The notorious Chinese advanced persistent threat (APT) group known as “MirrorFace” has recently expanded its operations into the European Union, engaging in diplomatic espionage using the increasingly popular SoftEther VPN tool.
MirrorFace first gained significant attention in 2022 for its interference in Japanese elections, and has since continued its activities in the country. However, researchers at ESET have now observed the group targeting an unidentified diplomatic entity within the EU.
Jean-Ian Boutin, the director of threat research at ESET, noted that this is the first time MirrorFace has been seen targeting a diplomatic organization in the EU. The region, he stated, is a focal point for various threat actors aligned with China, North Korea, and Russia, many of whom are particularly interested in governmental entities and the defense sector.
In addition to expanding its operations into an entirely new continent, ESET revealed that MirrorFace and other China-backed APTs, such as Flax Typhoon, Gallium, and Webworm, have been increasingly relying on SoftEther VPN, an open-source, cross-platform VPN software favored by cybercriminals.
Earlier this year, a new adversary group named Hydrochasma was discovered abusing SoftEther VPN in a cyber-espionage campaign against Asia-based shipping companies. Similarly, the Chinese-speaking threat group ToddyCat was found using SoftEther VPN to steal data from government and defense targets in the Asia-Pacific region on a large scale.
Now, these tactics have made their way to Europe, with researchers warning of the potential implications. Mathieu Tartare, a senior malware researcher at ESET, explained that some China-aligned APT groups have shifted to relying more on SoftEther VPN because it helps them avoid detection. By setting up an HTTPS VPN tunnel between the compromised network and the attacker’s infrastructure, malicious traffic can easily blend in with legitimate traffic.
Tartare emphasized that SoftEther VPN allows attackers to appear as authorized remote users accessing the network with everyday Remote Desktop Protocol (RDP) tools. He also predicted an increase in the use of legitimate VPN or remote access tools by threat actors to evade detection and blend into legitimate traffic.
Furthermore, Chinese-backed APTs are reportedly sharing their cybercrime expertise with Iranian-backed adversaries for cyber-espionage activities against various targets. Iran, for its part, is directing its hackers to gain unauthorized access to financial services organizations across Africa.
The ESET report also highlighted an increase in cyber attacks by Chinese and North Korean threat actors on educational institutions in the US, South Korea, and Southeast Asia. The collaboration between different threat actor groups underscores the growing complexity and sophistication of cyber threats on a global scale.