[Japan Threat Intelligence Report] Summary of February 11th to February 25th, 2026
- PIPELINE


Pipeline regularly monitors cyber activity targeting Japan based on threat intelligence and publicly available information on the dark web. This report summarizes the main trends observed between February 11 and February 25, 2026. This two-week period was particularly notable for attempts to access industrial control systems (SCADA) and the medical and infrastructure sectors, credential theft activities, and ransomware attacks.
Japan's Dark Web Trends
During this period, multiple activities targeting Japanese SCADA/industrial control systems, medical institutions, monitoring infrastructure, and manufacturing were confirmed. Many of these were not isolated attacks, but rather focused on credential theft and information exfiltration, strongly suggesting the possibility of prior intrusion (pre-positioning).
Major observation examples
February 11: SCADA industrial plant access attempt
Indicators of initial intrusion into industrial control networks were shared on the dark web, and credential dumps were circulating.
February 11: Nippon Medical School Musashi-Kosugi Hospital
Unauthorized access was confirmed through the exploitation of a vulnerability in a VPN used for medical equipment maintenance, resulting in ransomware damage to nurse call systems and other systems. In connection with this incident, a large-scale leak of patient personal information (initially about 10,000 people, later expanding to 130,000 people) was made public.
February 12: CCTV at a spa facility in Sendai
Intrusion into a surveillance camera system and the theft of video footage and authentication information were observed.
February 23: Nichiha Co., Ltd. document leak
Internal documents for the manufacturing industry were leaked onto the dark web, suggesting that they may be evidence of a long-term intrusion.
These cases show that attackers are increasingly using VPNs/remote access systems or legacy devices without MFA as an entry point, then moving laterally through internal networks to steal and exfiltrate credentials and confidential data. The volume of Japan-related credentials (corporate domains, account lists) circulating on the dark web has also increased significantly during this period.
Ransomware damage in Japan
On February 18th, a ransomware infection was confirmed at Jojuin Temple (Tochigi Prefecture), a temple of the Shingon sect of Buddhism.
Religious corporations and small local organizations continue to be vulnerable as "soft targets" due to the following structural weaknesses:
Lack of dedicated IT staff
No multi-factor authentication (MFA)
Continued use of legacy OS/devices
Lack of regular backup and recovery training
These organizations are more likely to be slow to recover from attacks and are at risk of being forced to pay ransoms.
Data Breach Trends
No new large-scale publicly-announced incidents (leaks of personal information on tens to hundreds of thousands of people) were confirmed during this period, but document leaks in the manufacturing industry and credential theft activities in the medical field have continued to be observed.
In particular, the attack chain of prior intrusion → long-term latency → information theft → double extortion (data disclosure + encryption) has matured, and there are increasing cases where parts of data are bought and sold or made public on the dark web before the damage is made public.
Points to watch out for in the future
Below is a summary of points to be particularly vigilant about in the coming months.
Expansion of pre-positioning in the industrial control field
Pre-positioning in SCADA/PLC environments is becoming more prevalent. Intrusions by financially motivated criminal groups, rather than nation-state actors, are on the rise.
Increased ransomware attacks on local organizations
Religious organizations, local government-related organizations, and small and medium-sized manufacturing companies continue to be targeted. Organizations that have not yet implemented MFA should prioritize taking measures.
The rise of information theft-based double extortion
The combination of encryption and data disclosure has become the norm. Cases of data being posted on leak sites before negotiations have increased dramatically.
Increased circulation of Japan-related credentials on the dark web
There is a possibility that a large number of dumps of Active Directory and VPN accounts will be distributed. Be careful of secondary damage caused by the misuse of leaked credentials.
Recommended Actions (Quick Checklist)
Requiring MFA for all public-facing remote access
Strengthening network isolation and vulnerability management for SCADA/OT environments
Regular checks for credential leaks (using dark web monitoring services)
Regional and small/medium-sized organizations should limit externally exposed ports to a minimum and thoroughly store backups offline.
Pipeline will continue to track risks within Japan based on real-time threat intelligence. Please contact us for more information on the latest threat trends and specific incident responses.
What PIPELINE does
We help protect Japanese companies from targeted cyber threats.
For example, for manufacturing, medical institutions, critical infrastructure, and local small and medium-sized organizations:
Continuous scanning and risk visualization of public-facing assets (domains, servers, VPNs, cloud configurations, etc.)
24-hour monitoring and early detection of leaked credentials, confidential documents, and ransomware-related information on the dark web
Attack Surface Management and Prioritization from an Attacker's Perspective
Real-time threat blocking at the DNS level (malware, C2 communications, anti-phishing)
We also make "invisible risks" visible and provide support to management and security teams. Because it's too late once damage has occurred, we place emphasis on preventative measures and proactive visualization.
You can do it now: Self-check (8 items)
Do you have a list of all your company's domains and subdomains?
Are there any old servers or abandoned systems that are publicly available?
Are there any remaining VPNs or remote access ports that do not have MFA implemented?
Have you checked to see if your company's domain credentials have been leaked on the dark web?
Do you regularly assess external risks to your business partners and supply chain?
Do you know the externally exposed assets in your SCADA/OT environment?
Do you have proactive monitoring in place to prevent data exposure in the event of a ransomware attack?
Are you able to prioritize risks and determine how to respond?
If you are stuck on even three of them, it's time to use PIPELINE.
We visualize risks from the attacker's perspective and help prevent damage with threat intelligence specialized for Japan and the Asia-Pacific region. Please feel free to contact us.
✦ Conclusion
Thank you for reading this far.
We at PIPELINE Inc. are a group of experts specializing in cybersecurity and threat intelligence.
Every day, we face threats on-site together with our customers.
"Even if we have a specialized team in-house, we don't have enough resources." "I don't know where to start." "I want to prepare realistically, assuming that an attack will occur."
Regardless of the size of a company, the current situation is that weak areas of defense are likely to be targeted.
Furthermore, when a company keeps everything in-house, it is inevitable that things will be overlooked.
That's why we don't focus on idealism, but instead focus on methods that are useful in the field, proposing ways to start small and easily. Even "one small step within your capabilities" can make a big difference in safety.
If you have any concerns, please feel free to contact us. We will work together to find the best way to strengthen your security in the shortest possible time.

















