The Chinese hacking group MirrorFace has been attacking Japanese targets since 2019. The attackers mainly aim to obtain sensitive information from a wide range of Japanese organisations; such information could give China a strategic advantage over Japan in the event of a conflict between the two nations.
Japanese authorities, namely the National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), have warned Japanese organisations about a sustained cyberespionage effort from China. The campaign, attributed to the group known as "MirrorFace", is suspected to be state-sponsored and aims to steal advanced technology and national security secrets. The warning underscores the growing concern over cyberattacks by foreign governments and the need for robust security measures to safeguard vital national interests.
According to the authorities, the advanced persistent threat (APT) group MirrorFace has been targeting Japanese organisations since 2019. In response, they issued a public alert to raise awareness among the targeted organisations, businesses, and individuals of the threats they face, so that these entities implement appropriate security measures to prevent and limit damage from the attacks and, in turn, strengthen the nation's overall cybersecurity posture.
Japanese law enforcement has identified three distinct phases of the MirrorFace campaign. In the first phase, observed between 2019 and 2023, the group ran an elaborate phishing campaign against a wide range of critical entities, including think tanks, government agencies, and political figures. The targeted phishing emails delivered malware that gave the attackers unauthorised access to sensitive systems and let them exfiltrate valuable data.
In the second phase, starting in 2023, MirrorFace significantly altered its tactics. The group shifted towards exploiting known vulnerabilities in internet-facing network devices at organisations in critical sectors such as healthcare, manufacturing, information and communications, education, and aerospace. The exploited flaws included those in Array Networks AG series appliances (CVE-2023-28461), Fortinet FortiOS and FortiProxy (CVE-2023-27997), and Citrix ADC and Citrix Gateway (CVE-2023-3519). All three are remotely exploitable on the edge of the network, where patching lags and endpoint agents rarely run, which is exactly why such devices make attractive initial-access targets.
From February to October 2023, MirrorFace also exploited an SQL injection vulnerability in a public-facing server, which gave the group a secondary entry point into Japanese organisations.
In the third phase, from June 2024, a renewed phishing campaign targeted media outlets, think tanks, and Japanese politicians. Spear-phishing emails served as the primary attack vector and were used to deliver the ANEL backdoor.
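The alert does not name the affected server or product, so the following is an added example, not code from MirrorFace, the NPA/NISC alert, or any affected Japanese system. It shows the general shape of the bug that gives an attacker such an entry point: a login query built by string concatenation next to its parameterised fix, run against a constructed in-memory SQLite table so the bypass can be reproduced offline. The table, accounts, payloads and function names are all constructed for the demonstration.

```python
"""String-built SQL beside its parameterised fix (added illustrative example)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Interpolates untrusted input into the statement text: the injection bug."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Bound parameters: the values are sent separately and never alter the SQL grammar."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run the same constructed payloads through both versions and return the rows."""
    conn = build_db()
    tautology = "' OR '1'='1"  # rewrites the WHERE clause as (...) OR '1'='1'
    comment = "alice' --"      # closes the string and comments out the password check
    return {
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "fixed_tautology": login_fixed(conn, "nobody", tautology),
        "fixed_comment": login_fixed(conn, comment, "wrong"),
        "legit": login_fixed(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} -> {rows}")
```

The vulnerable version returns every account for the tautology payload and logs the attacker in as `alice` for the comment payload; the parameterised version returns no rows for either and still works for the genuine credentials. The fix is the same in any language or database: never build statement text from input, bind it.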
The alert also describes MirrorFace using Visual Studio Code remote tunnels to establish covert connections to compromised hosts. Because the tunnel is initiated outbound from the victim to a legitimate Microsoft service, it passes through perimeter defences that only block inbound connections and gives the attackers persistent remote control of the compromised systems.
In addition, the attackers execute malicious payloads inside Windows Sandbox to evade antivirus and endpoint detection and response (EDR) tools, which typically have no visibility inside the disposable virtual machine. Because the sandbox is discarded when it is closed, the environment also erases most traces of the attack, making investigation difficult; responders should therefore collect evidence from a running sandbox where possible and otherwise rely on host-side artefacts, such as the sandbox configuration file, the launch of the sandbox process and the enabling of the feature itself.
This tradecraft shows a high degree of sophistication: the attackers abuse legitimate features and unconventional execution environments to evade detection and hinder investigation. The campaign is also persistent, with the attackers maintaining access to compromised systems since at least June 2023.
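The two tricks described above leave host-side traces even though neither looks like malware. As an added example (not tooling from the NPA/NISC alert, and not anything recovered from MirrorFace), the following hunting logic runs over constructed process-creation and DNS events and over a constructed Windows Sandbox `.wsb` configuration: it flags `code tunnel` launches and lookups of the dev tunnels domains Microsoft documents for VS Code remote tunnels, `WindowsSandbox.exe` launches together with the `.wsb` file they were given, enabling of the `Containers-DisposableClientVM` feature, and sandbox configs that run a command at logon or map a writable host folder. The event field names (`type`, `image`, `cmdline`, `query`) are an assumption to be mapped onto whatever your EDR or Sysmon pipeline emits.

```python
"""Hunting checks for VS Code remote tunnels and Windows Sandbox abuse (added example)."""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Dev tunnels endpoints the VS Code CLI contacts while a remote tunnel is served.
TUNNEL_DOMAINS = ("*.devtunnels.ms", "*.rel.tunnels.api.visualstudio.com")
# `code tunnel ...` / `code.exe tunnel ...` starts the tunnel host on the victim.
TUNNEL_CMD = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.IGNORECASE)
# Unquoted .wsb argument; quoted paths with spaces need a proper argv split.
WSB_PATH = re.compile(r"\S+\.wsb\b", re.IGNORECASE)


def is_tunnel_domain(name: str) -> bool:
    return any(fnmatch.fnmatch(name.lower(), pat) for pat in TUNNEL_DOMAINS)


def check_process(ev: dict) -> list:
    """Findings for one process-creation event (assumed field names)."""
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    found = []
    if TUNNEL_CMD.search(cmd):
        found.append(("vscode_tunnel_start", cmd))
    if image.endswith("windowssandbox.exe"):
        found.append(("windows_sandbox_launch", image))
        # The .wsb file stays on the host after the disposable VM is gone: keep it.
        for path in WSB_PATH.findall(cmd):
            found.append(("windows_sandbox_config", path))
    if "containers-disposableclientvm" in cmd.lower():  # dism / Enable-WindowsOptionalFeature
        found.append(("windows_sandbox_feature_enable", cmd))
    return found


def check_dns(ev: dict) -> list:
    query = ev.get("query", "")
    return [("vscode_tunnel_dns", query)] if is_tunnel_domain(query) else []


def scan_events(events: list) -> list:
    found = []
    for ev in events:
        if ev.get("type") == "process":
            found.extend(check_process(ev))
        elif ev.get("type") == "dns":
            found.extend(check_dns(ev))
    return found


def check_wsb(xml_text: str) -> list:
    """Flag a sandbox config that auto-runs a command or maps a writable host folder."""
    root = ET.fromstring(xml_text)
    found = []
    logon = root.findtext("LogonCommand/Command")
    if logon:
        found.append(("wsb_logon_command", logon.strip()))
    for folder in root.findall("MappedFolders/MappedFolder"):
        read_only = (folder.findtext("ReadOnly") or "false").strip().lower()
        if read_only != "true":  # writable mapping lets sandbox output reach the host
            host = (folder.findtext("HostFolder") or "").strip()
            found.append(("wsb_writable_mapped_folder", host))
    return found


# Constructed sample telemetry; not real victim data.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process",
     "image": r"C:\Users\taro\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name ws01"},
    {"type": "dns", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r"WindowsSandbox.exe C:\Users\taro\Downloads\invoice.wsb"},
]

# Constructed sandbox configuration in the documented .wsb format.
SAMPLE_WSB = r"""<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\taro\Downloads</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\drop</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\drop\run.bat</Command>
  </LogonCommand>
</Configuration>"""

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS) + check_wsb(SAMPLE_WSB):
        print(*finding)
```

On the sample data the scan raises four findings (the tunnel start, the tunnel DNS lookup, the sandbox launch and its `.wsb` path) and the config check two more (the logon command and the writable mapped folder). In production, treat a developer's `code tunnel` on a workstation as a triage item rather than an alert, but a tunnel or sandbox launch on a server, or a `.wsb` that writes back to a host folder, deserves immediate attention.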
This type of attack highlights the evolving nature of cyber threats, emphasising the need to continuously adapt security measures and proactive defence strategies to stay ahead of sophisticated attacks.
Want your digital assets to be protected?
CyberShelter provides modern cybersecurity products and niche services that protect individuals and organisations against all kinds of cyber threats.