Shadow Tunnels: MirrorFace's Ongoing Cyber Espionage Campaign Against Japan

Japan's National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) have accused a China-linked threat group, known as MirrorFace, of conducting an ongoing cyberattack campaign targeting Japanese organizations, businesses, and individuals since 2019.

The primary aim of the campaign is to exfiltrate sensitive information related to Japan's national security and advanced technology, according to the agencies.

MirrorFace, also referred to as Earth Kasha, is believed to be a subgroup of the advanced persistent threat group APT10. The group is known for its consistent focus on Japanese targets, often employing tools such as ANEL, LODEINFO, and NOOPDOOR (also called HiddenFace).

In December, cybersecurity firm Trend Micro detailed a spear-phishing campaign attributed to MirrorFace, which aimed to deliver ANEL and NOOPDOOR malware to Japanese individuals and organizations. Similar campaigns have also been directed at entities in Taiwan and India in recent years.

The NPA and NCSC have classified MirrorFace's attacks into three major campaigns:

  1. Campaign A (December 2019 – July 2023): Targeted think tanks, government agencies, politicians, and media outlets through spear-phishing emails to deploy malware such as LODEINFO, NOOPDOOR, and a modified version of Lilith RAT called LilimRAT.

  2. Campaign B (February – October 2023): Focused on the semiconductor, manufacturing, communications, academic, and aerospace sectors by exploiting vulnerabilities in internet-facing devices from Array Networks, Citrix, and Fortinet to deliver Cobalt Strike Beacon, LODEINFO, and NOOPDOOR.

  3. Campaign C (June 2024 onward): Aimed at academia, think tanks, politicians, and media organizations, utilizing spear-phishing emails to deliver the ANEL malware, also known as UPPERCUT.

The attacks are notable for employing Visual Studio Code remote tunnels to establish concealed connections, enabling the attackers to bypass network defenses and remotely control compromised systems.

The agencies also observed instances where malicious payloads were executed covertly on the host system using the Windows Sandbox environment. This approach allows the malware to evade detection by antivirus software or endpoint detection and response (EDR) systems. Additionally, traces of the attack are erased when the host computer is rebooted or shut down, leaving no evidence behind, the agencies stated.
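Both of the techniques described above leave process-creation traces that a defender can hunt for: a `code tunnel` invocation of the VS Code CLI, and a `WindowsSandbox.exe` launch driven by a `.wsb` configuration file that maps host folders into the sandbox and runs a `LogonCommand`. The following is an added detection example, not code from the NPA/NCSC report or from any vendor; the events and the `.wsb` file are constructed samples, and the label names are hypothetical.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample process-creation events (hypothetical, not telemetry
# from the NPA/NCSC report): Sysmon Event ID 1 or EDR data reduced to dicts.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name ws01"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r'WindowsSandbox.exe "C:\Users\alice\AppData\Local\Temp\run.wsb"'},
    {"host": "ws02", "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "cmdline": r"code.exe --new-window C:\src\app"},
]

# Constructed .wsb file of the kind such a launch references: it maps a host
# folder into the sandbox and runs a command automatically at sandbox logon.
SAMPLE_WSB = """<Configuration>
  <MappedFolders><MappedFolder>
    <HostFolder>C:\\Users\\alice\\AppData\\Local\\Temp\\stage</HostFolder>
    <ReadOnly>false</ReadOnly>
  </MappedFolder></MappedFolders>
  <LogonCommand><Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\stage\\run.bat</Command></LogonCommand>
</Configuration>"""

def classify(event):
    """Return the technique labels one event matches (empty list if benign)."""
    findings = []
    exe = event["image"].lower().rsplit("\\", 1)[-1]
    # posix=False keeps Windows backslashes intact while still honouring quotes.
    args = [a.lower().strip('"') for a in shlex.split(event["cmdline"], posix=False)]
    # `code tunnel` registers the host with a dev tunnel so a remote VS Code
    # client or browser can reach it; it has little business on most endpoints.
    if exe in ("code.exe", "code-tunnel.exe") and "tunnel" in args[1:]:
        findings.append("vscode_remote_tunnel")
    # Windows Sandbox started from a .wsb config rather than from the Start menu.
    if exe == "windowssandbox.exe" and any(a.endswith(".wsb") for a in args[1:]):
        findings.append("windows_sandbox_wsb_launch")
    return findings

def wsb_indicators(xml_text):
    """Pull the review-worthy fields (host folder mappings, logon command) out of a .wsb file."""
    root = ET.fromstring(xml_text)
    return {
        "mapped_folders": [m.findtext("HostFolder") for m in root.iter("MappedFolder")],
        "logon_command": root.findtext("LogonCommand/Command"),
    }

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], classify(ev))
    print(wsb_indicators(SAMPLE_WSB))
```

The `.wsb` is worth retrieving from the host because, as the agencies note, the sandbox itself leaves nothing behind after a reboot; the configuration file and the process-creation event are what survives.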