Japan has recently linked a series of cyberattacks targeting its government and private sectors to a Chinese hacker group known as MirrorFace. This group has been active since 2019, employing sophisticated techniques to infiltrate systems and steal sensitive information related to national security and advanced technologies.

Overview Of MirrorFace

MirrorFace has been identified by Japan’s National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) as a significant threat actor. The group is believed to be a subgroup of APT10, notorious for its cyber-espionage activities.

The NPA has reported that the group has targeted a range of government, media, technology-sector and policy organizations; the campaigns below summarize those reports.

Attack Campaigns

The cyberattacks attributed to MirrorFace can be categorized into several key campaigns:

  1. December 2019 to July 2023: Targeted government and media organizations using spear-phishing emails with malware such as LODEINFO and LilimRAT.
  2. February to October 2023: Focused on critical sectors like semiconductors and aerospace, exploiting vulnerabilities in network devices to deploy Cobalt Strike Beacon and other malware.
  3. June 2024 Onwards: Continued targeting of think tanks and politicians with phishing emails containing ANEL malware.

Advanced Techniques Used

MirrorFace is known for employing advanced techniques to evade detection. One notable method is executing malware inside Windows Sandbox, a disposable virtualized environment whose contents are discarded when the sandbox is closed. Running there lets the malware operate without being inspected by antivirus tools on the host, and any traces are erased once the system reboots.
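For defenders, the practical question is how a launch of Windows Sandbox for malicious purposes would differ from a developer opening one by hand. The script below is an added example written for this page, not code from the article or from any Japanese agency report. It scans constructed process-creation records (field names loosely modelled on Sysmon Event ID 1, but chosen for this example) and flags three signals: the sandbox launcher being started by a non-interactive parent process, a `.wsb` configuration file on the command line, and attempts to enable the `Containers-DisposableClientVM` optional feature. It also inspects a `.wsb` file for the two settings that let a sandbox act on the host, a `LogonCommand` and a writable `MappedFolder`, both documented elements of the Windows Sandbox configuration format. All hostnames, paths and log lines are constructed sample data.

```python
"""Detection sketch for abuse of Windows Sandbox as an evasion layer.

Added example, not from the original article. Event field names and all
sample data are constructed for this illustration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Real image names of the sandbox launcher and its client window.
SANDBOX_IMAGES = {"windowssandbox.exe", "windowssandboxclient.exe"}
# Parents that indicate a human double-clicked something; everything else is suspect.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Tools that can enable the optional feature from a command line.
FEATURE_TOOLS = {"dism.exe", "powershell.exe", "pwsh.exe"}
FEATURE_RE = re.compile(r"containers-disposableclientvm", re.IGNORECASE)
WSB_RE = re.compile(r"\S+\.wsb\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return finding labels for one event; an empty list means nothing notable."""
    findings = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    if img in SANDBOX_IMAGES:
        if parent not in INTERACTIVE_PARENTS:
            findings.append("sandbox-launched-by-non-interactive-parent")
        if WSB_RE.search(ev.command_line):
            # A .wsb by itself is normal for developers; it matters most
            # together with the parent-process finding above.
            findings.append("sandbox-config-file-on-cmdline")
    if img in FEATURE_TOOLS and FEATURE_RE.search(ev.command_line):
        findings.append("sandbox-feature-enable-attempt")
    return findings


def scan(events):
    """Flatten findings across events as (host, image, finding) tuples."""
    return [(ev.host, basename(ev.image), f) for ev in events for f in classify(ev)]


def inspect_wsb(xml_text):
    """Flag .wsb settings that let a sandbox run code and write back to the host.

    <ReadOnly> defaults to false in the documented format, so a MappedFolder
    without it is treated as writable.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.find("LogonCommand/Command") is not None:
        findings.append("logon-command-present")
    for folder in root.findall("MappedFolders/MappedFolder"):
        read_only = (folder.findtext("ReadOnly") or "false").strip().lower()
        if read_only != "true":
            findings.append("writable-mapped-folder")
    return findings


# Constructed sample telemetry: one benign developer launch, one launch
# spawned by an Office process, one feature-enable attempt, one unrelated event.
SAMPLE_EVENTS = [
    ProcEvent("ws1", r"C:\Windows\System32\WindowsSandbox.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\WindowsSandbox.exe" "C:\Users\alice\Desktop\dev.wsb"'),
    ProcEvent("ws2", r"C:\Windows\System32\WindowsSandbox.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\bob\AppData\Local\Temp\x.wsb'),
    ProcEvent("ws3", r"C:\Windows\System32\Dism.exe", r"C:\Windows\System32\cmd.exe",
              r"dism.exe /online /enable-feature /featurename:Containers-DisposableClientVM"),
    ProcEvent("ws4", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              r"notepad.exe notes.txt"),
]

# Constructed .wsb content using the documented element names.
SAMPLE_WSB = """<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\bob\\AppData\\Local\\Temp\\stage</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\stage\\run.cmd</Command>
  </LogonCommand>
</Configuration>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(inspect_wsb(SAMPLE_WSB))
```

The parent-process check carries most of the weight: a sandbox opened from Explorer with a `.wsb` on the desktop is routine, while the same launcher spawned by an Office application or a script host deserves a look. Because the sandbox discards its own state, the host-side telemetry produced at launch time (process creation, the `.wsb` written to disk, any feature-enable command) is the durable evidence, so that is where the detections are placed.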