The Secrets of Japan Are Being Ransacked by a Chinese APT Group

The National Center of Incident Readiness and Strategy for Cybersecurity and the National Police Agency alerted Japanese organizations to a sophisticated cyber-espionage operation known as "MirrorFace" that was supported by the Chinese government and aimed at stealing technological and national security secrets


The National Center of Incident Readiness and Strategy for Cybersecurity and the National Police Agency alerted Japanese organizations to a sophisticated cyber-espionage operation known as "MirrorFace" that was supported by the Chinese government and aimed at stealing technological and national security secrets. According to Japanese officials, MirrorFace, an advanced persistent threat organization (APT), has been active since 2019.

"By publicizing the modus operandi of 'MirrorFace' cyberattacks, the purpose of this alert is to make targeted organizations, business operators, and individuals aware of the threats they face in cyberspace and to encourage them to take appropriate security measures to prevent the damage caused by cyberattacks from spreading and to prevent damage from occurring in the first place," according to a statement released by Japanese police.

Cyberattacks Against Japan by MirrorFace

Japanese police have identified three distinct types of MirrorFace activity. According to the warning released by Japan's National Police Agency and translated into English, MirrorFace's earliest and longest-running method of stealing Japanese secrets was a complex phishing campaign that ran from 2019 to 2023 with the goal of infecting the nation's government bodies, politicians, and think tanks with malware.

The police added that in 2023, MirrorFace shifted its focus to vulnerabilities in network devices used in manufacturing, healthcare, information and communications, education, and aerospace. MirrorFace took advantage of flaws in Citrix ADC (CVE-2023-27997), Citrix Gateway (CVE-2023-3519), and Fortinet FortiOS and FortiProxy (CVE-2023-28461).

According to investigators, another phishing effort that started in June 2024 targeted Japanese lawmakers, think tanks, and the media using simple phishing techniques. Additionally, between February and October 2023, the group was seen taking advantage of a SQL injection flaw on a public-facing external server to gain access to Japanese companies.
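The alert names SQL injection on a public-facing server as one of the group's entry points without describing the flaw. The following is an added example, not code from the article or from any affected organization, showing the defect class it refers to and the standard fix: a query built by string concatenation beside the same query with a bound parameter. The table, rows and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for the user
# store behind a public-facing web application. Nothing here is from the alert.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The untrusted value is spliced into the SQL text, so quote characters
    # inside it become part of the statement's structure rather than data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The value is passed separately and bound by the driver; whatever it
    # contains, the statement keeps a single equality comparison.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(username):
    # Run both variants on identical input so the difference is visible.
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }

if __name__ == "__main__":
    # A well-formed username behaves the same in both versions ...
    print(compare("alice"))
    # ... but input carrying a quote breaks the WHERE clause of the
    # concatenated query and returns every row, while the bound version
    # simply finds no user with that literal name.
    print(compare("x' OR '1'='1"))
```

The parameterized form is the fix to look for in code review: the statement text is constant and the driver never interprets the value as SQL. The same principle applies to any web-facing endpoint, not only login lookups.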

The disclosures of MirrorFace's operations follow earlier high-profile Chinese-sponsored hacks perpetrated by a fellow APT outfit called "Salt Typhoon" against international and US telecom businesses, as well as the IRS. Mark Bowling, the current chief information security and risk officer at ExtraHop and a former FBI special agent, said MirrorFace seemed to be functioning as a People's Liberation Army (PLA) cyber-warfare unit.

"Since 2019, the MirrorFace APT has consistently utilized well-crafted spear-phishing campaigns, and used weaponized code/logic such as LODEINFO and MirrorStealer to steal credentials, escalate privileges, and exfiltrate data which could be utilized to better position the PLA in the event of hostilities with Japan," Bowling stated. Bowling predicts that APT activity will increase in response to ongoing global geopolitical tensions, especially from nation-state actors targeting the United States.

"The consequences of those strained relations over Ukraine, Taiwan, and the ongoing Iran hostility against Israel through its proxies are now increasingly spilling over into aggressive and relentless digital campaigns," Bowling said. "There is no doubt threats from nation-state groups will increase in volume and sophistication this year, targeting our critical infrastructure like utilities, telecommunications, and healthcare."