Japan Faces Prolonged Cyber-Attacks Linked to China’s MirrorFace


A prolonged cyber-attack campaign targeting Japanese organizations and individuals since 2019 has been attributed to the China-linked threat actor MirrorFace, also known as Earth Kasha, by Japan’s National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC).

The attacks aimed to steal sensitive information related to Japan’s national security and advanced technologies. MirrorFace is believed to be a subgroup of the Chinese state-sponsored hacking collective APT10, known for using malware tools such as ANEL, LODEINFO and NOOPDOOR.

These are some of the key attack campaigns identified:

  • December 2019 to July 2023: Targeted government bodies, think tanks, politicians and media outlets using spear-phishing emails with malware including LODEINFO, LilimRAT and NOOPDOOR

  • February to October 2023: Focused on sectors like semiconductors, aerospace and academia by exploiting vulnerabilities in network devices to deploy Cobalt Strike Beacon, LODEINFO and NOOPDOOR

  • June 2024 onwards: Targeted think tanks, politicians and media with phishing emails carrying ANEL malware

Authorities noted that MirrorFace often used advanced techniques, such as executing malware within the Windows Sandbox, a virtualized environment that prevents persistent infections. This method allowed the malware to operate undetected by antivirus tools and erased any traces upon system reboot.


The NPA linked MirrorFace to over 200 cyber incidents during the five-year period, affecting government agencies, defense organizations, space research centers and private firms involved in advanced technologies. Some phishing emails included themes like “Japan-US alliance” and “Taiwan Strait” to lure targets into downloading malicious attachments.

Notable incidents linked to similar tactics include a cyber-attack on the Japan Aerospace Exploration Agency (JAXA) and a ransomware incident disrupting the Port of Nagoya in 2023. 

“This alert aims to raise awareness among targeted organizations, businesses, and individuals about the threats they face in cyberspace by publicly disclosing the methods used in the cyber-attacks by ‘MirrorFace,’” warned the NPA.

“It also seeks to encourage the implementation of appropriate security measures to prevent the expansion of damage from cyber-attacks and to avert potential harm.”


