A recent announcement by Japan’s National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) has revealed that a prolonged cyber-attack campaign targeting Japanese organizations and individuals since 2019 has been linked to the China-based threat actor known as MirrorFace, also identified as Earth Kasha. This attribution sheds light on the tactics and intentions of this cyber threat group, which has been aiming to steal sensitive information related to Japan’s national security and advanced technologies.
MirrorFace, believed to be a subgroup of the Chinese state-sponsored hacking collective APT10, has used malware families such as ANEL, LODEINFO, and NOOPDOOR to carry out its activities. The attacks targeted government bodies, think tanks, politicians, and media outlets, as well as sectors such as semiconductors, aerospace, and academia, through spear-phishing emails and the exploitation of vulnerabilities in network devices to deploy tools such as Cobalt Strike Beacon.
One notable aspect of MirrorFace’s operations is its use of advanced evasion techniques, including executing malware inside the Windows Sandbox so that antivirus tools on the host do not inspect it and any traces are discarded when the sandbox is closed or the system reboots. This method has allowed the group to operate undetected for long periods.
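The Windows Sandbox technique mentioned above is something defenders can audit for on their own fleet. The following PowerShell script is an added example written for this page; it is not part of the NPA/NISC alert and is not MirrorFace tooling. It reports whether the Windows Sandbox optional feature (`Containers-DisposableClientVM`) is enabled, whether `WindowsSandbox.exe` is running, and lists any `.wsb` launch configurations found under a set of directories, printing the host folders and logon command each one declares. The `$SearchRoots` defaults and the `-Remediate` switch are choices made for this example; running it requires an elevated prompt on a Windows edition that ships the feature.

```powershell
# Added defensive audit script (example code, not from the NPA/NISC alert or
# from any threat-actor tooling). Assumptions: run as Administrator on
# Windows 10/11 Pro or Enterprise; $SearchRoots and -Remediate are choices
# made here and can be adjusted to local policy.
[CmdletBinding()]
param(
    [string[]]$SearchRoots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:TEMP"),
    [switch]$Remediate
)

$featureName = 'Containers-DisposableClientVM'   # optional-feature name of Windows Sandbox
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue

if ($null -eq $feature) {
    Write-Output "Windows Sandbox feature is not present on this edition; nothing to audit."
} else {
    Write-Output "Windows Sandbox ($featureName) state: $($feature.State)"
}

# A running WindowsSandbox.exe is worth recording on hosts where no user has
# a business need for the feature.
$running = Get-Process -Name 'WindowsSandbox' -ErrorAction SilentlyContinue
if ($running) {
    Write-Output "WindowsSandbox.exe is running, PID(s): $($running.Id -join ', ')"
}

# Sandbox launch configurations are XML files with the .wsb extension. Their
# MappedFolders and LogonCommand elements show which host folders were shared
# into the sandbox and what command runs at start-up.
$wsbFiles = foreach ($root in $SearchRoots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Filter '*.wsb' -Recurse -File -ErrorAction SilentlyContinue
    }
}

foreach ($f in $wsbFiles) {
    Write-Output "---- $($f.FullName) (modified $($f.LastWriteTime))"
    try {
        [xml]$cfg = Get-Content -Path $f.FullName -Raw -ErrorAction Stop
        foreach ($m in $cfg.Configuration.MappedFolders.MappedFolder) {
            Write-Output "  MappedFolder: $($m.HostFolder) (ReadOnly=$($m.ReadOnly))"
        }
        if ($cfg.Configuration.LogonCommand.Command) {
            Write-Output "  LogonCommand: $($cfg.Configuration.LogonCommand.Command)"
        }
        if ($cfg.Configuration.Networking) {
            Write-Output "  Networking: $($cfg.Configuration.Networking)"
        }
    } catch {
        Write-Output "  (could not parse as XML: $($_.Exception.Message))"
    }
}

# Optional hardening: disable the feature where it is not needed. The change
# takes effect after the next restart.
if ($Remediate -and $feature -and $feature.State -eq 'Enabled') {
    Write-Output "Disabling $featureName (restart required for the change to take effect)."
    Disable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart | Out-Null
}
```

Run it without switches to produce an inventory, and with `-Remediate` on hosts where policy says the feature should be off. A `.wsb` file that maps a writable host folder and declares a logon command is the combination worth a closer look, since that is exactly how a payload would be handed into the sandbox and started there while leaving little on the host itself.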
The NPA has linked MirrorFace to over 200 cyber incidents over a five-year period, affecting government agencies, defense organizations, space research centers, and private firms involved in advanced technologies. The phishing emails used by the threat actor often carry themes such as “Japan-US alliance” and “Taiwan Strait” to lure targets into opening malicious attachments, reflecting carefully tailored social engineering.
Some notable incidents linked to MirrorFace’s tactics include a cyber-attack on the Japan Aerospace Exploration Agency (JAXA) and a ransomware incident disrupting the Port of Nagoya in 2023, highlighting the significant impact of their operations on critical infrastructure.
In response to these cyber threats, the NPA has issued a public alert to raise awareness among targeted organizations, businesses, and individuals about the methods used by MirrorFace in their cyber-attacks. The alert also emphasizes the importance of implementing appropriate security measures to prevent further damage and mitigate potential harm from future cyber incidents.
Overall, the attribution of the campaign to MirrorFace illustrates the evolving threat landscape and underscores the importance of vigilance and preparedness against well-resourced adversaries. It serves as a reminder for organizations and individuals to remain proactive in defending against cyber threats.