Introduction
Japan has been the target of an ongoing cyberattack campaign led by a China-linked threat actor known as MirrorFace. Since 2019, this group has systematically targeted Japanese organizations, businesses, and individuals, aiming to steal sensitive information related to national security and advanced technologies. The National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) have closely monitored these attacks, shedding light on the tactics and tools employed by this sophisticated threat actor.
MirrorFace: Origins and Objectives
MirrorFace, also identified as Earth Kasha, is believed to be a sub-group of the Advanced Persistent Threat (APT) group APT10. This cyber espionage collective has a history of focusing on Japanese entities, utilizing advanced tools such as ANEL, LODEINFO, and NOOPDOOR (also known as HiddenFace). The primary goal of their campaigns is to gather intelligence on Japan's critical infrastructure, national security, and cutting-edge technological developments.
Campaign Strategies and Tools
MirrorFace's operations have been categorized into distinct campaigns based on their targets and methods:
Campaign A (2019–2023):
This campaign focused on think tanks, government agencies, politicians, and media outlets. The attackers employed spear-phishing emails to deliver malware such as LODEINFO, NOOPDOOR, and LilimRAT, a modified version of the open-source Lilith RAT.
Campaign B (2023):
Aimed at sectors like semiconductor manufacturing, communications, academia, and aerospace, this campaign exploited vulnerabilities in widely used network devices, including those from Array Networks, Citrix, and Fortinet. The breaches facilitated the deployment of tools like Cobalt Strike Beacon, LODEINFO, and NOOPDOOR.
Campaign C (2024–Present):
This ongoing campaign targets academia, think tanks, politicians, and media organizations through spear-phishing emails designed to deliver ANEL, also known as UPPERCUT.
Advanced Techniques in Cyber Espionage
MirrorFace employs sophisticated methods to evade detection and maintain persistence. A key technique involves using Visual Studio Code remote tunnels to create hidden connections, enabling the attackers to bypass traditional network defenses and remotely control compromised systems.
Additionally, the group has been observed leveraging the Windows Sandbox feature to execute malicious payloads in an isolated environment. This approach allows malware to run undetected by antivirus programs or Endpoint Detection and Response (EDR) tools. The temporary nature of the Windows Sandbox ensures that no traces of the attack remain once the host system is restarted or shut down.
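The two techniques above both leave host-side traces that endpoint telemetry can surface: the VS Code CLI is started with the `tunnel` subcommand, and Windows Sandbox is started by `WindowsSandbox.exe` with a `.wsb` configuration file whose mapped folders and logon command define what runs inside the sandbox. The following detection sketch is an added example, not code from the NPA/NCSC reporting; the process-creation events, their field names and the `.wsb` file are constructed samples, and the regular expressions are this example's own assumptions about how those launches look.

```python
import re
import xml.etree.ElementTree as ET

# Constructed process-creation events (not real telemetry). Field names are
# an assumption loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.cmd",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.cmd" tunnel --accept-server-license-terms --name build-box',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsSandbox.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\alice\Downloads\update.wsb',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",   # benign editor launch
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed .wsb configuration showing the settings a responder reviews:
# a writable mapped host folder plus a logon command that runs at sandbox start.
SAMPLE_WSB = r"""<Configuration>
  <MappedFolders>
    <MappedFolder><HostFolder>C:\Users\alice\Downloads</HostFolder><ReadOnly>false</ReadOnly></MappedFolder>
  </MappedFolders>
  <LogonCommand><Command>C:\Users\WDAGUtilityAccount\Desktop\Downloads\run.cmd</Command></LogonCommand>
</Configuration>"""

# Assumed patterns: VS Code CLI invoked with the "tunnel" subcommand, and the
# sandbox binary started with a .wsb file on its command line.
VSCODE_TUNNEL = re.compile(r'(?i)\bcode(-tunnel)?(\.exe|\.cmd)?"?\s+tunnel\b')
SANDBOX_WSB = re.compile(r'(?i)windowssandbox\.exe"?\s+.*\.wsb\b')

def classify_event(ev):
    """Return a finding label for one process-creation event, or None if benign."""
    cmd = ev.get("CommandLine", "")
    if VSCODE_TUNNEL.search(cmd):
        return "vscode-remote-tunnel"
    if SANDBOX_WSB.search(cmd):
        return "windows-sandbox-launch"
    return None

def scan_events(events):
    """Run the classifier over a batch of events and keep only the hits."""
    return [(ev["Image"], label) for ev in events if (label := classify_event(ev))]

def summarize_wsb(xml_text):
    """Pull out the writable host folders and the logon command from a .wsb file."""
    root = ET.fromstring(xml_text)
    writable = [m.findtext("HostFolder") for m in root.iter("MappedFolder")
                if (m.findtext("ReadOnly") or "false").strip().lower() == "false"]
    return {"writable_host_folders": writable,
            "logon_command": root.findtext("LogonCommand/Command")}
```

Because the sandbox itself is discarded on shutdown, the `.wsb` file and the process-creation event on the host are the durable artefacts worth preserving during triage.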
Conclusion
The sustained and evolving nature of MirrorFace’s operations highlights the significant cybersecurity challenges faced by nations like Japan. By leveraging advanced tools and techniques, this threat actor has demonstrated a high level of sophistication in targeting critical sectors and individuals. The NPA and NCSC continue to play a crucial role in uncovering and mitigating these threats. Strengthened cybersecurity measures and global collaboration will be essential in combating such persistent cyber threats in the future.