China's MirrorFace Breaches

As cyber threats grow more sophisticated, the China-linked group known as MirrorFace, assessed to be a subgroup of the state-sponsored APT10, has made headlines for breaching more than 200 organizations in Japan alone. The group focuses on cyber espionage, targeting information related to national security and advanced technologies. Its operations have relied on a range of malware, including ANEL, LODEINFO, and NOOPDOOR, deployed in carefully planned campaigns over the past five years.

From 2019 to 2023, MirrorFace mainly hit Japanese government bodies, think tanks, politicians, and media organizations with spear-phishing emails carrying its custom malware. In 2023 it changed approach, exploiting vulnerabilities in internet-facing network devices to gain a foothold in the semiconductor, aerospace, and other critical industries. By January 2024 the group was actively infiltrating think tanks and academic institutions, consistent with long-term intelligence collection. From June 2024 it returned to phishing, this time delivering ANEL to think tanks and politicians.

MirrorFace's malware arsenal is notable for its variety and steady evolution. The group has used LODEINFO, LilimRAT, NOOPDOOR, and AsyncRAT across different campaigns. To evade detection it has executed malware inside Windows Sandbox, an isolated environment that many endpoint agents do not monitor, and it has used Visual Studio Code Remote Tunnels as a covert remote-access channel that blends in with developer traffic. Carefully tailored phishing emails lure victims into opening malware-laden attachments, and PowerShell scripts are used to run commands without dropping additional tooling that would draw attention.
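The techniques above (Windows Sandbox launches, the VS Code tunnel CLI, encoded PowerShell, and a shell spawned by an Office application) are all visible in ordinary process-creation telemetry. The following is an added example, not code from the original article or from any published report on MirrorFace: it runs a handful of generic hunt heuristics over constructed, Sysmon-style process events. The hostnames, paths, and the base64 payload are made up; the `code.exe tunnel` subcommand and the `.wsb` Windows Sandbox configuration file are real conventions, and the rule names are this example's own.

```python
import re

# Constructed process-creation events in the spirit of Sysmon Event ID 1.
# These are invented samples for the example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\alice\AppData\Local\Temp\stage.wsb'},
    {"host": "ws01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "cmdline": r"code.exe tunnel --accept-server-license-terms --name ws01-dev"},
    {"host": "ws02",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # placeholder base64, not a real payload
     "cmdline": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws03",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "ws03",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\proj'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
_TOKEN = re.compile(r'"[^"]*"|\S+')


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def is_encoded_switch(token):
    """True for -EncodedCommand or any prefix of it that PowerShell accepts (-e, -ec, -enc, ...)."""
    if not token.startswith(("-", "/")):
        return False
    body = token[1:].lower()
    return len(body) >= 1 and "encodedcommand".startswith(body)


def rules_for(event):
    """Return the names of the heuristics an event trips; an empty list means benign-looking."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    argv = tokens(event["cmdline"])
    hits = []
    if image == "windowssandbox.exe":
        # Sandbox launches are rare on non-developer hosts; a .wsb in %TEMP% is worth a look.
        hits.append("windows_sandbox_launch")
    if image in {"code.exe", "code-tunnel.exe"} and "tunnel" in (a.lower() for a in argv[1:]):
        # The VS Code tunnel CLI gives remote shell and file access through Microsoft's relay.
        hits.append("vscode_remote_tunnel")
    if image in {"powershell.exe", "pwsh.exe"} and any(is_encoded_switch(a) for a in argv[1:]):
        hits.append("encoded_powershell")
    if parent in OFFICE_APPS and image in SHELLS:
        # A document that spawns a shell is the classic phishing-attachment pattern.
        hits.append("office_spawns_shell")
    return hits


def triage(events):
    """Flatten every (event, rule) pair into a finding record for an analyst queue."""
    findings = []
    for ev in events:
        for rule in rules_for(ev):
            findings.append({"host": ev["host"], "rule": rule, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:<5} {f['rule']:<24} {f['cmdline']}")
```

On the constructed data this flags both ws01 events and the Word-spawned PowerShell on ws02, and leaves the scheduled backup script and the normal VS Code launch on ws03 alone. These heuristics are a starting point, not a verdict: developers legitimately run `code tunnel`, and Windows Sandbox is an optional feature some teams enable, so each rule should be baselined against the environment before it pages anyone.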

The impact of MirrorFace's activities on Japan is significant. With more than 200 confirmed cases across sensitive sectors such as aerospace, semiconductors, and defense, the risk to Japan's technological and military advantage is considerable. The intrusion at the space agency JAXA, later attributed by Japanese authorities to this group, is the best-known example; the 2023 ransomware disruption at the Port of Nagoya, although not attributed to MirrorFace, added to the sense of urgency around critical infrastructure. In response, Japan's National Police Agency (NPA) and the National center of Incident readiness and Strategy for Cybersecurity (NISC) have issued joint alerts and stepped up efforts to counter the threat.

MirrorFace's ambitions now appear to extend beyond Japan: in the campaign ESET named Operation AkaiRyū, the group targeted a European diplomatic entity, again using ANEL and AsyncRAT. That a Japan-focused actor is reaching into Europe suggests a broader remit for China's cyber espionage and raises concerns that the same tradecraft will spread. As the group keeps refining its phishing, defenders outside Japan have reason to watch it closely.