued an unauthorized transfer instruction that exploited a loophole in the verification system, and approximately 45 million yen was transferred to an external account. Once funds have flowed out to an external party, recovery becomes difficult, making prevention more important than reactive measures.


KDDI's email system for ISP operators compromised — up to 14.22 million authentication credentials leaked.

On June 23, KDDI Corporation announced that its email system for ISP operators had been compromised by unauthorized access. The company's email system was attacked on June 17, potentially resulting in the leakage of up to 14.22 million email addresses and passwords. Multiple ISP operators were affected, making this a typical case of damage transmitted through a contracted service provider.


Yamaichi Electric's Philippine subsidiary suffers ransomware attack — Initial intrusion route cannot be identified due to log deletion.

Yamaichi Electric Co., Ltd., which is listed on the Tokyo Stock Exchange Prime Market, released on June 15 its final report on a ransomware attack at its Philippine subsidiary, Pricon Microelectronics. Some servers were infected with ransomware on April 17, and because the attackers encrypted and deleted logs, the initial intrusion route has not been fully identified. This highlights the difficulty of responding to attacks on overseas locations.


Unauthorized access to two overseas companies of Sapporo Holdings

On June 24, Sapporo Holdings Ltd. announced that two of its overseas group companies had been subjected to unauthorized access. Overseas locations tend to have weaker security measures than the head office, making them ideal targets for attackers.



Five specific cybersecurity measures that should be implemented on the ground now


1. Enhanced multi-factor authentication and identity verification processes for money transfer instructions.

BEC scams exploit lax verification systems. Especially for large transfers, verify identity by phone or video call rather than relying solely on email. It is crucial to establish a rule that transfer instructions arriving by email in the name of a company officer or employee must always be verified through a separate channel.


2. Monthly security audits of risks arising through ISPs and contractors.

Critical infrastructure managed by external vendors, such as email systems, must undergo regular security audits. Establish a system to verify the vendor's vulnerability patch application status and authentication encryption methods at least once a month.


3. Establishment of log monitoring and backup strategies for overseas locations.

It's not uncommon for logs to be deleted in ransomware attacks, making post-incident investigations difficult. An architecture that automatically transfers logs from overseas branches to the head office system to protect them from deletion by attackers is essential.
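
The following added example (not part of the original article and not PIPELINE's product code) sketches the architecture described above in Python: each branch record is sent to head office as it is written, tagged with a sequence number and an HMAC chained to the previous record, so the head-office copy survives local deletion and exposes gaps or alterations. The class names, the shared per-site key and the sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32
SAMPLE = ["vpn login user=svc-backup src=203.0.113.7",   # constructed sample events
          "new service installed name=updater", "mass file rename *.locked"]

def chain_tag(key, prev_tag, seq, message):
    """Tag binds a record to its sequence number and to the previous record's tag."""
    data = prev_tag + seq.to_bytes(8, "big") + message.encode()
    return hmac.new(key, data, hashlib.sha256).digest()

class BranchForwarder:
    """Branch side: tag every record and ship it off-host as soon as it is written."""
    def __init__(self, key, send):
        self.key, self.send, self.seq, self.prev = key, send, 0, GENESIS
    def emit(self, message):
        self.seq += 1
        self.prev = chain_tag(self.key, self.prev, self.seq, message)
        self.send((self.seq, message, self.prev))

class HeadOfficeCollector:
    """Head-office side: append-only store that checks order and integrity on receipt."""
    def __init__(self, key):
        self.key, self.records, self.alerts, self.prev = key, [], [], GENESIS

    def receive(self, record):
        seq, message, tag = record
        expected = self.records[-1][0] + 1 if self.records else 1
        if seq != expected:                      # record lost or suppressed in transit
            self.alerts.append(f"gap: expected seq {expected}, got {seq}")
        elif not hmac.compare_digest(tag, chain_tag(self.key, self.prev, seq, message)):
            self.alerts.append(f"bad tag at seq {seq}")
        self.records.append(record)              # keep everything for the investigation
        self.prev = tag

    def deleted_at_branch(self, surviving_messages):
        """Records held at head office that no longer exist in the branch's local log."""
        surviving = set(surviving_messages)
        return [(seq, msg) for seq, msg, _ in self.records if msg not in surviving]

def demo():
    key = b"constructed-demo-key"     # assumption: per-site key provisioned out of band
    hq = HeadOfficeCollector(key)
    branch = BranchForwarder(key, hq.receive)
    for line in SAMPLE:
        branch.emit(line)
    local_log = SAMPLE[-1:]           # local log after everything but the last line is wiped
    return hq.alerts, hq.deleted_at_branch(local_log)
```

In a real deployment the `send` callable would be an authenticated network transport, and the head-office store would be writable only by the collector, not by any branch account.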


4. Regular evaluation of the security systems of overseas group companies

Overseas subsidiaries may not be subject to the same strict security rules as the head office. Evaluate the security status of overseas locations against a checklist at least quarterly, and maintain the same level of security measures as the head office.


5. Designing, in advance, the process for identifying the initial intrusion path during incident response.

When a ransomware infection occurs, a process is needed to identify the initial intrusion route before logs are deleted. Consider implementing an EDR (Endpoint Detection and Response) tool and securing a 24/7 support line with external experts.



What you can do at PIPELINE Co., Ltd.

PIPELINE Corporation's three main products provide comprehensive protection against these four threats.


RiskSensor (External risk intelligence, attack surface visualization, dark web monitoring)

The BEC (Business Email Compromise) incident at Jellybeans Group and the authentication information leak seen in the KDDI case demonstrate how attackers collect and exploit information from companies and related organizations in advance.

RiskSensor continuously monitors externally accessible assets, including those of your company, subsidiaries, affiliates, and contractors, to detect configuration errors, vulnerabilities, and leaked credentials early. Furthermore, by identifying credentials circulating on the dark web and signs of impending attacks, it supports preventative measures before damage occurs.


ThreatIDR (DNS-level threat blocking, malware/C2 communication blocking)

In ransomware attacks such as the one on Yamaichi Electric's Philippine subsidiary, and in unauthorized access to overseas group companies, attackers commonly expand their activities by communicating with external servers after gaining access.

ThreatIDR detects and blocks threat communications at the DNS level, cutting off communication between malware-infected devices and attackers' command and control (C2) servers. This stops ransomware execution, data theft, and lateral spread within the organization at an early stage, preventing further damage.


DatalaiQ (Threat Hunting, Log Analysis, Incident Investigation)

In ransomware attacks and unauthorized access, the ability to quickly identify the intrusion route and the scope of impact is crucial in determining the extent of the damage. However, as in the case of Yamaichi Electric, logs are often deleted by the attackers.

DatalaiQ analyzes logs collected from network devices, servers, cloud services, and other sources across the board to support threat hunting and incident investigation. By visualizing security data across the entire group, including domestic and international locations, it accelerates the identification of initial intrusion routes and the assessment of the extent of damage, thereby supporting recovery efforts.


✦ Finally


Thank you for reading this far.

At PIPELINE Corporation, we are a group of experts specializing in cybersecurity and threat intelligence, and we work alongside our clients on the front lines every day to address threats.

"Even if we have a specialized team within the company, we lack the resources," "We don't know where to start," and "We want to prepare realistically, assuming we will be attacked."

We receive many inquiries like this. Regardless of the size of the company, the current situation is that weak points in defenses are easily targeted.

Furthermore, trying to handle everything internally inevitably makes it easier for things to be overlooked.

That's why we focus on practical methods that are useful in the field, rather than idealistic theories, and propose a small-scale, easy-to-implement approach. Even "a small step within your capabilities" can make a big difference in safety.

If you have any concerns at all, please feel free to contact us. Let's work together to find the quickest way to strengthen your security.




